wolverine-ai 1.1.0 → 1.2.0

package/README.md

@@ -10,24 +10,29 @@ Built on patterns from [claw-code](https://github.com/instructkr/claw-code) —
 
 ## Quick Start
 
+### Install from npm
+
 ```bash
-# Install from npm
 npm i wolverine-ai
+cp node_modules/wolverine-ai/.env.example .env.local
+# Edit .env.local — add your OPENAI_API_KEY
+npx wolverine server/index.js
+```
 
-# Or clone from GitHub
+### Or clone from GitHub
+
+```bash
 git clone https://github.com/bobbyswhip/Wolverine.git
 cd Wolverine
 npm install
-
-# Configure
 cp .env.example .env.local
-# Edit .env.local — add your OPENAI_API_KEY and generate an ADMIN_KEY
-
-# Run
+# Edit .env.local — add your OPENAI_API_KEY
 npm start
-# or: npx wolverine server/index.js
 ```
 
+[![npm](https://img.shields.io/npm/v/wolverine-ai)](https://www.npmjs.com/package/wolverine-ai)
+[![GitHub](https://img.shields.io/github/stars/bobbyswhip/Wolverine)](https://github.com/bobbyswhip/Wolverine)
+
 Dashboard opens at `http://localhost:PORT+1`. Server runs on `PORT`.
 
 ### Try a Demo

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {

package/src/agent/research-agent.js

@@ -1,6 +1,7 @@
 const chalk = require("chalk");
 const { aiCall } = require("../core/ai-client");
 const { getModel } = require("../core/models");
+const { redact } = require("../security/secret-redactor");
 
 /**
  * Research Agent — deep research + learning from experience.
@@ -18,7 +19,6 @@ class ResearchAgent {
   constructor(options = {}) {
     this.brain = options.brain;
     this.logger = options.logger;
-    this.redactor = options.redactor;
   }
 
   /**
@@ -50,8 +50,8 @@ class ResearchAgent {
   async recordAttempt({ errorMessage, filePath, fix, success, explanation }) {
     if (!this.brain || !this.brain._initialized) return;
 
-    const safeError = this.redactor ? this.redactor.redact(errorMessage) : errorMessage;
-    const safeExplanation = this.redactor ? this.redactor.redact(explanation || fix || "") : (explanation || fix || "");
+    const safeError = redact(errorMessage);
+    const safeExplanation = redact(explanation || fix || "");
 
     const namespace = success ? "fixes" : "errors";
     const prefix = success ? "FIXED" : "FAILED";
@@ -66,7 +66,7 @@ class ResearchAgent {
    * Stores findings in brain for future reference.
    */
   async research(errorMessage, context) {
-    const safeError = this.redactor ? this.redactor.redact(errorMessage) : errorMessage;
+    const safeError = redact(errorMessage);
 
     console.log(chalk.magenta(`  🔬 Deep research (${getModel("research")})...`));
 

package/src/brain/brain.js

@@ -191,6 +191,10 @@ const SEED_DOCS = [
     text: "Port best practices: development uses port 3000 (standard, no admin, firewall-friendly). Production uses 443 (HTTPS) or 80 (HTTP) behind a reverse proxy (nginx/caddy). Never use random high ports in production — they bypass firewalls and confuse load balancers. Always use HTTPS in production — terminate TLS at the proxy, not in Node. Dashboard auto-runs on port+1. Wolverine warns on startup if the port is non-standard.",
     metadata: { topic: "port-security" },
   },
+  {
+    text: "Secret redaction is a singleton: initRedactor(projectRoot) called once on startup, then redact(text), redactObj(obj), hasSecrets(text) available everywhere via require('../security/secret-redactor'). No need to pass redactor instances. Every outbound path auto-redacts: event logger, repair history, telemetry heartbeats, brain memories, AI calls, dashboard output. Env variable values replaced with process.env.KEY_NAME.",
+    metadata: { topic: "redaction-singleton" },
+  },
 ];
 
 class Brain {

package/src/core/runner.js

@@ -10,7 +10,7 @@ const { EventLogger, EVENT_TYPES } = require("../logger/event-logger");
 const { DashboardServer } = require("../dashboard/server");
 const { PerfMonitor } = require("../monitor/perf-monitor");
 const { Brain } = require("../brain/brain");
-const { SecretRedactor } = require("../security/secret-redactor");
+const { initRedactor, getRedactor } = require("../security/secret-redactor");
 const { McpRegistry } = require("../mcp/mcp-registry");
 const { TokenTracker } = require("../logger/token-tracker");
 const { RepairHistory } = require("../logger/repair-history");
@@ -43,7 +43,7 @@ class WolverineRunner {
 
     // Core subsystems
     this.sandbox = new Sandbox(this.cwd);
-    this.redactor = new SecretRedactor(this.cwd);
+    this.redactor = initRedactor(this.cwd);
     this.rateLimiter = new RateLimiter({
       maxCallsPerWindow: parseInt(process.env.WOLVERINE_RATE_MAX_CALLS, 10) || 10,
       windowMs: parseInt(process.env.WOLVERINE_RATE_WINDOW_MS, 10) || 600000,

package/src/core/wolverine.js

@@ -23,10 +23,12 @@ const { EVENT_TYPES } = require("../logger/event-logger");
  *
  * The engine tries fast path first. If that fails verification, it escalates to the agent.
  */
-async function heal({ stderr, cwd, sandbox, redactor, notifier, rateLimiter, backupManager, logger, brain, mcp, skills, repairHistory }) {
+async function heal({ stderr, cwd, sandbox, notifier, rateLimiter, backupManager, logger, brain, mcp, skills, repairHistory }) {
   const healStartTime = Date.now();
-  // Redact secrets from stderr BEFORE any processing, logging, or AI calls
-  const safeStderr = redactor ? redactor.redact(stderr) : stderr;
+  const { redact, hasSecrets } = require("../security/secret-redactor");
+
+  // Redact secrets BEFORE any processing, logging, or AI calls
+  const safeStderr = redact(stderr);
 
   if (logger) logger.info(EVENT_TYPES.HEAL_START, "Wolverine detected a crash", { stderr: safeStderr.slice(0, 500) });
   console.log(chalk.yellow("\n🐺 Wolverine detected a crash. Analyzing...\n"));
@@ -35,13 +37,11 @@ async function heal({ stderr, cwd, sandbox, redactor, notifier, rateLimiter, bac
   const parsed = parseError(stderr);
   const errorSignature = RateLimiter.signature(parsed.errorMessage, parsed.filePath);
 
-  // Redact the parsed fields — these go to AI, brain, and logs
-  if (redactor) {
-    parsed.errorMessage = redactor.redact(parsed.errorMessage);
-    parsed.stackTrace = redactor.redact(parsed.stackTrace);
-  }
+  // Redact parsed fields — these go to AI, brain, and logs
+  parsed.errorMessage = redact(parsed.errorMessage);
+  parsed.stackTrace = redact(parsed.stackTrace);
 
-  if (redactor && redactor.containsSecrets(stderr)) {
+  if (hasSecrets(stderr)) {
     console.log(chalk.yellow("  🔐 Secrets detected in error output — redacted before AI/brain/logs"));
   }
 
@@ -136,7 +136,7 @@ async function heal({ stderr, cwd, sandbox, redactor, notifier, rateLimiter, bac
   }
 
   // 6. Research — check past attempts to avoid loops
-  const researcher = new ResearchAgent({ brain, logger, redactor });
+  const researcher = new ResearchAgent({ brain, logger });
   let researchContext = "";
   try {
     researchContext = await researcher.buildFixContext(parsed.errorMessage);

package/src/dashboard/server.js

@@ -154,7 +154,8 @@ class DashboardServer {
         return;
       }
 
-      const safeCommand = this.redactor ? this.redactor.redact(command) : command;
+      const { redact } = require("../security/secret-redactor");
+      const safeCommand = redact(command);
 
       if (this._isSecretExtractionRequest(command)) {
         const refusal = this._buildSecretRefusal();
@@ -763,7 +764,7 @@ ${context ? "\nBrain:\n" + context : ""}`,
               req.on("error", (e) => resolve(`Error: ${e.message}`));
               req.on("timeout", () => { req.destroy(); resolve("Timeout"); });
             });
-            toolResult = this.redactor ? this.redactor.redact(toolResult) : toolResult;
+            const { redact: _r } = require("../security/secret-redactor"); toolResult = _r(toolResult);
             console.log(chalk.green(`  🌐 → ${toolResult.slice(0, 80)}`));
           } catch (e) { toolResult = `Error: ${e.message}`; }
         } else if (tc.function.name === "read_file") {

package/src/index.js

@@ -11,7 +11,7 @@ const { HealthMonitor } = require("./core/health-monitor");
 const { Sandbox, SandboxViolationError } = require("./security/sandbox");
 const { RateLimiter } = require("./security/rate-limiter");
 const { detectInjection } = require("./security/injection-detector");
-const { SecretRedactor } = require("./security/secret-redactor");
+const { SecretRedactor, initRedactor, redact, redactObj, hasSecrets } = require("./security/secret-redactor");
 const { AdminAuth } = require("./security/admin-auth");
 const { BackupManager } = require("./backup/backup-manager");
 const { EventLogger, EVENT_TYPES, SEVERITY } = require("./logger/event-logger");

package/src/logger/event-logger.js

@@ -91,9 +91,6 @@ class EventLogger extends EventEmitter {
     this._recentEvents = [];
     this._maxRecent = 1000;
 
-    // Secret redactor — if set, all events get redacted before persist/emit
-    this.redactor = null;
-
     // Session tracking
     this.sessionId = Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 6);
     this.sessionStart = Date.now();
@@ -101,11 +98,9 @@ class EventLogger extends EventEmitter {
   }
 
   /**
-   * Attach a SecretRedactor. All events will be redacted before storage/emit.
+   * @deprecated Use singleton redact() — kept for backwards compat
    */
-  setRedactor(redactor) {
-    this.redactor = redactor;
-  }
+  setRedactor() {}
 
   /**
    * Log an event. This is the primary API.
@@ -117,8 +112,10 @@ class EventLogger extends EventEmitter {
    */
   log(type, severity, message, data = {}) {
     // Redact secrets before they hit storage or the wire
-    const safeMessage = this.redactor ? this.redactor.redact(message) : message;
-    const safeData = this.redactor ? this.redactor.redactObject(data) : data;
+    // Universal redaction via singleton — no instance needed
+    const { redact, redactObj } = require("../security/secret-redactor");
+    const safeMessage = redact(message);
+    const safeData = redactObj(data);
 
     const event = {
       id: `${this.sessionId}-${(++this._eventCount).toString(36)}`,

package/src/logger/repair-history.js

@@ -37,14 +37,15 @@ class RepairHistory {
     duration,      // ms from crash to fix
     filesModified, // files changed
   }) {
+    const { redact } = require("../security/secret-redactor");
     const entry = {
       id: Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 4),
       timestamp: Date.now(),
       iso: new Date().toISOString(),
-      error: (error || "").slice(0, 200),
+      error: redact((error || "").slice(0, 200)),
       file,
       line,
-      resolution: (resolution || "").slice(0, 300),
+      resolution: redact((resolution || "").slice(0, 300)),
       success,
       mode,
       model,

package/src/platform/telemetry.js

@@ -13,7 +13,7 @@ let _v = null;
 function collectHeartbeat(subsystems) {
   if (!_v) { try { _v = require("../../package.json").version; } catch { _v = "0.0.0"; } }
 
-  const { processMonitor, routeProber, tokenTracker, repairHistory, backupManager, brain, redactor } = subsystems;
+  const { processMonitor, routeProber, tokenTracker, repairHistory, backupManager, brain } = subsystems;
   const proc = processMonitor?.getMetrics();
   const usage = tokenTracker?.getAnalytics();
   const repairs = repairHistory?.getStats();
@@ -60,10 +60,10 @@ function collectHeartbeat(subsystems) {
     backups: backupManager?.getStats() || { total: 0, stable: 0 },
   };
 
-  if (redactor && repairs?.lastRepair) {
+  if (repairs?.lastRepair) {
     payload.repairs.lastRepair = {
-      error: redactor.redact((repairs.lastRepair?.error || "").slice(0, 150)),
-      resolution: redactor.redact((repairs.lastRepair?.resolution || "").slice(0, 150)),
+      error: (repairs.lastRepair?.error || "").slice(0, 150),
+      resolution: (repairs.lastRepair?.resolution || "").slice(0, 150),
       tokens: repairs.lastRepair?.tokens || 0,
       cost: repairs.lastRepair?.cost || 0,
       mode: repairs.lastRepair?.mode || "",
@@ -72,7 +72,9 @@ function collectHeartbeat(subsystems) {
     };
   }
 
-  return payload;
+  // Pre-flight security: redact entire payload before it leaves the process
+  const { redactObj } = require("../security/secret-redactor");
+  return redactObj(payload);
 }
 
 module.exports = { collectHeartbeat, INSTANCE_ID };

package/src/security/secret-redactor.js

@@ -214,4 +214,50 @@ class SecretRedactor {
   }
 }
 
-module.exports = { SecretRedactor };
+// ── Singleton ──
+// One instance, initialized once, used everywhere.
+// Import { redact, redactObj } from anywhere — no need to pass the redactor around.
+
+let _instance = null;
+
+/**
+ * Initialize the singleton. Call once on startup from runner.
+ */
+function initRedactor(projectRoot) {
+  _instance = new SecretRedactor(projectRoot);
+  return _instance;
+}
+
+/**
+ * Get the singleton instance.
+ */
+function getRedactor() {
+  return _instance;
+}
+
+/**
+ * Redact a string. Safe to call even if not initialized (returns input unchanged).
+ * This is the universal function — use it everywhere instead of this.redactor?.redact().
+ */
+function redact(text) {
+  if (!_instance || !text || typeof text !== "string") return text;
+  return _instance.redact(text);
+}
+
+/**
+ * Redact all string values in an object (deep). Safe to call if not initialized.
+ */
+function redactObj(obj) {
+  if (!_instance) return obj;
+  return _instance.redactObject(obj);
+}
+
+/**
+ * Check if a string contains secrets.
+ */
+function hasSecrets(text) {
+  if (!_instance || !text) return false;
+  return _instance.containsSecrets(text);
+}
+
+module.exports = { SecretRedactor, initRedactor, getRedactor, redact, redactObj, hasSecrets };