nexus-agents 2.125.24 → 2.125.25

package/dist/{chunk-647PSXJ5.js → chunk-B3TJNOKQ.js}

@@ -40,7 +40,7 @@ import {
 } from "./chunk-CH7QIDHQ.js";
 
 // src/version.ts
-var VERSION = true ? "2.125.24" : "dev";
+var VERSION = true ? "2.125.25" : "dev";
 
 // src/config/schemas-core.ts
 import { z } from "zod";
@@ -2099,7 +2099,7 @@ async function runDoctorFix(result) {
   writeLine2("\u2500".repeat(40));
   let fixCount = 0;
   if (!result.dataDirectory.rootExists || result.dataDirectory.subdirectories.some((d) => !d.exists || !d.writable)) {
-    const { runSetup } = await import("./setup-command-63KWDRWL.js");
+    const { runSetup } = await import("./setup-command-PRTMR4DK.js");
     const setupResult = runSetup({
       skipMcp: true,
       skipRules: true,
@@ -2211,4 +2211,4 @@ export {
   startStdioServer,
   closeServer
 };
-//# sourceMappingURL=chunk-647PSXJ5.js.map
+//# sourceMappingURL=chunk-B3TJNOKQ.js.map

package/dist/{chunk-SDA5GEWO.js → chunk-F6VJEXXJ.js}

@@ -123,7 +123,7 @@ import {
   DEFAULT_TASK_TTL_MS,
   DEFAULT_TOOL_RATE_LIMITS,
   clampTaskTtl
-} from "./chunk-647PSXJ5.js";
+} from "./chunk-B3TJNOKQ.js";
 import {
   resolveInsideRoot
 } from "./chunk-NUBSJGQZ.js";
@@ -49800,4 +49800,4 @@ export {
   shutdownFeedbackSubscriber,
   createEventBusBridge
 };
-//# sourceMappingURL=chunk-SDA5GEWO.js.map
+//# sourceMappingURL=chunk-F6VJEXXJ.js.map

package/dist/{chunk-QIEXH2EA.js → chunk-YQARWBVL.js}

@@ -8,7 +8,7 @@ import {
   checkSqlite,
   defaultConfig,
   initDataDirectories
-} from "./chunk-647PSXJ5.js";
+} from "./chunk-B3TJNOKQ.js";
 import {
   probeAllClis
 } from "./chunk-QN3353M2.js";
@@ -2000,4 +2000,4 @@ export {
   setupCommand,
   setupCommandAsync
 };
-//# sourceMappingURL=chunk-QIEXH2EA.js.map
+//# sourceMappingURL=chunk-YQARWBVL.js.map

package/dist/cli.js

@@ -24,7 +24,7 @@ import {
 import {
   setupCommandAsync,
   verifyCommand
-} from "./chunk-QIEXH2EA.js";
+} from "./chunk-YQARWBVL.js";
 import "./chunk-MMWNGT2K.js";
 import {
   AuthHandler,
@@ -144,7 +144,7 @@ import {
   validateCommand,
   validateWorkflow,
   wrapInMarkdownFence
-} from "./chunk-SDA5GEWO.js";
+} from "./chunk-F6VJEXXJ.js";
 import "./chunk-3ACDP4E6.js";
 import {
   CATEGORY_DISPLAY_NAMES,
@@ -246,7 +246,7 @@ import {
   loadConfig,
   runDoctor,
   validateNexusEnv
-} from "./chunk-647PSXJ5.js";
+} from "./chunk-B3TJNOKQ.js";
 import "./chunk-NUBSJGQZ.js";
 import {
   capitalize,
@@ -12743,8 +12743,8 @@ async function exportSessionMetrics(storage, sessionId, exportPath) {
     const session = sessionResult.value;
     const metrics = buildMetricsObject(session, sessionId);
     if (exportPath !== void 0) {
-      const { writeFile: writeFile6 } = await import("fs/promises");
-      await writeFile6(exportPath, JSON.stringify(metrics, null, 2));
+      const { writeFile: writeFile7 } = await import("fs/promises");
+      await writeFile7(exportPath, JSON.stringify(metrics, null, 2));
       logger14.info("Metrics exported", { path: exportPath });
     } else {
       logger14.debug("Session metrics", summarizeMetricsForDebug(metrics));
@@ -23036,6 +23036,235 @@ function stripRefsPrefix(ref) {
   return ref.replace(/^refs\//, "");
 }
 
+// src/mcp/tools/remediation-proposal-pr.ts
+import { execFile as execFile4 } from "child_process";
+import { promisify as promisify4 } from "util";
+import { writeFile as writeFile6, mkdir as mkdir5 } from "fs/promises";
+import { join as join18, dirname as dirname11 } from "path";
+
+// src/mcp/tools/improvement-remediation-capability.ts
+import { z as z8 } from "zod";
+var PHASE_CAPABILITIES = {
+  research: /* @__PURE__ */ new Set(["untrusted-input", "secrets"]),
+  implement: /* @__PURE__ */ new Set(["repo-write", "secrets"])
+};
+var RuleOfTwoViolation = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "RuleOfTwoViolation";
+  }
+};
+var CapabilityLedger = class {
+  phase;
+  /** Enter a phase, setting its declared capability set as active. */
+  enterPhase(phase) {
+    this.phase = phase;
+  }
+  /** The active phase, or undefined if none entered. */
+  currentPhase() {
+    return this.phase;
+  }
+  /**
+   * Assert that `capability` is permitted right now. Throws {@link RuleOfTwoViolation}
+   * (fail-closed) if no phase is active or the active phase doesn't grant it —
+   * which structurally prevents the forbidden three-leg conjunction, since no
+   * phase grants more than two legs.
+   */
+  assertCapability(capability) {
+    if (this.phase === void 0) {
+      throw new RuleOfTwoViolation(
+        `capability '${capability}' requested before any remediation phase was entered (fail-closed)`
+      );
+    }
+    const allowed = PHASE_CAPABILITIES[this.phase];
+    if (!allowed.has(capability)) {
+      throw new RuleOfTwoViolation(
+        `capability '${capability}' is not permitted in phase '${this.phase}' (allowed: ${[...allowed].join(", ")})`
+      );
+    }
+  }
+};
+var RemediationActionKindSchema = z8.enum([
+  "investigate",
+  "adjust-routing",
+  "add-test",
+  "refactor",
+  "update-docs",
+  "fix-bug"
+]);
+var RemediationStepSchema = z8.object({
+  kind: RemediationActionKindSchema,
+  description: z8.string().min(1).max(500),
+  /** Optional path hint; bounded inert string, validated for traversal at use. */
+  targetPath: z8.string().min(1).max(300).optional()
+}).strict();
+var RemediationPlanSchema = z8.object({
+  /** Source signal key (mirrors ImprovementSignal.signalKey). */
+  signalKey: z8.string().min(1).max(200),
+  /** Signal category (mirrors SignalCategory). */
+  category: z8.enum(["routing", "tech-debt", "bug", "security", "consensus"]),
+  summary: z8.string().min(1).max(1e3),
+  steps: z8.array(RemediationStepSchema).min(1).max(20)
+}).strict();
+function parseRemediationPlan(raw) {
+  const result = RemediationPlanSchema.safeParse(raw);
+  if (!result.success) {
+    throw new RuleOfTwoViolation(
+      `RemediationPlan failed strict validation at the RESEARCH\u2192IMPLEMENT boundary: ${result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
+    );
+  }
+  return result.data;
+}
+function renderPlanAsResearch(plan) {
+  const steps = plan.steps.map((s, i) => {
+    const target = s.targetPath !== void 0 ? ` (target: ${s.targetPath})` : "";
+    return `${String(i + 1)}. [${s.kind}] ${s.description}${target}`;
+  }).join("\n");
+  return `Remediation plan for signal '${plan.signalKey}' (category: ${plan.category}).
+
+${plan.summary}
+
+Steps:
+${steps}`;
+}
+
+// src/mcp/tools/auto-remediation-branch.ts
+var AUTO_REMEDIATION_BRANCH_PREFIX = "auto-remediation/";
+function autoRemediationBranchName(signalKey) {
+  const slug = signalKey.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 100);
+  return `${AUTO_REMEDIATION_BRANCH_PREFIX}${slug || "signal"}`;
+}
+
+// src/mcp/tools/diff-secret-scan.ts
+var SECRET_PATTERNS = [
+  { name: "private-key-block", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/ },
+  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
+  { name: "slack-token", re: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/ },
+  { name: "google-api-key", re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
+  { name: "openai-key", re: /\bsk-[A-Za-z0-9]{32,}\b/ },
+  { name: "anthropic-key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/ },
+  { name: "jwt", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/ },
+  // Generic `secret/token/password/api_key = "long-value"` assignments.
+  {
+    name: "generic-credential-assignment",
+    re: /(?:api[_-]?key|secret|token|password|passwd|credential)\s*[:=]\s*["'][A-Za-z0-9/+_-]{16,}["']/i
+  }
+];
+function scanForSecrets(text) {
+  const findings = [];
+  const lines = text.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i] ?? "";
+    for (const { name, re } of SECRET_PATTERNS) {
+      if (re.test(line)) findings.push({ pattern: name, line: i + 1 });
+    }
+  }
+  return { clean: findings.length === 0, findings };
+}
+function describeSecretFindings(result) {
+  if (result.clean) return "no secrets detected";
+  return result.findings.map((f) => `${f.pattern}@L${String(f.line)}`).join(", ");
+}
+
+// src/mcp/tools/remediation-proposal-pr.ts
+var execFileAsync4 = promisify4(execFile4);
+function buildProposalDoc(plan) {
+  return `# Auto-remediation proposal \u2014 \`${plan.signalKey}\`
+
+> Consensus-approved remediation **proposal** (not auto-implemented). A human or coder implements the steps below; this PR is the reviewable plan.
+
+${renderPlanAsResearch(plan)}
+`;
+}
+function planSlug(signalKey) {
+  return autoRemediationBranchName(signalKey).replace(/^auto-remediation\//, "");
+}
+function makeProposalPrImplementAdapter(opts) {
+  const scan = opts.scan ?? scanForSecrets;
+  const baseBranch = opts.baseBranch ?? "main";
+  const logger19 = opts.logger ?? createLogger({ tool: "auto-remediation-pr" });
+  return async (plan, ledger) => {
+    ledger.assertCapability("repo-write");
+    const branch = autoRemediationBranchName(plan.signalKey);
+    const doc = buildProposalDoc(plan);
+    const result = scan(doc);
+    if (!result.clean) {
+      throw new Error(
+        `proposal PR aborted \u2014 secrets in plan doc: ${describeSecretFindings(result)}`
+      );
+    }
+    const worktree = await opts.ops.addWorktree(branch, baseBranch);
+    try {
+      await opts.ops.writeFileIn(worktree, `remediation-plans/${planSlug(plan.signalKey)}.md`, doc);
+      await opts.ops.commitAll(worktree, `chore(auto-remediation): proposal for ${plan.signalKey}`);
+      await opts.ops.pushBranch(worktree, branch);
+      const prUrl = await opts.pr.createDraftPr({
+        branch,
+        baseBranch,
+        title: `auto-remediation proposal: ${plan.signalKey}`,
+        body: doc
+      });
+      logger19.info("auto-remediation proposal PR opened", { branch, prUrl });
+      return { branch, prUrl };
+    } finally {
+      await opts.ops.removeWorktree(worktree).catch((err2) => {
+        logger19.warn("worktree cleanup failed (non-fatal)", {
+          worktree,
+          error: err2 instanceof Error ? err2.message : String(err2)
+        });
+      });
+    }
+  };
+}
+function makeGitWorktreeOps(repoRoot) {
+  const git = async (args, cwd) => {
+    await execFileAsync4("git", [...args], { cwd });
+  };
+  return {
+    async addWorktree(branch, baseBranch) {
+      const path21 = join18(repoRoot, ".nexus-worktrees", branch.replace(/\//g, "_"));
+      await git(["worktree", "add", "-b", branch, path21, baseBranch], repoRoot);
+      return path21;
+    },
+    async writeFileIn(worktreePath, relPath, content) {
+      const abs = join18(worktreePath, relPath);
+      await mkdir5(dirname11(abs), { recursive: true });
+      await writeFile6(abs, content, "utf8");
+    },
+    async commitAll(worktreePath, message) {
+      await git(["add", "-A"], worktreePath);
+      await git(["commit", "-m", message], worktreePath);
+    },
+    async pushBranch(worktreePath, branch) {
+      await git(["push", "-u", "origin", branch], worktreePath);
+    },
+    async removeWorktree(worktreePath) {
+      await git(["worktree", "remove", worktreePath, "--force"], repoRoot);
+    }
+  };
+}
+function makeGhPrCreator() {
+  return {
+    async createDraftPr({ branch, baseBranch, title, body }) {
+      const { stdout } = await execFileAsync4("gh", [
+        "pr",
+        "create",
+        "--draft",
+        "--head",
+        branch,
+        "--base",
+        baseBranch,
+        "--title",
+        title,
+        "--body",
+        body
+      ]);
+      return stdout.trim();
+    }
+  };
+}
+
 // src/mcp/tools/auto-remediation-deps.ts
 var NOT_READY = {
   shadowSelections: 0,
@@ -23049,16 +23278,22 @@ function buildAutoRemediationDeps(opts = {}) {
     // lease, so enforce must not proceed. (Audit never calls this.)
     async () => Promise.resolve(null)
   );
+  const implement = opts.repoRoot !== void 0 && opts.repo !== void 0 ? makeProposalPrImplementAdapter({
+    ops: makeGitWorktreeOps(opts.repoRoot),
+    pr: makeGhPrCreator(),
+    ...opts.baseBranch !== void 0 ? { baseBranch: opts.baseBranch } : {},
+    logger: logger19
+  }) : () => Promise.reject(
+    new Error(
+      "auto-remediation implement not wired \u2014 set repo + repoRoot to enable Option B (#3669)"
+    )
+  );
   return {
     research: (signal) => Promise.resolve(buildRemediationPlanFromSignal(signal)),
     vote: makeVoteAdapter(opts.voteRunner, logger19),
     acquireLease,
     readinessEvidence: opts.readiness ?? (() => Promise.resolve(NOT_READY)),
-    implement: () => Promise.reject(
-      new Error(
-        "auto-remediation implement adapter not wired yet (Option B, #3669) \u2014 enforce unavailable"
-      )
-    ),
+    implement,
     audit: (event) => {
       logger19.info(`[auto-remediation] ${event.step}`, {
         ...event.signalKey !== void 0 ? { signalKey: event.signalKey } : {},
@@ -23195,92 +23430,6 @@ function evaluateEnforceReadiness(evidence, config = DEFAULT_ENFORCE_READINESS_C
   return { ready: blockers.length === 0, criteria, blockers };
 }
 
-// src/mcp/tools/improvement-remediation-capability.ts
-import { z as z8 } from "zod";
-var PHASE_CAPABILITIES = {
-  research: /* @__PURE__ */ new Set(["untrusted-input", "secrets"]),
-  implement: /* @__PURE__ */ new Set(["repo-write", "secrets"])
-};
-var RuleOfTwoViolation = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "RuleOfTwoViolation";
-  }
-};
-var CapabilityLedger = class {
-  phase;
-  /** Enter a phase, setting its declared capability set as active. */
-  enterPhase(phase) {
-    this.phase = phase;
-  }
-  /** The active phase, or undefined if none entered. */
-  currentPhase() {
-    return this.phase;
-  }
-  /**
-   * Assert that `capability` is permitted right now. Throws {@link RuleOfTwoViolation}
-   * (fail-closed) if no phase is active or the active phase doesn't grant it —
-   * which structurally prevents the forbidden three-leg conjunction, since no
-   * phase grants more than two legs.
-   */
-  assertCapability(capability) {
-    if (this.phase === void 0) {
-      throw new RuleOfTwoViolation(
-        `capability '${capability}' requested before any remediation phase was entered (fail-closed)`
-      );
-    }
-    const allowed = PHASE_CAPABILITIES[this.phase];
-    if (!allowed.has(capability)) {
-      throw new RuleOfTwoViolation(
-        `capability '${capability}' is not permitted in phase '${this.phase}' (allowed: ${[...allowed].join(", ")})`
-      );
-    }
-  }
-};
-var RemediationActionKindSchema = z8.enum([
-  "investigate",
-  "adjust-routing",
-  "add-test",
-  "refactor",
-  "update-docs",
-  "fix-bug"
-]);
-var RemediationStepSchema = z8.object({
-  kind: RemediationActionKindSchema,
-  description: z8.string().min(1).max(500),
-  /** Optional path hint; bounded inert string, validated for traversal at use. */
-  targetPath: z8.string().min(1).max(300).optional()
-}).strict();
-var RemediationPlanSchema = z8.object({
-  /** Source signal key (mirrors ImprovementSignal.signalKey). */
-  signalKey: z8.string().min(1).max(200),
-  /** Signal category (mirrors SignalCategory). */
-  category: z8.enum(["routing", "tech-debt", "bug", "security", "consensus"]),
-  summary: z8.string().min(1).max(1e3),
-  steps: z8.array(RemediationStepSchema).min(1).max(20)
-}).strict();
-function parseRemediationPlan(raw) {
-  const result = RemediationPlanSchema.safeParse(raw);
-  if (!result.success) {
-    throw new RuleOfTwoViolation(
-      `RemediationPlan failed strict validation at the RESEARCH\u2192IMPLEMENT boundary: ${result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
-    );
-  }
-  return result.data;
-}
-function renderPlanAsResearch(plan) {
-  const steps = plan.steps.map((s, i) => {
-    const target = s.targetPath !== void 0 ? ` (target: ${s.targetPath})` : "";
-    return `${String(i + 1)}. [${s.kind}] ${s.description}${target}`;
-  }).join("\n");
-  return `Remediation plan for signal '${plan.signalKey}' (category: ${plan.category}).
-
-${plan.summary}
-
-Steps:
-${steps}`;
-}
-
 // src/mcp/tools/remediation-circuit-breaker.ts
 var DEFAULT_CIRCUIT_BREAKER_CONFIG = { threshold: 3 };
 var RemediationCircuitBreaker = class {
@@ -23584,16 +23733,16 @@ async function handleAutoRemediateCommand(args) {
 // src/cli/migrate-command.ts
 import { cpSync, existsSync as existsSync22, mkdirSync as mkdirSync6, readdirSync as readdirSync3 } from "fs";
 import { homedir } from "os";
-import { join as join18 } from "path";
+import { join as join19 } from "path";
 var logger18 = createLogger({ component: "migrate-command" });
-var HOMEDIR_DEFAULT_BASE = join18(homedir(), ".nexus-agents");
+var HOMEDIR_DEFAULT_BASE = join19(homedir(), ".nexus-agents");
 function countItems(dir) {
   if (!existsSync22(dir)) return 0;
   try {
     const entries = readdirSync3(dir, { withFileTypes: true });
     let n = 0;
     for (const e of entries) {
-      const p = join18(dir, e.name);
+      const p = join19(dir, e.name);
       if (e.isDirectory()) {
         n += countItems(p);
       } else {
@@ -23648,8 +23797,8 @@ function checkEarlyExits(fromBase, toBase, dryRun) {
   return null;
 }
 function planAndExecuteEntry(name, fromBase, toBase, perRepoSet, dryRun) {
-  const source = join18(fromBase, name);
-  const target = join18(toBase, name);
+  const source = join19(fromBase, name);
+  const target = join19(toBase, name);
   if (!perRepoSet.has(name)) {
     return { subdir: name, status: "skipped-not-per-repo", source, target: "", itemsCopied: 0 };
   }
@@ -23669,7 +23818,7 @@ function planAndExecuteEntry(name, fromBase, toBase, perRepoSet, dryRun) {
 function resolveDefaultTarget(cwd) {
   const repoRoot = findRepoRoot(cwd);
   if (repoRoot === null) return null;
-  return join18(repoRoot, ".nexus-agents");
+  return join19(repoRoot, ".nexus-agents");
 }
 function formatMigrationResult(result) {
   if (!result.success) {