wolverine-ai 1.2.0 → 1.4.0

package/README.md

@@ -73,7 +73,8 @@ wolverine/
 │   │   ├── ai-client.js     ← OpenAI client (Chat + Responses API)
 │   │   ├── models.js        ← 10-model configuration system
 │   │   ├── verifier.js      ← Fix verification (syntax + boot probe)
-│   │   ├── error-parser.js  ← Stack trace parsing
+│   │   ├── error-parser.js  ← Stack trace parsing + error classification
+│   │   ├── error-hook.js   ← Auto-injected into child (IPC error reporting)
 │   │   ├── patcher.js       ← File patching with sandbox
 │   │   ├── health-monitor.js← PM2-style health checks
 │   │   ├── config.js        ← Config loader (settings.json + env)
@@ -105,7 +106,8 @@ wolverine/
 │   ├── monitor/             ← Performance + process management
 │   │   ├── perf-monitor.js  ← Endpoint response times + spam detection
 │   │   ├── process-monitor.js← Memory/CPU/heartbeat + leak detection
-│   │   └── route-prober.js  ← Auto-discovers and tests all routes
+│   │   ├── route-prober.js  ← Auto-discovers and tests all routes
+│   │   └── error-monitor.js ← Caught 500 error detection (no-crash healing)
 │   ├── dashboard/           ← Web UI
 │   │   └── server.js        ← Real-time dashboard + command interface
 │   ├── notifications/       ← Alerts
@@ -140,30 +142,62 @@ wolverine/
 
 ```
 Server crashes
-  → Error parsed (file, line, message)
+  → Error parsed (file, line, message, errorType)
+  → Error classified: missing_module | missing_file | permission | port_conflict | syntax | runtime
   → Secrets redacted from error output
   → Prompt injection scan (AUDIT_MODEL)
   → Human-required check (expired keys, service down → notify, don't waste tokens)
   → Rate limit check (error loop → exponential backoff)
 
+Operational Fix (zero AI tokens):
+  → "Cannot find module 'cors'" → npm install cors (instant, free)
+  → ENOENT on config file → create missing file with defaults
+  → EACCES/EPERM → chmod 755
+  → If operational fix works → done. No AI needed.
+
 Goal Loop (iterate until fixed or exhausted):
   Iteration 1: Fast path (CODING_MODEL, single file, ~1-2k tokens)
-    → Apply patch → Verify (syntax check + boot probe) → Pass? Done.
+    → AI returns code changes AND/OR shell commands (npm install, mkdir, etc.)
+    → Execute commands first, apply patches second
+    → Verify (syntax check + boot probe) → Pass? Done.
   Iteration 2: Single agent (REASONING_MODEL, multi-file, 10 tools)
-    → Explores codebase → Fix → Verify → Pass? Done.
+    → Agent has error pattern → fix strategy table
+    → Uses bash_exec for npm install, chmod, config creation
+    → Uses edit_file for code fixes
+    → Verify → Pass? Done.
   Iteration 3: Sub-agents (explore → plan → fix)
     → Explorer finds relevant files (read-only)
-    → Planner proposes fix strategy (read-only)
-    → Fixer executes the plan (write access)
+    → Planner considers operational vs code fixes
+    → Fixer has bash_exec + file tools (can npm install AND edit code)
     → Deep research (RESEARCH_MODEL) feeds into context
     → Each failure feeds into the next attempt
 
 After fix:
-  → Record to repair history (error, resolution, tokens, cost)
+  → Record to repair history (error, resolution, tokens, cost, mode)
   → Store in brain for future reference
   → Promote backup to stable after 30min uptime
 ```
 
+### Caught Error Healing (No-Crash)
+
+Most production bugs don't crash the process — Fastify/Express catch them and return 500. Wolverine now detects these too:
+
+```
+Route returns 500 (process still alive)
+  → Error hook reports to parent via IPC (auto-injected, zero user code changes)
+  → ErrorMonitor tracks consecutive 500s per route
+  → 3 failures in 30s → triggers heal pipeline (same as crash healing)
+  → Fix applied → server restarted → route prober verifies fix
+```
+
+| Setting | Default | Env Variable |
+|---------|---------|-------------|
+| Failure threshold | 3 | `WOLVERINE_ERROR_THRESHOLD` |
+| Time window | 30s | `WOLVERINE_ERROR_WINDOW_MS` |
+| Cooldown per route | 60s | `WOLVERINE_ERROR_COOLDOWN_MS` |
+
+The error hook auto-patches Fastify and Express via `--require` preload. No middleware, no code changes to your server.
+
 ---
 
 ## Agent Tool Harness
@@ -199,7 +233,7 @@ For complex repairs, wolverine spawns specialized sub-agents that run in sequenc
 |-------|--------|-------|------|
 | `explore` | Read-only | REASONING | Investigate codebase, find relevant files |
 | `plan` | Read-only | REASONING | Analyze problem, propose fix strategy |
-| `fix` | Read+write | CODING | Execute targeted fix from plan |
+| `fix` | Read+write+shell | CODING | Execute targeted fix — code edits AND npm install/chmod |
 | `verify` | Read-only | REASONING | Check if fix actually works |
 | `research` | Read-only | RESEARCH | Search brain + web for solutions |
 | `security` | Read-only | AUDIT | Audit code for vulnerabilities |
@@ -224,8 +258,7 @@ Real-time web UI at `http://localhost:PORT+1`:
 | **Performance** | Endpoint response times, request rates, error rates |
 | **Command** | Admin chat interface — ask questions or build features |
 | **Analytics** | Memory/CPU charts, route health, per-route response times + trends |
-| **Command** | Admin chat interface — ask questions or build features |
-| **Backups** | Full server/ snapshot history with status badges |
+| **Backups** | Full backup management: rollback/hot-load buttons, undo, rollback log, admin IP allowlist |
 | **Brain** | Vector store stats (23 seed docs), namespace counts, function map |
 | **Repairs** | Error/resolution audit trail: error, fix, tokens, cost, duration |
 | **Tools** | Agent tool harness listing (10 built-in + MCP) |
@@ -241,7 +274,7 @@ Three routes (AI-classified per command):
 | **TOOLS** | TOOL_MODEL | call_endpoint, read_file, search_brain | Live data, file contents |
 | **AGENT** | CODING_MODEL | Full 10-tool harness | Build features, fix code |
 
-Secured with `WOLVERINE_ADMIN_KEY` + localhost-only IP check.
+Secured with `WOLVERINE_ADMIN_KEY` + IP allowlist (localhost + `WOLVERINE_ADMIN_IPS`).
 
 ---
 
@@ -273,7 +306,7 @@ Reasoning models (`o-series`, `gpt-5-nano`) automatically get 4x token limits to
 | **Injection Detector** | Regex layer + AI audit (AUDIT_MODEL) on every error before repair |
 | **Sandbox** | All file operations locked to project directory, symlink escape detection |
 | **Protected Paths** | Agent blocked from modifying wolverine internals (`src/`, `bin/`, etc.) |
-| **Admin Auth** | Dashboard command interface requires key + localhost IP, timing-safe comparison, lockout after 10 failures |
+| **Admin Auth** | Dashboard requires key + IP allowlist. Localhost always allowed. Remote IPs via `WOLVERINE_ADMIN_IPS` env var or `POST /api/admin/add-ip` at runtime. Timing-safe comparison, lockout after 10 failures |
 | **Rate Limiter** | Sliding window, min gap, hourly budget, exponential backoff on error loops |
 | **MCP Security** | Per-server tool allowlists, arg sanitization, result injection scanning |
 | **SQL Skill** | `sqlGuard()` middleware blocks 15 injection pattern families on all endpoints |
@@ -409,14 +442,29 @@ All demos use the `server/` directory pattern. Each demo:
 
 ## Backup System
 
-Full `server/` directory snapshots:
+Full `server/` directory snapshots with lifecycle management:
 
-- Created before every repair attempt and every smart edit
+- Created before every repair attempt and every smart edit (with reason string)
+- Created on graceful shutdown (`createShutdownBackup()`)
 - Includes all files: `.js`, `.json`, `.sql`, `.db`, `.yaml`, configs
 - **Status lifecycle**: UNSTABLE → VERIFIED (fix passed) → STABLE (30min+ uptime)
-- **Retention**: unstable pruned after 7 days, stable keeps 1/day after 7 days
+- **Retention**: unstable/verified pruned after 7 days, stable keeps 1/day after 7 days
 - Atomic writes prevent corruption on kill
 
+**Rollback & Recovery:**
+
+| Action | What it does |
+|--------|-------------|
+| **Rollback** | Restore any backup — creates a pre-rollback safety backup first, restarts server |
+| **Undo Rollback** | Restore the pre-rollback state if the rollback made things worse |
+| **Hot-load** | Load any backup as the current server state from the dashboard |
+| **Rollback Log** | Full audit trail: timestamp, action, target backup, success/failure |
+
+**Dashboard endpoints** (admin auth required):
+- `POST /api/backups/:id/rollback` — rollback to specific backup
+- `POST /api/backups/:id/hotload` — hot-load backup as current state
+- `POST /api/backups/undo` — undo the last rollback
+
 ---
 
 ## Skills

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {

package/src/agent/agent-engine.js

@@ -262,11 +262,27 @@ Use these tools systematically:
 5. You can edit ANY file type: .js, .json, .sql, .yaml, .env, .dockerfile, .sh, etc.
 6. Prefer edit_file for small targeted fixes, write_file for major changes
 7. Use grep_code to find all usages before renaming something
-8. Use bash_exec to run tests or check dependencies
+8. Use bash_exec to run tests, install packages, or check dependencies
+
+CRITICAL — Not every crash is a code bug. Choose the right fix:
+
+| Error Pattern | Root Cause | Correct Fix |
+|---|---|---|
+| Cannot find module 'X' | Missing npm package | bash_exec: npm install X |
+| Cannot find module './X' | Wrong import path | edit_file: fix the require/import path |
+| ENOENT: no such file | Missing config/data file | write_file: create the missing file |
+| EACCES/EPERM | Permission denied | bash_exec: chmod or fix ownership |
+| EADDRINUSE | Port conflict | bash_exec: kill process on port, or edit config |
+| SyntaxError | Bad code | edit_file: fix the syntax |
+| TypeError/ReferenceError | Logic bug | edit_file: fix the code |
+| MODULE_NOT_FOUND + node_modules | Corrupted install | bash_exec: rm -rf node_modules && npm install |
+
+ALWAYS check package.json before editing imports. If a module isn't a local file, use bash_exec to install it.
 
 Rules:
 - Read files before modifying them
 - Make minimal, targeted changes
+- Use bash_exec for operational fixes (npm install, chmod, config creation)
 - When done, call the "done" tool with a summary
 
 Project root: ${this.cwd}

package/src/agent/sub-agents.js

@@ -25,7 +25,7 @@ const { getModel } = require("../core/models");
 const AGENT_TOOL_SETS = {
   explore: ["read_file", "glob_files", "grep_code", "git_log", "git_diff", "done"],
   plan: ["read_file", "glob_files", "grep_code", "search_brain", "done"],
-  fix: ["read_file", "write_file", "edit_file", "glob_files", "grep_code", "done"],
+  fix: ["read_file", "write_file", "edit_file", "glob_files", "grep_code", "bash_exec", "done"],
   verify: ["read_file", "glob_files", "grep_code", "bash_exec", "done"],
   research: ["read_file", "grep_code", "web_fetch", "search_brain", "done"],
   security: ["read_file", "glob_files", "grep_code", "done"],
@@ -46,8 +46,8 @@ const AGENT_CONFIGS = {
 // System prompts per agent type
 const AGENT_PROMPTS = {
   explore: "You are an Explorer agent. Your job is to investigate the codebase and find files relevant to the problem. Read files, search for patterns, check git history. Report what you found — do NOT make changes.",
-  plan: "You are a Planner agent. Your job is to analyze the problem and propose a fix strategy. Read the relevant files, understand the root cause, and describe step-by-step what needs to change. Do NOT make changes.",
-  fix: "You are a Fixer agent. You receive a specific fix plan. Execute it precisely — edit only the files mentioned, make only the changes described. Use edit_file for surgical changes.",
+  plan: "You are a Planner agent. Your job is to analyze the problem and propose a fix strategy. Read the relevant files, understand the root cause, and describe step-by-step what needs to change. Consider: is this a code bug (edit files) or an operational issue (npm install, create missing config, fix permissions)? Check package.json for dependencies. Do NOT make changes.",
+  fix: "You are a Fixer agent. You receive a specific fix plan. Execute it precisely. Use edit_file for code fixes, bash_exec for operational fixes (npm install, chmod, mkdir, config creation). Not every error is a code bug — missing modules need npm install, missing files need creation, permission errors need chmod. Check package.json before editing imports.",
   verify: "You are a Verifier agent. Check if a fix actually works. Read the modified files, look for issues, run tests if available. Report whether the fix is correct.",
   research: "You are a Research agent. Search the brain for past fixes to similar errors, and search the web for solutions. Report your findings.",
   security: "You are a Security agent. Audit the code for vulnerabilities: SQL injection, XSS, path traversal, hardcoded secrets, missing input validation. Report all findings.",

package/src/backup/backup-manager.js

@@ -1,38 +1,24 @@
 const fs = require("fs");
 const path = require("path");
 const chalk = require("chalk");
+const { redact } = require("../security/secret-redactor");
 
 /**
- * Smart Backup Manager — manages versioned backups with stability tracking.
+ * Backup Manager — full server/ directory snapshots with lifecycle management.
  *
- * Backup lifecycle:
- * 1. UNSTABLE: Created when a fix is applied, before verification
- * 2. VERIFIED: The fix ran without immediately crashing (same error)
- * 3. STABLE:   The server ran successfully for STABILITY_THRESHOLD without crashing
+ * Lifecycle: UNSTABLE → VERIFIED → STABLE
+ * Every backup is a complete copy of server/ (code, configs, databases).
+ * Admins can rollback, undo rollbacks, and hot-load any backup state.
  *
- * Retention policy:
- * - Unstable backups: deleted after 7 days
- * - Verified backups: kept for 7 days, then pruned unless promoted to stable
- * - Stable backups:   after 7 days, keep only 1 per day (most recent each day)
- *
- * Storage layout:
- *   .wolverine/
- *     backups/
- *       manifest.json         — tracks all backups with metadata
- *       <timestamp>/          — one directory per backup event
- *         <filename>.bak      — the original file content
+ * Retention: unstable/verified pruned after 7 days.
+ * Stable backups older than 7 days → keep 1 per day (most recent).
  */
 
 const WOLVERINE_DIR = ".wolverine";
 const BACKUPS_DIR = path.join(WOLVERINE_DIR, "backups");
 const MANIFEST_FILE = path.join(BACKUPS_DIR, "manifest.json");
-
-// Stability threshold: how long the server must run without the same crash
-// to consider a fix "stable" (default: 30 minutes)
 const STABILITY_THRESHOLD_MS = 30 * 60 * 1000;
-
-// Retention: unstable/verified backups older than this are pruned
-const RETENTION_UNSTABLE_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+const RETENTION_MS = 7 * 24 * 60 * 60 * 1000;
 
 class BackupManager {
   constructor(projectRoot) {
@@ -44,30 +30,25 @@ class BackupManager {
   }
 
   /**
-   * Create a backup of specific files or the entire server/ directory.
-   * Returns a backupId that can be used to rollback or promote.
-   *
-   * @param {string[]|null} filePaths — specific files, or null to backup entire server/
+   * Create a full server/ backup.
+   * @param {string} reason — why this backup was created
+   * @returns {string} backupId
    */
-  createBackup(filePaths) {
+  createBackup(reason = "manual") {
     const backupId = Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 6);
     const timestamp = Date.now();
     const backupDir = path.join(this.backupsDir, backupId);
     fs.mkdirSync(backupDir, { recursive: true });
 
-    // If no specific files, backup the entire server/ directory
-    if (!filePaths || filePaths.length === 0) {
-      filePaths = this._collectServerFiles();
-    }
-
+    const filePaths = this._collectServerFiles();
     const files = [];
+
     for (const filePath of filePaths) {
       const absPath = path.isAbsolute(filePath) ? filePath : path.resolve(this.projectRoot, filePath);
       if (!fs.existsSync(absPath)) continue;
-      // Skip large files (>10MB) and binary blobs
       try {
         const stat = fs.statSync(absPath);
-        if (stat.size > 10 * 1024 * 1024) continue;
+        if (stat.size > 10 * 1024 * 1024) continue; // skip >10MB
       } catch { continue; }
 
       const relativePath = path.relative(this.projectRoot, absPath);
@@ -85,7 +66,9 @@ class BackupManager {
       id: backupId,
       timestamp,
       status: "unstable",
+      reason: redact(reason),
       files,
+      fileCount: files.length,
       errorSignature: null,
       promotedAt: null,
       verifiedAt: null,
@@ -94,22 +77,29 @@ class BackupManager {
     this.manifest.backups.push(entry);
     this._saveManifest();
 
+    console.log(chalk.gray(`  💾 Backup ${backupId} (${files.length} files) — ${reason}`));
     return backupId;
   }
 
   /**
-   * Rollback to a specific backup.
+   * Rollback to a specific backup. Creates a pre-rollback backup first.
+   * @returns {{ success, preRollbackId }}
    */
   rollbackTo(backupId) {
     const entry = this.manifest.backups.find(b => b.id === backupId);
     if (!entry) {
       console.log(chalk.red(`Backup ${backupId} not found.`));
-      return false;
+      return { success: false };
     }
 
+    // Create a pre-rollback backup so admins can undo
+    const preRollbackId = this.createBackup(`pre-rollback (before restoring ${backupId})`);
+
     let allRestored = true;
     for (const file of entry.files) {
       if (fs.existsSync(file.backup)) {
+        // Ensure parent dir exists
+        fs.mkdirSync(path.dirname(file.original), { recursive: true });
         fs.copyFileSync(file.backup, file.original);
         console.log(chalk.yellow(`  ↩️  Restored: ${file.relative}`));
       } else {
@@ -118,22 +108,64 @@ class BackupManager {
       }
     }
 
-    return allRestored;
+    // Log the rollback
+    if (!this.manifest.rollbackLog) this.manifest.rollbackLog = [];
+    this.manifest.rollbackLog.push({
+      timestamp: Date.now(),
+      restoredBackupId: backupId,
+      preRollbackBackupId: preRollbackId,
+      success: allRestored,
+    });
+    this._saveManifest();
+
+    return { success: allRestored, preRollbackId };
   }
 
   /**
-   * Rollback to the most recent backup (any status).
+   * Rollback the most recent backup.
    */
   rollbackLatest() {
-    if (this.manifest.backups.length === 0) return false;
+    if (this.manifest.backups.length === 0) return { success: false };
     const latest = this.manifest.backups[this.manifest.backups.length - 1];
-    console.log(chalk.yellow(`\n↩️  Rolling back to backup ${latest.id} (${new Date(latest.timestamp).toISOString()})...`));
+    console.log(chalk.yellow(`\n↩️  Rolling back to ${latest.id} (${new Date(latest.timestamp).toISOString()})...`));
     return this.rollbackTo(latest.id);
   }
 
   /**
-   * Mark a backup as verified (fix didn't immediately reproduce the error).
+   * Undo the last rollback — restores the pre-rollback state.
    */
+  undoRollback() {
+    if (!this.manifest.rollbackLog || this.manifest.rollbackLog.length === 0) {
+      console.log(chalk.red("No rollback to undo."));
+      return { success: false };
+    }
+    const lastRollback = this.manifest.rollbackLog[this.manifest.rollbackLog.length - 1];
+    console.log(chalk.yellow(`\n↩️  Undoing rollback — restoring pre-rollback state ${lastRollback.preRollbackBackupId}...`));
+
+    const entry = this.manifest.backups.find(b => b.id === lastRollback.preRollbackBackupId);
+    if (!entry) {
+      console.log(chalk.red("Pre-rollback backup not found."));
+      return { success: false };
+    }
+
+    let allRestored = true;
+    for (const file of entry.files) {
+      if (fs.existsSync(file.backup)) {
+        fs.mkdirSync(path.dirname(file.original), { recursive: true });
+        fs.copyFileSync(file.backup, file.original);
+      } else { allRestored = false; }
+    }
+
+    this.manifest.rollbackLog.push({
+      timestamp: Date.now(),
+      action: "undo",
+      restoredBackupId: lastRollback.preRollbackBackupId,
+      success: allRestored,
+    });
+    this._saveManifest();
+    return { success: allRestored };
+  }
+
   markVerified(backupId) {
     const entry = this.manifest.backups.find(b => b.id === backupId);
     if (entry && entry.status === "unstable") {
@@ -143,9 +175,6 @@ class BackupManager {
     }
   }
 
-  /**
-   * Mark a backup as stable (server ran for the full stability threshold).
-   */
   markStable(backupId) {
     const entry = this.manifest.backups.find(b => b.id === backupId);
     if (entry && (entry.status === "verified" || entry.status === "unstable")) {
@@ -156,163 +185,124 @@ class BackupManager {
     }
   }
 
-  /**
-   * Set the error signature on a backup (for tracking what error this fix addressed).
-   */
   setErrorSignature(backupId, signature) {
     const entry = this.manifest.backups.find(b => b.id === backupId);
-    if (entry) {
-      entry.errorSignature = signature;
-      this._saveManifest();
-    }
+    if (entry) { entry.errorSignature = signature; this._saveManifest(); }
   }
 
   /**
-   * Run the retention policy — prune old backups.
-   *
-   * Rules:
-   * 1. Unstable/verified backups older than 7 days → delete
-   * 2. Stable backups older than 7 days → keep only 1 per day (most recent each day)
-   * 3. All stable backups within 7 days → keep
+   * Shutdown backup — called on graceful server shutdown.
+   */
+  createShutdownBackup() {
+    return this.createBackup("server-shutdown");
+  }
+
+  /**
+   * Get all backups for dashboard.
+   */
+  getAll() {
+    return this.manifest.backups;
+  }
+
+  /**
+   * Get rollback log for dashboard.
+   */
+  getRollbackLog() {
+    return this.manifest.rollbackLog || [];
+  }
+
+  /**
+   * Prune old backups per retention policy.
    */
   prune() {
     const now = Date.now();
-    const cutoff = now - RETENTION_UNSTABLE_MS;
+    const cutoff = now - RETENTION_MS;
     let pruned = 0;
-
-    // Separate backups by status
     const toKeep = [];
     const stableOld = [];
 
     for (const entry of this.manifest.backups) {
       if (entry.status === "stable") {
-        if (entry.timestamp < cutoff) {
-          stableOld.push(entry);
-        } else {
-          toKeep.push(entry);
-        }
+        if (entry.timestamp < cutoff) stableOld.push(entry);
+        else toKeep.push(entry);
       } else {
-        // Unstable or verified
-        if (entry.timestamp < cutoff) {
-          this._deleteBackupFiles(entry);
-          pruned++;
-        } else {
-          toKeep.push(entry);
-        }
+        if (entry.timestamp < cutoff) { this._deleteBackupFiles(entry); pruned++; }
+        else toKeep.push(entry);
       }
     }
 
-    // For old stable backups: keep 1 per day
     if (stableOld.length > 0) {
       const byDay = new Map();
       for (const entry of stableOld) {
         const dayKey = new Date(entry.timestamp).toISOString().slice(0, 10);
-        if (!byDay.has(dayKey)) {
-          byDay.set(dayKey, []);
-        }
+        if (!byDay.has(dayKey)) byDay.set(dayKey, []);
         byDay.get(dayKey).push(entry);
       }
-
       for (const [, dayEntries] of byDay) {
-        // Sort by timestamp descending, keep the newest per day
         dayEntries.sort((a, b) => b.timestamp - a.timestamp);
-        toKeep.push(dayEntries[0]); // keep the most recent
-        for (let i = 1; i < dayEntries.length; i++) {
-          this._deleteBackupFiles(dayEntries[i]);
-          pruned++;
-        }
+        toKeep.push(dayEntries[0]);
+        for (let i = 1; i < dayEntries.length; i++) { this._deleteBackupFiles(dayEntries[i]); pruned++; }
       }
     }
 
     this.manifest.backups = toKeep;
     this._saveManifest();
-
-    if (pruned > 0) {
-      console.log(chalk.gray(`  🧹 Pruned ${pruned} old backup(s).`));
-    }
-
+    if (pruned > 0) console.log(chalk.gray(`  🧹 Pruned ${pruned} old backup(s).`));
     return pruned;
   }
 
-  /**
-   * Get summary stats for logging.
-   */
   getStats() {
     const counts = { unstable: 0, verified: 0, stable: 0 };
     for (const entry of this.manifest.backups) {
       counts[entry.status] = (counts[entry.status] || 0) + 1;
     }
-    return {
-      total: this.manifest.backups.length,
-      ...counts,
-    };
+    return { total: this.manifest.backups.length, ...counts };
   }
 
   // -- Private --
 
-  _ensureDirs() {
-    fs.mkdirSync(this.backupsDir, { recursive: true });
-  }
+  _ensureDirs() { fs.mkdirSync(this.backupsDir, { recursive: true }); }
 
   _loadManifest() {
     if (fs.existsSync(this.manifestPath)) {
-      try {
-        return JSON.parse(fs.readFileSync(this.manifestPath, "utf-8"));
-      } catch {
-        return { version: 1, backups: [] };
-      }
+      try { return JSON.parse(fs.readFileSync(this.manifestPath, "utf-8")); }
+      catch { return { version: 1, backups: [], rollbackLog: [] }; }
     }
-    return { version: 1, backups: [] };
+    return { version: 1, backups: [], rollbackLog: [] };
   }
 
   _saveManifest() {
-    fs.writeFileSync(this.manifestPath, JSON.stringify(this.manifest, null, 2), "utf-8");
+    const tmp = this.manifestPath + ".tmp";
+    fs.writeFileSync(tmp, JSON.stringify(this.manifest, null, 2), "utf-8");
+    fs.renameSync(tmp, this.manifestPath);
   }
 
   _deleteBackupFiles(entry) {
     const backupDir = path.join(this.backupsDir, entry.id);
     if (fs.existsSync(backupDir)) {
-      for (const file of fs.readdirSync(backupDir)) {
-        fs.unlinkSync(path.join(backupDir, file));
-      }
+      for (const file of fs.readdirSync(backupDir)) fs.unlinkSync(path.join(backupDir, file));
       fs.rmdirSync(backupDir);
     }
   }
 
-  /**
-   * Collect all files in the server/ directory for full backup.
-   * Includes: .js, .json, .sql, .db, .sqlite, .yaml, .yml, .env, .html, .css
-   * Excludes: node_modules, .git, large binaries
-   */
   _collectServerFiles() {
     const serverDir = path.join(this.projectRoot, "server");
     if (!fs.existsSync(serverDir)) return [];
-
     const files = [];
     const SKIP = new Set(["node_modules", ".git", ".wolverine"]);
-    const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
     const walk = (dir) => {
       let entries;
       try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
-
       for (const entry of entries) {
         if (SKIP.has(entry.name)) continue;
-
         const fullPath = path.join(dir, entry.name);
-        if (entry.isDirectory()) {
-          walk(fullPath);
-        } else {
-          try {
-            const stat = fs.statSync(fullPath);
-            if (stat.size <= MAX_FILE_SIZE) {
-              files.push(fullPath);
-            }
-          } catch {}
+        if (entry.isDirectory()) walk(fullPath);
+        else {
+          try { if (fs.statSync(fullPath).size <= 10 * 1024 * 1024) files.push(fullPath); } catch {}
         }
       }
     };
-
     walk(serverDir);
     return files;
   }