wolverine-ai 3.7.1 → 3.7.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "3.7.1",
+  "version": "3.7.3",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {

package/src/core/runner.js

@@ -558,6 +558,7 @@ class WolverineRunner {
         this._healInProgress = false;
         this._healStatus = null;
         this._spawn();
+        this._processPendingErrorHeal();
       } else {
         console.log(chalk.red(`\n🐺 Wolverine could not heal: ${result.explanation}`));
 
@@ -609,7 +610,13 @@ class WolverineRunner {
    * Unlike crash healing, the server is still running — we heal and restart.
    */
   async _healFromError(routePath, errorDetails) {
-    if (this._healInProgress || this._shuttingDown) return;
+    if (this._shuttingDown) return;
+    if (this._healInProgress) {
+      // Queue the error — process after current heal finishes
+      this._pendingErrorHeal = { routePath, errorDetails };
+      console.log(chalk.yellow(`  🔄 Heal in progress — queued IPC error on ${routePath} for after current heal`));
+      return;
+    }
     this._healInProgress = true;
 
     console.log(chalk.yellow(`\n🐺 Wolverine healing caught error on ${routePath}...`));
@@ -693,6 +700,16 @@ class WolverineRunner {
     }
   }
 
+  _processPendingErrorHeal() {
+    if (this._pendingErrorHeal) {
+      const { routePath, errorDetails } = this._pendingErrorHeal;
+      this._pendingErrorHeal = null;
+      console.log(chalk.yellow(`  🔄 Processing queued IPC error on ${routePath}`));
+      // Small delay to let the new child process start
+      setTimeout(() => this._healFromError(routePath, errorDetails), 2000);
+    }
+  }
+
   _startStabilityTimer() {
     this._clearStabilityTimer();
     // Capture backup ID in closure — prevents race where a new heal overwrites _lastBackupId

package/src/security/injection-detector.js

@@ -98,13 +98,31 @@ Respond with ONLY valid JSON:
     category: "audit",
   });
 
-  const content = result.content;
-  const cleaned = content.replace(/^```(?:json)?\n?/, "").replace(/\n?```$/, "");
+  const content = (result.content || "").trim();
+  // Strip markdown code blocks, thinking tags, and any prefix text
+  let cleaned = content
+    .replace(/^```(?:json)?\s*/gm, "")
+    .replace(/```\s*$/gm, "")
+    .replace(/<\|channel>.*?<channel\|>/gs, "") // Gemma thinking tags
+    .replace(/<\|think\|>[\s\S]*?<\|\/think\|>/g, "") // thinking blocks
+    .trim();
+
+  // Extract JSON object from response (might have text before/after)
+  const jsonMatch = cleaned.match(/\{[\s\S]*"safe"\s*:\s*(true|false)[\s\S]*\}/);
+  if (jsonMatch) cleaned = jsonMatch[0];
 
   try {
-    return JSON.parse(cleaned);
+    const parsed = JSON.parse(cleaned);
+    return parsed;
   } catch {
-    return { safe: false, risk_level: "medium", explanation: "Could not parse safety scan response" };
+    // If the response contains "safe" as text, infer the result
+    if (/\bsafe\b.*\btrue\b/i.test(content) || /\bnone\b.*\brisk/i.test(content)) {
+      return { safe: true, risk_level: "none", explanation: "Inferred safe from unparseable response" };
+    }
+    // Default to SAFE for parse failures — blocking heals on bad JSON is worse than allowing a safe error through
+    // The regex layer already caught obvious injection patterns
+    console.log(chalk.yellow(`  ⚠️  AI audit: could not parse response, defaulting to safe`));
+    return { safe: true, risk_level: "none", explanation: "Could not parse safety scan — defaulting safe (regex layer passed)" };
   }
 }