npm - nexus-agents - Versions diffs - 2.125.41 → 2.127.0 - Mend

nexus-agents 2.125.41 → 2.127.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/{chunk-6KQI4SJT.js → chunk-JE6K7PD6.js} RENAMED Viewed

@@ -47,7 +47,7 @@ import {
 } from "./chunk-PI4RZNLE.js";
 import {
   withPrerequisite
-} from "./chunk-GWUMFIQP.js";
+} from "./chunk-M5QEWTVL.js";
 import {
   NOOP_NOTIFIER,
   RateLimiter,
@@ -122,7 +122,7 @@ import {
   DEFAULT_TASK_TTL_MS,
   DEFAULT_TOOL_RATE_LIMITS,
   clampTaskTtl
-} from "./chunk-323AIMTE.js";
+} from "./chunk-QPVEGYBW.js";
 import {
   resolveInsideRoot
 } from "./chunk-NUBSJGQZ.js";
@@ -50477,4 +50477,4 @@ export {
   shutdownFeedbackSubscriber,
   createEventBusBridge
 };
-//# sourceMappingURL=chunk-6KQI4SJT.js.map
+//# sourceMappingURL=chunk-JE6K7PD6.js.map

package/dist/{chunk-GWUMFIQP.js → chunk-M5QEWTVL.js} RENAMED Viewed

@@ -18,14 +18,15 @@ import {
   getTimeProvider
 } from "./chunk-QT3VRHNP.js";
 import {
-  getNexusDataDir
+  getNexusDataDir,
+  nexusDataPath
 } from "./chunk-ZGLIHPGJ.js";
 // src/mcp/tools/improvement-review.ts
 import { execFile as execFile2 } from "child_process";
 import { readFile } from "fs/promises";
 import { promisify as promisify2 } from "util";
-import { z } from "zod";
+import { z as z2 } from "zod";
 // src/mcp/middleware/tool-prerequisites.ts
 import { execFile } from "child_process";
@@ -741,6 +742,163 @@ function improvementSignalsToTasks(signals, existingTaskIds) {
   return tasks;
 }
+// src/mcp/tools/improvement-remediation-shadow.ts
+import { z } from "zod";
+// src/config/jsonl-store.ts
+import { appendFileSync, existsSync as existsSync2, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { dirname as dirname2 } from "path";
+var DIR_MODE = 448;
+var JsonlStore = class {
+  filePath;
+  schema;
+  maxRecords;
+  logger;
+  records = [];
+  constructor(config) {
+    this.filePath = config.filePath;
+    this.schema = config.schema;
+    this.maxRecords = Math.max(1, config.maxRecords);
+    this.logger = config.logger ?? createLogger({ component: config.component ?? "JsonlStore" });
+    this.ensureDir();
+    this.hydrate();
+  }
+  /** Append one record durably. Validates at the boundary; never throws. */
+  append(record) {
+    const result = this.schema.safeParse(record);
+    if (!result.success) {
+      this.logger.warn("Refusing to persist invalid JSONL record", {
+        path: this.filePath,
+        issues: result.error.issues.map((i) => i.message).join("; ")
+      });
+      return;
+    }
+    this.records.push(result.data);
+    if (this.records.length > this.maxRecords) {
+      this.records.splice(0, this.records.length - this.maxRecords);
+      this.rewriteFile();
+      return;
+    }
+    this.persistLine(result.data);
+  }
+  /** All retained records, oldest first. */
+  all() {
+    return this.records;
+  }
+  /** Number of retained records. */
+  count() {
+    return this.records.length;
+  }
+  // ==========================================================================
+  // Private
+  // ==========================================================================
+  ensureDir() {
+    try {
+      mkdirSync(dirname2(this.filePath), { recursive: true, mode: DIR_MODE });
+    } catch (error) {
+      this.logger.warn("Failed to create JSONL store directory", {
+        error: getErrorMessage(error),
+        path: this.filePath
+      });
+    }
+  }
+  hydrate() {
+    if (!existsSync2(this.filePath)) {
+      this.logger.debug("No JSONL file found, starting fresh", { path: this.filePath });
+      return;
+    }
+    let loaded = 0;
+    let skipped = 0;
+    try {
+      const content = readFileSync2(this.filePath, "utf-8");
+      const lines = content.split("\n").filter((line) => line.trim().length > 0);
+      for (const line of lines) {
+        try {
+          const parsed = JSON.parse(line);
+          const result = this.schema.safeParse(parsed);
+          if (result.success) {
+            this.records.push(result.data);
+            loaded++;
+          } else {
+            skipped++;
+          }
+        } catch {
+          skipped++;
+        }
+      }
+    } catch (error) {
+      this.logger.warn("Failed to hydrate JSONL store from disk", {
+        error: getErrorMessage(error),
+        path: this.filePath
+      });
+      return;
+    }
+    if (this.records.length > this.maxRecords) {
+      this.records.splice(0, this.records.length - this.maxRecords);
+      this.rewriteFile();
+    }
+    this.logger.debug("Hydrated JSONL store from disk", {
+      loaded,
+      skipped,
+      retained: this.records.length,
+      path: this.filePath
+    });
+  }
+  persistLine(record) {
+    try {
+      appendFileSync(this.filePath, JSON.stringify(record) + "\n", "utf-8");
+    } catch (error) {
+      this.logger.warn("Failed to append JSONL record to disk", {
+        error: getErrorMessage(error),
+        path: this.filePath
+      });
+    }
+  }
+  rewriteFile() {
+    try {
+      const content = this.records.map((r) => JSON.stringify(r)).join("\n") + "\n";
+      writeFileSync(this.filePath, content, "utf-8");
+    } catch (error) {
+      this.logger.warn("Failed to rewrite JSONL store file", {
+        error: getErrorMessage(error),
+        path: this.filePath
+      });
+    }
+  }
+};
+// src/mcp/tools/diff-secret-scan.ts
+var SECRET_PATTERNS = [
+  { name: "private-key-block", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/ },
+  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
+  { name: "slack-token", re: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/ },
+  { name: "google-api-key", re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
+  { name: "openai-key", re: /\bsk-[A-Za-z0-9]{32,}\b/ },
+  { name: "anthropic-key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/ },
+  { name: "jwt", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/ },
+  // Generic `secret/token/password/api_key = "long-value"` assignments.
+  {
+    name: "generic-credential-assignment",
+    re: /(?:api[_-]?key|secret|token|password|passwd|credential)\s*[:=]\s*["'][A-Za-z0-9/+_-]{16,}["']/i
+  }
+];
+function scanForSecrets(text) {
+  const findings = [];
+  const lines = text.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i] ?? "";
+    for (const { name, re } of SECRET_PATTERNS) {
+      if (re.test(line)) findings.push({ pattern: name, line: i + 1 });
+    }
+  }
+  return { clean: findings.length === 0, findings };
+}
+function describeSecretFindings(result) {
+  if (result.clean) return "no secrets detected";
+  return result.findings.map((f) => `${f.pattern}@L${String(f.line)}`).join(", ");
+}
 // src/mcp/tools/improvement-remediation-shadow.ts
 function isSecuritySignal(signal) {
   if (signal.category === "security") return true;
@@ -787,6 +945,180 @@ function recordRemediationShadow(signals, sink = getRemediationShadowSink()) {
   for (const record of records) sink.record(record);
   return records;
 }
+var SoakVoteOutcomeSchema = z.object({
+  approved: z.boolean(),
+  /** Approval percentage at vote time, 0–100 (the consensus tally). */
+  approvalPercentage: z.number()
+});
+var RemediationSoakRecordSchema = z.object({
+  /** ISO-8601 capture time. */
+  timestamp: z.string(),
+  /** The improvement signal's stable key. */
+  signalKey: z.string(),
+  /** The signal's category. */
+  category: z.string(),
+  /** The classified remediation priority (p0–p4). */
+  priority: z.string(),
+  /** The signal's declared severity. */
+  severity: z.string(),
+  /** Vote outcome (approved/rejected + tally), undefined if the signal never reached a vote. */
+  voteOutcome: SoakVoteOutcomeSchema.optional(),
+  /** Number of plan steps research produced (0 if research/plan failed). */
+  planStepCount: z.number(),
+  /** p0 dry-run result detail (scrubbed); undefined for non-p0 or when no dry-run ran. */
+  dryRunResult: z.string().optional(),
+  /** Human-readable verdict reason (scrubbed). */
+  reason: z.string()
+});
+var SOAK_MAX_RECORDS = 1e4;
+function getRemediationSoakFile() {
+  return nexusDataPath("learning", "remediation-soak.jsonl");
+}
+function scrubSoakRecord(record) {
+  const scrub = (text) => {
+    const result = scanForSecrets(text);
+    if (result.clean) return text;
+    return `[redacted: ${describeSecretFindings(result)}]`;
+  };
+  const scrubbed = {
+    ...record,
+    reason: scrub(record.reason),
+    ...record.dryRunResult !== void 0 ? { dryRunResult: scrub(record.dryRunResult) } : {}
+  };
+  return scrubbed;
+}
+function createRemediationSoakSink(filePath = getRemediationSoakFile(), maxRecords = SOAK_MAX_RECORDS) {
+  const store = new JsonlStore({
+    filePath,
+    schema: RemediationSoakRecordSchema,
+    maxRecords,
+    component: "RemediationSoakSink"
+  });
+  return {
+    record(record) {
+      store.append(scrubSoakRecord(record));
+    },
+    getRecords() {
+      return store.all();
+    }
+  };
+}
+var soakSingleton;
+function getRemediationSoakSink() {
+  soakSingleton ??= createRemediationSoakSink();
+  return soakSingleton;
+}
+function tallySoakRecord(t, r) {
+  t.byCategory[r.category] = (t.byCategory[r.category] ?? 0) + 1;
+  t.byPriority[r.priority] = (t.byPriority[r.priority] ?? 0) + 1;
+  if (r.voteOutcome !== void 0) {
+    t.voted++;
+    if (r.voteOutcome.approved) t.approved++;
+  }
+  if (r.dryRunResult !== void 0) t.dryRunsCaptured++;
+}
+function summarizeRemediationSoak(records) {
+  const t = {
+    byCategory: {},
+    byPriority: {},
+    voted: 0,
+    approved: 0,
+    dryRunsCaptured: 0
+  };
+  for (const r of records) tallySoakRecord(t, r);
+  const first = records[0]?.timestamp;
+  const last = records[records.length - 1]?.timestamp;
+  return {
+    total: records.length,
+    voted: t.voted,
+    approved: t.approved,
+    rejected: t.voted - t.approved,
+    approvalRate: t.voted === 0 ? 0 : t.approved / t.voted,
+    dryRunsCaptured: t.dryRunsCaptured,
+    byCategory: t.byCategory,
+    byPriority: t.byPriority,
+    ...first !== void 0 ? { firstTimestamp: first } : {},
+    ...last !== void 0 ? { lastTimestamp: last } : {}
+  };
+}
+function readRemediationSoakSummary(sink = getRemediationSoakSink()) {
+  return summarizeRemediationSoak(sink.getRecords());
+}
+function parseVoteDetail(detail) {
+  const approved = /\bapproved\b/.test(detail);
+  const rejected = /\brejected\b/.test(detail);
+  if (!approved && !rejected) return void 0;
+  const pct = /(\d+(?:\.\d+)?)%/.exec(detail);
+  return {
+    approved,
+    approvalPercentage: pct?.[1] !== void 0 ? Number(pct[1]) : approved ? 100 : 0
+  };
+}
+var SOAK_TERMINAL_REASON_STEPS = /* @__PURE__ */ new Set([
+  "skip",
+  "research-failed",
+  "protected-path"
+]);
+function applySoakEvent(d, event) {
+  if (event.step === "plan") {
+    const n = /(\d+)\s*steps?/.exec(event.detail);
+    d.planStepCount = n?.[1] !== void 0 ? Number(n[1]) : 0;
+    if (d.reason === "") d.reason = "plan produced";
+    return;
+  }
+  if (event.step === "vote") {
+    const outcome = parseVoteDetail(event.detail);
+    if (outcome !== void 0) d.voteOutcome = outcome;
+    d.reason = event.detail;
+    return;
+  }
+  if (event.step === "dry-run") {
+    d.dryRunResult = event.detail;
+    return;
+  }
+  if (SOAK_TERMINAL_REASON_STEPS.has(event.step)) d.reason = event.detail;
+}
+function draftToSoakRecord(d, meta, timestamp) {
+  return {
+    timestamp,
+    signalKey: d.signalKey,
+    category: meta?.category ?? "unknown",
+    priority: meta?.priority ?? "unknown",
+    severity: meta?.severity ?? "unknown",
+    ...d.voteOutcome !== void 0 ? { voteOutcome: d.voteOutcome } : {},
+    planStepCount: d.planStepCount,
+    ...d.dryRunResult !== void 0 ? { dryRunResult: d.dryRunResult } : {},
+    reason: d.reason === "" ? "no verdict recorded" : d.reason
+  };
+}
+function createRemediationSoakCollector(metaFor, sink = getRemediationSoakSink()) {
+  const drafts = /* @__PURE__ */ new Map();
+  const draftFor = (signalKey) => {
+    let d = drafts.get(signalKey);
+    if (d === void 0) {
+      d = { signalKey, planStepCount: 0, reason: "" };
+      drafts.set(signalKey, d);
+    }
+    return d;
+  };
+  return {
+    observe(event) {
+      if (event.signalKey === void 0) return;
+      applySoakEvent(draftFor(event.signalKey), event);
+    },
+    flush() {
+      const ts = new Date(getTimeProvider().now()).toISOString();
+      const out = [];
+      for (const d of drafts.values()) {
+        const record = draftToSoakRecord(d, metaFor(d.signalKey), ts);
+        sink.record(record);
+        out.push(record);
+      }
+      drafts.clear();
+      return out;
+    }
+  };
+}
 // src/mcp/tools/remediation-priority.ts
 function priorityLabel(priority) {
@@ -816,14 +1148,14 @@ function classifySignalPriority(signal) {
 // src/mcp/tools/improvement-review.ts
 var execFileAsync2 = promisify2(execFile2);
-var ImprovementReviewInputSchema = z.object({
-  lookbackDays: z.number().int().min(1).max(90).optional().default(7).describe("Lookback window for outcome data, in days. Default 7."),
-  fileIssues: z.boolean().optional().default(false).describe(
+var ImprovementReviewInputSchema = z2.object({
+  lookbackDays: z2.number().int().min(1).max(90).optional().default(7).describe("Lookback window for outcome data, in days. Default 7."),
+  fileIssues: z2.boolean().optional().default(false).describe(
     "When true, file candidate issues via `gh issue create` for crossed thresholds (rate-limited to 5 per run, deduped against open issues). When false (default), return signals only."
   ),
-  minSampleSize: z.number().int().min(1).max(1e3).optional().default(5).describe("Minimum sample size before a CLI/category signal can fire."),
-  fitnessFloor: z.number().int().min(0).max(100).optional().default(90).describe("Fitness score below this threshold triggers a tech-debt signal."),
-  selfEvalReportPath: z.string().optional().describe(
+  minSampleSize: z2.number().int().min(1).max(1e3).optional().default(5).describe("Minimum sample size before a CLI/category signal can fire."),
+  fitnessFloor: z2.number().int().min(0).max(100).optional().default(90).describe("Fitness score below this threshold triggers a tech-debt signal."),
+  selfEvalReportPath: z2.string().optional().describe(
     "Optional path to a self-eval JSON report (from `self-eval --json`). When set, high-confidence unanimous deprecate/refactor findings are surfaced as tech-debt signals through the same deduped/rate-limited issue path (#3224). Unreadable/malformed reports are skipped (no signal). Absent \u2192 no self-eval signals."
   )
 });
@@ -1021,14 +1353,14 @@ function detectFitnessSignals(audit, fitnessFloor) {
   return signals;
 }
 var SELF_EVAL_CONFIDENCE_FLOOR = 0.8;
-var SelfEvalReportSchema = z.object({
-  results: z.array(
-    z.object({
-      component: z.string(),
-      finalRecommendation: z.string(),
-      confidence: z.number(),
-      dissent: z.array(z.unknown()).optional().default([]),
-      evidenceQuality: z.number().optional()
+var SelfEvalReportSchema = z2.object({
+  results: z2.array(
+    z2.object({
+      component: z2.string(),
+      finalRecommendation: z2.string(),
+      confidence: z2.number(),
+      dissent: z2.array(z2.unknown()).optional().default([]),
+      evidenceQuality: z2.number().optional()
     })
   )
 });
@@ -1243,13 +1575,13 @@ async function reviewHandler(args, ctx) {
 }
 var description = "Periodic threshold-gated observability-driven improvement loop. Reads OutcomeStore + fitness audit, surfaces patterns crossing documented thresholds as candidate findings. When fileIssues=true, files candidate GitHub issues via `gh issue create` (rate-limited to 5 per run, deduped against open issues). Never auto-merges. Replaces the deleted self-development engine (#2402).";
 var TOOL_INPUT_SCHEMA = {
-  lookbackDays: z.number().int().min(1).max(90).optional().describe("Lookback window for outcome data, in days. Default 7."),
-  fileIssues: z.boolean().optional().describe(
+  lookbackDays: z2.number().int().min(1).max(90).optional().describe("Lookback window for outcome data, in days. Default 7."),
+  fileIssues: z2.boolean().optional().describe(
     "When true, file candidate issues for crossed thresholds (default false \u2014 return signals only)"
   ),
-  minSampleSize: z.number().int().min(1).max(1e3).optional().describe("Minimum sample size before a CLI/category signal fires (default 5)."),
-  fitnessFloor: z.number().int().min(0).max(100).optional().describe("Fitness score below this threshold triggers a tech-debt signal (default 90)."),
-  selfEvalReportPath: z.string().optional().describe(
+  minSampleSize: z2.number().int().min(1).max(1e3).optional().describe("Minimum sample size before a CLI/category signal fires (default 5)."),
+  fitnessFloor: z2.number().int().min(0).max(100).optional().describe("Fitness score below this threshold triggers a tech-debt signal (default 90)."),
+  selfEvalReportPath: z2.string().optional().describe(
     "Optional path to a self-eval JSON report. High-confidence unanimous deprecate/refactor findings surface as tech-debt signals (#3224)."
   )
 };
@@ -1282,6 +1614,12 @@ export {
   withPrerequisite,
   createFitnessScoreCalculator,
   calculateFitnessScore,
+  JsonlStore,
+  scanForSecrets,
+  describeSecretFindings,
+  getRemediationSoakSink,
+  readRemediationSoakSummary,
+  createRemediationSoakCollector,
   consensusFor,
   classifySignalPriority,
   ImprovementReviewInputSchema,
@@ -1296,4 +1634,4 @@ export {
   runImprovementReview,
   registerImprovementReviewTool
 };
-//# sourceMappingURL=chunk-GWUMFIQP.js.map
+//# sourceMappingURL=chunk-M5QEWTVL.js.map