wolverine-ai 1.7.1 → 2.0.0

package/README.md

@@ -204,7 +204,7 @@ The error hook auto-patches Fastify and Express via `--require` preload. No midd
 
 ## Agent Tool Harness
 
-The AI agent has 16 built-in tools (inspired by [claw-code](https://github.com/ultraworkers/claw-code)):
+The AI agent has 18 built-in tools (inspired by [claw-code](https://github.com/ultraworkers/claw-code)):
 
 | Tool | Category | Description |
 |------|----------|-------------|
@@ -222,6 +222,8 @@ The AI agent has 16 built-in tools (inspired by [claw-code](https://github.com/u
 | `run_db_fix` | Database | UPDATE/DELETE/INSERT/ALTER on SQLite (auto-backup before write) |
 | `check_port` | Diagnostic | Check if a port is in use and by what process |
 | `check_env` | Diagnostic | Check environment variables (values auto-redacted) |
+| `audit_deps` | Deps | Full health check: vulnerabilities, outdated, peer conflicts, unused |
+| `check_migration` | Deps | Known upgrade paths (express→fastify, moment→dayjs, etc.) |
 | `web_fetch` | Research | Fetch URL content for documentation/research |
 | `done` | Control | Signal task completion with summary |
 
@@ -286,23 +288,35 @@ Secured with `WOLVERINE_ADMIN_KEY` + IP allowlist (localhost + `WOLVERINE_ADMIN_
 
 ---
 
-## 10-Model Configuration
+## 10-Model Configuration (OpenAI + Anthropic)
 
-Every AI task has its own model slot. Customize in `.env.local`:
+Every AI task has its own model slot. **Mix and match providers** — set any slot to a `claude-*` model for Anthropic or `gpt-*` for OpenAI. Provider is auto-detected from the model name.
 
-| Env Variable | Role | Needs Tools? | Cost Impact |
+```bash
+# .env.local — use Anthropic for reasoning, OpenAI for coding
+REASONING_MODEL=claude-sonnet-4-20250514
+CODING_MODEL=gpt-5.3-codex
+CHAT_MODEL=claude-haiku-4-20250414
+AUDIT_MODEL=claude-haiku-4-20250414
+```
+
+| Env Variable | Role | Needs Tools? | Example Models |
 |---|---|---|---|
-| `REASONING_MODEL` | Multi-file agent | Yes | High (agent loop) |
-| `CODING_MODEL` | Code repair/generation | Responses API | Medium-high |
-| `CHAT_MODEL` | Simple text responses | No | Low |
-| `TOOL_MODEL` | Chat with function calling | **Yes** | Medium |
-| `CLASSIFIER_MODEL` | SIMPLE/TOOLS/AGENT routing | No | ~10 tokens |
-| `AUDIT_MODEL` | Injection detection (every error) | No | Low |
-| `COMPACTING_MODEL` | Text compression for brain | No | Low |
-| `RESEARCH_MODEL` | Deep research on failures | No | High (rare) |
-| `TEXT_EMBEDDING_MODEL` | Brain vector embeddings | No | Very low |
-
-Reasoning models (`o-series`, `gpt-5-nano`) automatically get 4x token limits to accommodate chain-of-thought.
+| `REASONING_MODEL` | Multi-file agent | Yes | `claude-sonnet-4`, `gpt-5.4` |
+| `CODING_MODEL` | Code repair/generation | Yes | `claude-sonnet-4`, `gpt-5.3-codex` |
+| `CHAT_MODEL` | Simple text responses | No | `claude-haiku-4`, `gpt-5.4-mini` |
+| `TOOL_MODEL` | Chat with function calling | **Yes** | `claude-sonnet-4`, `gpt-4o-mini` |
+| `CLASSIFIER_MODEL` | SIMPLE/TOOLS/AGENT routing | No | `claude-haiku-4`, `gpt-4o-mini` |
+| `AUDIT_MODEL` | Injection detection (every error) | No | `claude-haiku-4`, `gpt-5.4-nano` |
+| `COMPACTING_MODEL` | Text compression for brain | No | `claude-haiku-4`, `gpt-5.4-nano` |
+| `RESEARCH_MODEL` | Deep research on failures | No | `claude-opus-4`, `gpt-4o` |
+| `TEXT_EMBEDDING_MODEL` | Brain vector embeddings | No | `text-embedding-3-small` (OpenAI only) |
+
+**Notes:**
+- Embeddings always use OpenAI (Anthropic doesn't have an embedding API)
+- Tools (all 18) work identically on both providers — normalized at the client level
+- Telemetry tracks usage by model AND by provider (`openai` / `anthropic`)
+- Any future model from either provider works automatically — just set the model name
 
 ---
 
@@ -492,6 +506,19 @@ Auto-discovered from `src/skills/`. Each skill exports metadata for the registry
 - **db.idempotent(key, fn)** — Database-level dedup for critical writes (payments, orders)
 - Auto-injected into agent prompts when building database features
 
+### Dependency Manager (`src/skills/deps.js`)
+- **diagnose()** — structured diagnosis of dependency errors before AI runs (zero tokens)
+- **healthReport()** — full audit: vulnerabilities, outdated, peer conflicts, unused packages, lock file, health score
+- **getMigration()** — known upgrade paths with code transformation patterns:
+
+| From | To | Why |
+|------|----|-----|
+| `express` | `fastify` | 5.6x faster, async-first, built-in validation |
+| `moment` | `dayjs` | Maintenance mode, 70KB → 2KB |
+| `request` | `node-fetch` | Deprecated since 2020 |
+| `body-parser` | built-in | Included in Express 4.16+ / Fastify |
+| callbacks | `async/await` | Cleaner error handling, no callback hell |
+
 Add new skills by creating a file in `src/skills/` with `SKILL_NAME`, `SKILL_DESCRIPTION`, `SKILL_KEYWORDS`, `SKILL_USAGE` exports.
 
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "1.7.1",
+  "version": "2.0.0",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {
@@ -55,6 +55,7 @@
     "README.md"
   ],
   "dependencies": {
+    "@anthropic-ai/sdk": "^0.82.0",
     "chalk": "^4.1.2",
     "diff": "^7.0.0",
     "dotenv": "^16.4.7",

package/src/agent/agent-engine.js

@@ -261,6 +261,33 @@ const TOOL_DEFINITIONS = [
       },
     },
   },
+  // ── DEPENDENCY MANAGEMENT ──
+  {
+    type: "function",
+    function: {
+      name: "audit_deps",
+      description: "Run a full dependency health check: npm audit (vulnerabilities), outdated packages, peer dep conflicts, unused packages, lock file status. Returns a health score and actionable fixes. Use BEFORE editing code when the error might be a dependency issue.",
+      parameters: {
+        type: "object",
+        properties: {},
+        required: [],
+      },
+    },
+  },
+  {
+    type: "function",
+    function: {
+      name: "check_migration",
+      description: "Check if a package has a known migration/upgrade path. Use when a deprecated API or old package is causing errors. Returns the recommended replacement and code transformation patterns.",
+      parameters: {
+        type: "object",
+        properties: {
+          package: { type: "string", description: "Package name to check (e.g. 'express', 'moment', 'request')" },
+        },
+        required: ["package"],
+      },
+    },
+  },
   // ── COMPLETION ──
   {
     type: "function",
@@ -352,6 +379,10 @@ DIAGNOSTICS:
 - check_port: Check if a port is in use and by what process
 - check_env: Check environment variables (values auto-redacted for security)
 
+DEPENDENCY MANAGEMENT:
+- audit_deps: Full health check (vulnerabilities, outdated, peer conflicts, unused). Use FIRST for dependency errors.
+- check_migration: Check if a package has a known upgrade path (express→fastify, moment→dayjs, etc.)
+
 RESEARCH:
 - web_fetch: Fetch a URL (docs, npm packages, error solutions)
 
@@ -365,7 +396,7 @@ RESEARCH:
 
 | Error Pattern | Category | Diagnostic Steps | Fix |
 |---|---|---|---|
-| Cannot find module 'X' | DEPENDENCY | check package.json | bash_exec: npm install X |
+| Cannot find module 'X' | DEPENDENCY | audit_deps first, check package.json | bash_exec: npm install X |
 | Cannot find module './X' | IMPORT | glob_files to find real path | edit_file: fix require path |
 | ENOENT: no such file | FILE MISSING | list_dir to check structure | write_file or move_file |
 | EACCES/EPERM | PERMISSION | bash_exec: ls -la | bash_exec: chmod 755 |
@@ -530,6 +561,8 @@ Project root: ${this.cwd}${primaryFile ? `\nPrimary crash file: ${primaryFile}`
       case "check_env":     return this._checkEnv(args);
       case "inspect_db":    return this._inspectDb(args);
       case "run_db_fix":    return this._runDbFix(args);
+      case "audit_deps":    return this._auditDeps(args);
+      case "check_migration": return this._checkMigration(args);
       case "done":          return this._done(args);
       // Legacy aliases
       case "list_files":    return this._globFiles({ pattern: (args.dir || ".") + "/*" + (args.pattern || "") });
@@ -932,6 +965,52 @@ Project root: ${this.cwd}${primaryFile ? `\nPrimary crash file: ${primaryFile}`
     } catch (e) { return { content: `DB error: ${e.message}` }; }
   }
 
+  _auditDeps() {
+    try {
+      const { healthReport } = require("../skills/deps");
+      const report = healthReport(this.cwd);
+      const { redact } = require("../security/secret-redactor");
+      const lines = [
+        `Dependency Health Score: ${report.score}/100 (${report.summary})`,
+        "",
+        `Vulnerabilities: ${report.audit.vulnerabilities} (${report.audit.critical} critical, ${report.audit.high} high, ${report.audit.moderate} moderate)`,
+        report.audit.fixes.length > 0 ? `Fix: ${report.audit.fixes.join(", ")}` : "",
+        "",
+        `Outdated: ${report.outdated.length} packages`,
+        ...report.outdated.slice(0, 10).map(p => `  ${p.name}: ${p.current} → ${p.latest}`),
+        report.outdated.length > 10 ? `  ... and ${report.outdated.length - 10} more` : "",
+        "",
+        `Peer Dependency Issues: ${report.peerDeps.length}`,
+        ...report.peerDeps.slice(0, 5).map(p => `  ${p.package}: ${p.requires}`),
+        "",
+        `Unused Packages: ${report.unused.length}`,
+        report.unused.length > 0 ? `  ${report.unused.join(", ")}` : "",
+        "",
+        `Lock File: ${report.lockFile.healthy ? "OK" : report.lockFile.issue}`,
+        report.lockFile.fix ? `  Fix: ${report.lockFile.fix}` : "",
+      ].filter(l => l !== undefined);
+      console.log(chalk.gray(`    📦 Deps audit: score ${report.score}/100, ${report.audit.vulnerabilities} vulns, ${report.outdated.length} outdated`));
+      return { content: redact(lines.join("\n")) };
+    } catch (e) { return { content: `Deps audit error: ${e.message}` }; }
+  }
+
+  _checkMigration(args) {
+    try {
+      const { getMigration } = require("../skills/deps");
+      const migration = getMigration(args.package);
+      if (!migration) return { content: `No known migration path for '${args.package}'.` };
+      const lines = [
+        `Migration: ${args.package} → ${migration.to}`,
+        `Reason: ${migration.reason}`,
+        "",
+        "Code patterns:",
+        ...migration.patterns.map(p => `  ${p.from}\n  → ${p.to}`),
+      ];
+      console.log(chalk.gray(`    📦 Migration: ${args.package} → ${migration.to}`));
+      return { content: lines.join("\n") };
+    } catch (e) { return { content: `Migration check error: ${e.message}` }; }
+  }
+
   _done(args) {
     console.log(chalk.green(`    ✅ Agent done: ${args.summary}`));
     if (this.logger) {

package/src/agent/sub-agents.js

@@ -23,9 +23,9 @@ const { getModel } = require("../core/models");
 
 // Tool restrictions per agent type (claw-code: allowed_tools_for_subagent)
 const AGENT_TOOL_SETS = {
-  explore: ["read_file", "glob_files", "grep_code", "git_log", "git_diff", "list_dir", "check_env", "check_port", "inspect_db", "done"],
-  plan: ["read_file", "glob_files", "grep_code", "list_dir", "inspect_db", "check_env", "search_brain", "done"],
-  fix: ["read_file", "write_file", "edit_file", "glob_files", "grep_code", "bash_exec", "move_file", "run_db_fix", "done"],
+  explore: ["read_file", "glob_files", "grep_code", "git_log", "git_diff", "list_dir", "check_env", "check_port", "inspect_db", "audit_deps", "done"],
+  plan: ["read_file", "glob_files", "grep_code", "list_dir", "inspect_db", "check_env", "audit_deps", "check_migration", "search_brain", "done"],
+  fix: ["read_file", "write_file", "edit_file", "glob_files", "grep_code", "bash_exec", "move_file", "run_db_fix", "audit_deps", "done"],
   verify: ["read_file", "glob_files", "grep_code", "bash_exec", "inspect_db", "check_port", "done"],
   research: ["read_file", "grep_code", "web_fetch", "search_brain", "done"],
   security: ["read_file", "glob_files", "grep_code", "inspect_db", "done"],

package/src/brain/brain.js

@@ -44,7 +44,7 @@ const SEED_DOCS = [
     metadata: { topic: "security" },
   },
   {
-    text: "Wolverine model tiers: REASONING_MODEL for deep multi-step debugging. CODING_MODEL for code repair generation. CHAT_MODEL for explanations and summaries. AUDIT_MODEL for security scans (runs every error, keep cheap). UTILITY_MODEL for JSON formatting and thought compaction. TEXT_EMBEDDING_MODEL for brain vector embeddings.",
+    text: "Wolverine supports both OpenAI and Anthropic models. Provider auto-detected from model name: claude-* → Anthropic, gpt-*/o1-*/o3-* → OpenAI. Mix and match per role: e.g., Anthropic for reasoning (claude-sonnet-4), OpenAI for coding (gpt-5.3-codex). 10 model slots: REASONING_MODEL, CODING_MODEL, CHAT_MODEL, TOOL_MODEL, CLASSIFIER_MODEL, AUDIT_MODEL, COMPACTING_MODEL, RESEARCH_MODEL, TEXT_EMBEDDING_MODEL (always OpenAI — Anthropic has no embeddings). Configure in .env.local or settings.json. Tools work identically on both providers — ai-client.js normalizes all responses to same {content, toolCalls, usage} shape. Telemetry tracks usage byModel AND byProvider (openai/anthropic) automatically.",
     metadata: { topic: "model-config" },
   },
   {
@@ -228,9 +228,13 @@ const SEED_DOCS = [
     metadata: { topic: "idempotency" },
   },
   {
-    text: "Heal pipeline no longer requires a file path. When no file is identified from the error (database errors, config problems, port conflicts), the pipeline skips fast path and goes straight to the agent, which uses investigation tools (glob_files, grep_code, list_dir, inspect_db, check_env, check_port) to find the root cause. Agent verification for no-file errors: if agent made changes or ran commands, trust the agent's assessment. For file-based errors, verification uses syntax check + boot probe as before.",
+    text: "Heal pipeline no longer requires a file path. When no file is identified from the error (database errors, config problems, port conflicts), the pipeline skips fast path and goes straight to the agent, which uses investigation tools (glob_files, grep_code, list_dir, inspect_db, check_env, check_port, audit_deps) to find the root cause. Agent verification for no-file errors: if agent made changes or ran commands, trust the agent's assessment. For file-based errors, verification uses syntax check + boot probe + route probe as before.",
     metadata: { topic: "fileless-heal" },
   },
+  {
+    text: "Dependency manager skill (src/skills/deps.js): structured npm dependency analysis + repair. diagnose(errorMessage, cwd) returns {diagnosed, category, summary, fixes} — categories: missing_install, missing_package, version_conflict, outdated_api, corrupted_modules. healthReport(cwd) returns full health check: npm audit (vulnerabilities), outdated packages, peer dep conflicts, unused packages, lock file status, health score 0-100. getMigration(packageName) returns known upgrade paths: express→fastify (5.6x faster), moment→dayjs (2KB vs 70KB), request→node-fetch (deprecated), body-parser→built-in, callbacks→async/await. Agent tools: audit_deps (full health check), check_migration (upgrade paths). Heal pipeline uses diagnose() in tryOperationalFix before AI — zero tokens for dependency issues.",
+    metadata: { topic: "skill-deps" },
+  },
 ];
 
 class Brain {

package/src/brain/embedder.js

@@ -1,4 +1,4 @@
-const { getClient, aiCall } = require("../core/ai-client");
+const { getClient, aiCall, detectProvider } = require("../core/ai-client");
 const { getModel } = require("../core/models");
 
 /**
@@ -41,7 +41,8 @@ async function embed(text) {
   const cached = _cacheGet(text);
   if (cached) return cached;
 
-  const openai = getClient();
+  // Embeddings always use OpenAI (Anthropic doesn't have an embedding API)
+  const openai = getClient("openai");
   const model = getModel("embedding");
 
   const response = await openai.embeddings.create({
@@ -78,7 +79,8 @@ async function embedBatch(texts) {
 
   if (uncached.length === 0) return results;
 
-  const openai = getClient();
+  // Embeddings always use OpenAI (Anthropic doesn't have an embedding API)
+  const openai = getClient("openai");
   const model = getModel("embedding");
 
   const response = await openai.embeddings.create({