wolverine-ai 4.3.1 → 4.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "4.3.1",
+  "version": "4.5.0",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {

package/src/agent/agent-engine.js

@@ -358,6 +358,90 @@ const TOOL_DEFINITIONS = [
       },
     },
   },
+  // ── ADVANCED DIAGNOSTICS ──
+  {
+    type: "function",
+    function: {
+      name: "verify_node_modules",
+      description: "Verify node_modules integrity against package-lock.json. Detects corruption, missing packages, broken bin links.",
+      parameters: { type: "object", properties: {}, required: [] },
+    },
+  },
+  {
+    type: "function",
+    function: {
+      name: "inspect_certificate",
+      description: "Inspect SSL/TLS certificate for a host or local file. Shows expiry, subject, SAN list, chain validity.",
+      parameters: {
+        type: "object",
+        properties: {
+          host: { type: "string", description: "Hostname to check (e.g. api.example.com)" },
+          port: { type: "number", description: "Port (default: 443)" },
+        },
+        required: ["host"],
+      },
+    },
+  },
+  {
+    type: "function",
+    function: {
+      name: "inspect_cache",
+      description: "Check Redis/cache server health: connectivity, auth, memory usage, connected clients.",
+      parameters: {
+        type: "object",
+        properties: {
+          host: { type: "string", description: "Redis host (default: 127.0.0.1)" },
+          port: { type: "number", description: "Redis port (default: 6379)" },
+        },
+        required: [],
+      },
+    },
+  },
+  {
+    type: "function",
+    function: {
+      name: "disk_cleanup",
+      description: "Find and optionally clean safe-to-delete files (old backups, caches, logs) to free disk space. Dry run by default.",
+      parameters: {
+        type: "object",
+        properties: {
+          dry_run: { type: "boolean", description: "If true (default), only report what would be cleaned" },
+        },
+        required: [],
+      },
+    },
+  },
+  {
+    type: "function",
+    function: {
+      name: "check_file_descriptors",
+      description: "Check open file descriptor count, limits, and identify potential FD leaks (EMFILE prevention).",
+      parameters: { type: "object", properties: {}, required: [] },
+    },
+  },
+  {
+    type: "function",
+    function: {
+      name: "check_event_loop",
+      description: "Scan server code for event loop blocking patterns (readFileSync, execSync, large JSON.parse) and check active handles.",
+      parameters: { type: "object", properties: {}, required: [] },
+    },
+  },
+  {
+    type: "function",
+    function: {
+      name: "check_websocket",
+      description: "Test a WebSocket endpoint by performing a real handshake. Reports connection success, upgrade status, latency.",
+      parameters: {
+        type: "object",
+        properties: {
+          url: { type: "string", description: "WebSocket URL (ws:// or wss://)" },
+          timeout_ms: { type: "number", description: "Connection timeout (default: 5000)" },
+        },
+        required: ["url"],
+      },
+    },
+  },
   // ── TASK MANAGEMENT ──
   {
     type: "function",
@@ -645,6 +729,13 @@ class AgentEngine {
       case "restart_service": return this._restartService(args);
       case "check_network": return this._checkNetwork(args);
       case "inspect_env":   return this._inspectEnv(args);
+      case "verify_node_modules": return this._verifyNodeModules(args);
+      case "inspect_certificate": return this._inspectCertificate(args);
+      case "inspect_cache": return this._inspectCache(args);
+      case "disk_cleanup":  return this._diskCleanup(args);
+      case "check_file_descriptors": return this._checkFileDescriptors(args);
+      case "check_event_loop": return this._checkEventLoop(args);
+      case "check_websocket": return this._checkWebsocket(args);
       case "done":          return this._done(args);
       // Legacy aliases
       case "list_files":    return this._globFiles({ pattern: (args.dir || ".") + "/*" + (args.pattern || "") });
@@ -1244,6 +1335,268 @@ class AgentEngine {
     return { content: lines.join("\n") };
   }
 
+  // ── ADVANCED DIAGNOSTICS ──
+
+  _verifyNodeModules() {
+    try {
+      const lockPath = path.join(this.cwd, "package-lock.json");
+      const pkgPath = path.join(this.cwd, "package.json");
+      if (!fs.existsSync(lockPath)) return { content: "No package-lock.json found. Run: npm install" };
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+      const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+      const missing = [];
+      const broken = [];
+      for (const [name] of Object.entries(deps)) {
+        const modPath = path.join(this.cwd, "node_modules", name);
+        if (!fs.existsSync(modPath)) { missing.push(name); continue; }
+        const modPkg = path.join(modPath, "package.json");
+        if (!fs.existsSync(modPkg)) { broken.push(name + " (no package.json)"); continue; }
+      }
+      // Check .bin links
+      const binDir = path.join(this.cwd, "node_modules", ".bin");
+      let brokenBins = 0;
+      if (fs.existsSync(binDir)) {
+        for (const bin of fs.readdirSync(binDir)) {
+          const target = path.join(binDir, bin);
+          try { fs.readlinkSync(target); } catch { brokenBins++; }
+        }
+      }
+      const rec = missing.length > 5 || broken.length > 3 ? "rm -rf node_modules && npm install" : missing.length > 0 ? "npm install" : "ok";
+      const lines = [
+        `Dependencies: ${Object.keys(deps).length}`,
+        `Missing from disk: ${missing.length > 0 ? missing.join(", ") : "none"}`,
+        `Broken packages: ${broken.length > 0 ? broken.join(", ") : "none"}`,
+        `Broken .bin links: ${brokenBins}`,
+        `Recommendation: ${rec}`,
+      ];
+      return { content: lines.join("\n") };
+    } catch (e) { return { content: `Error: ${e.message}` }; }
+  }
+
+  _inspectCertificate(args) {
+    try {
+      const tls = require("tls");
+      const host = args.host;
+      const port = args.port || 443;
+      return new Promise((resolve) => {
+        const socket = tls.connect({ host, port, servername: host, rejectUnauthorized: false, timeout: 5000 }, () => {
+          const cert = socket.getPeerCertificate();
+          const validTo = new Date(cert.valid_to);
+          const daysLeft = Math.round((validTo - Date.now()) / 86400000);
+          const lines = [
+            `Subject: ${cert.subject?.CN || "unknown"}`,
+            `Issuer: ${cert.issuer?.O || cert.issuer?.CN || "unknown"}`,
+            `Valid: ${cert.valid_from} → ${cert.valid_to}`,
+            `Days until expiry: ${daysLeft}${daysLeft < 30 ? " ⚠️ EXPIRING SOON" : daysLeft < 0 ? " ❌ EXPIRED" : ""}`,
+            `SAN: ${(cert.subjectaltname || "").replace(/DNS:/g, "").split(",").map(s => s.trim()).join(", ") || "none"}`,
+            `Self-signed: ${cert.issuer?.CN === cert.subject?.CN ? "yes" : "no"}`,
+            `Authorized: ${socket.authorized}`,
+            socket.authorizationError ? `TLS error: ${socket.authorizationError}` : "",
+          ].filter(Boolean);
+          socket.destroy();
+          resolve({ content: lines.join("\n") });
+        });
+        socket.on("error", (e) => { resolve({ content: `TLS error for ${host}:${port}: ${e.message}` }); });
+        socket.setTimeout(5000, () => { socket.destroy(); resolve({ content: `Timeout connecting to ${host}:${port}` }); });
+      });
+    } catch (e) { return { content: `Error: ${e.message}` }; }
+  }
+
+  _inspectCache(args) {
+    try {
+      const host = args.host || "127.0.0.1";
+      const port = args.port || 6379;
+      const net = require("net");
+      return new Promise((resolve) => {
+        const client = net.createConnection({ host, port, timeout: 3000 }, () => {
+          let buf = "";
+          client.on("data", (d) => { buf += d.toString(); });
+          client.write("PING\r\nINFO memory\r\nINFO clients\r\nINFO keyspace\r\n");
+          setTimeout(() => {
+            client.destroy();
+            const pong = buf.includes("+PONG");
+            const memMatch = buf.match(/used_memory_human:(\S+)/);
+            const clientMatch = buf.match(/connected_clients:(\d+)/);
+            const lines = [
+              `Reachable: ${pong ? "yes" : "no"}`,
+              `Auth required: ${buf.includes("NOAUTH") ? "yes (failed)" : "no"}`,
+              `Memory: ${memMatch ? memMatch[1] : "unknown"}`,
+              `Connected clients: ${clientMatch ? clientMatch[1] : "unknown"}`,
+            ];
+            resolve({ content: lines.join("\n") });
+          }, 1500);
+        });
+        client.on("error", (e) => { resolve({ content: `Redis ${host}:${port} error: ${e.message}` }); });
+        client.setTimeout(3000, () => { client.destroy(); resolve({ content: `Redis ${host}:${port} timeout` }); });
+      });
+    } catch (e) { return { content: `Error: ${e.message}` }; }
+  }
+
+  _diskCleanup(args) {
+    try {
+      const dryRun = args.dry_run !== false;
+      const os = require("os");
+      const targets = [];
+      let reclaimable = 0;
+      // Old wolverine backups
+      const backupDir = path.join(os.homedir(), ".wolverine-safe-backups", "snapshots");
+      if (fs.existsSync(backupDir)) {
+        const now = Date.now();
+        for (const dir of fs.readdirSync(backupDir)) {
+          const full = path.join(backupDir, dir);
+          try {
+            const stat = fs.statSync(full);
+            const ageDays = (now - stat.mtimeMs) / 86400000;
+            if (ageDays > 7 && stat.isDirectory()) {
+              let size = 0;
+              const walk = (d) => { for (const f of fs.readdirSync(d)) { const p = path.join(d, f); const s = fs.statSync(p); if (s.isDirectory()) walk(p); else size += s.size; } };
+              walk(full);
+              const mb = Math.round(size / 1048576);
+              targets.push({ path: `~/.wolverine-safe-backups/snapshots/${dir}`, size_mb: mb, reason: `${Math.round(ageDays)}d old backup` });
+              reclaimable += mb;
+            }
+          } catch {}
+        }
+      }
+      // npm cache
+      const cacheDir = path.join(this.cwd, "node_modules", ".cache");
+      if (fs.existsSync(cacheDir)) {
+        try {
+          let size = 0;
+          const walk = (d) => { for (const f of fs.readdirSync(d)) { const p = path.join(d, f); try { const s = fs.statSync(p); if (s.isDirectory()) walk(p); else size += s.size; } catch {} } };
+          walk(cacheDir);
+          const mb = Math.round(size / 1048576);
+          if (mb > 1) { targets.push({ path: "node_modules/.cache/", size_mb: mb, reason: "build cache" }); reclaimable += mb; }
+        } catch {}
+      }
+      // Clean if not dry run
+      if (!dryRun && targets.length > 0) {
+        for (const t of targets) {
+          try { execSync(`rm -rf "${t.path.replace("~", os.homedir())}"`, { timeout: 10000 }); } catch {}
+        }
+      }
+      const diskFree = Math.round(parseInt(execSync("df -m . | tail -1 | awk '{print $4}'", { encoding: "utf-8", cwd: this.cwd, timeout: 3000 }).trim() || "0", 10));
+      const lines = [
+        `Disk free: ${diskFree}MB`,
+        `Reclaimable: ${reclaimable}MB (${targets.length} targets)`,
+        dryRun ? "Mode: DRY RUN (pass dry_run=false to clean)" : `Cleaned ${targets.length} targets`,
+        ...targets.map(t => `  ${t.path} (${t.size_mb}MB) — ${t.reason}`),
+      ];
+      return { content: lines.join("\n") };
+    } catch (e) { return { content: `Error: ${e.message}` }; }
+  }
+
+  _checkFileDescriptors() {
+    try {
+      if (process.platform === "win32") return { content: "FD check not available on Windows" };
+      const pid = process.pid;
+      const fdDir = `/proc/${pid}/fd`;
+      let count = 0;
+      try { count = fs.readdirSync(fdDir).length; } catch {}
+      let limits = "";
+      try { limits = execSync(`cat /proc/${pid}/limits | grep 'open files'`, { encoding: "utf-8", timeout: 3000 }).trim(); } catch {}
+      const softMatch = limits.match(/(\d+)\s+(\d+)/);
+      const soft = softMatch ? parseInt(softMatch[1]) : 0;
+      const hard = softMatch ? parseInt(softMatch[2]) : 0;
+      const pct = soft > 0 ? Math.round(count / soft * 100) : 0;
+      const lines = [
+        `Open FDs: ${count}`,
+        `Soft limit: ${soft}`,
+        `Hard limit: ${hard}`,
+        `Usage: ${pct}%${pct > 80 ? " ⚠️ HIGH — risk of EMFILE" : pct > 50 ? " — moderate" : " — ok"}`,
+      ];
+      // Find top consumers
+      try {
+        const top = execSync(`ls -la /proc/${pid}/fd 2>/dev/null | tail -20 | awk '{print $NF}' | sort | uniq -c | sort -rn | head -10`, { encoding: "utf-8", timeout: 3000 }).trim();
+        if (top) lines.push("Top FD targets:", top);
+      } catch {}
+      return { content: lines.join("\n") };
+    } catch (e) { return { content: `Error: ${e.message}` }; }
+  }
+
+  _checkEventLoop() {
+    try {
+      // Static analysis: find blocking patterns in server code
+      const patterns = [
+        { regex: /readFileSync\s*\(/g, name: "fs.readFileSync" },
+        { regex: /writeFileSync\s*\(/g, name: "fs.writeFileSync" },
+        { regex: /execSync\s*\(/g, name: "child_process.execSync" },
+        { regex: /pbkdf2Sync\s*\(/g, name: "crypto.pbkdf2Sync" },
+        { regex: /JSON\.parse\s*\(\s*fs\./g, name: "JSON.parse(fs.read...)" },
+        { regex: /\.forEach\s*\(\s*(async\s*)?\(/g, name: "forEach (blocks with async)" },
+      ];
+      const serverDir = path.join(this.cwd, "server");
+      const findings = [];
+      const walk = (dir) => {
+        if (!fs.existsSync(dir)) return;
+        for (const f of fs.readdirSync(dir)) {
+          if (f === "node_modules" || f.startsWith(".")) continue;
+          const full = path.join(dir, f);
+          const stat = fs.statSync(full);
+          if (stat.isDirectory()) { walk(full); continue; }
+          if (!f.endsWith(".js")) continue;
+          const code = fs.readFileSync(full, "utf-8");
+          for (const p of patterns) {
+            const matches = code.match(p.regex);
+            if (matches) {
+              findings.push(`${path.relative(this.cwd, full)}: ${matches.length}x ${p.name}`);
+            }
+          }
+        }
+      };
+      walk(serverDir);
+      const handles = process._getActiveHandles?.()?.length || "unknown";
+      const requests = process._getActiveRequests?.()?.length || "unknown";
+      const lines = [
+        `Active handles: ${handles}`,
+        `Active requests: ${requests}`,
+        findings.length > 0 ? `\nBlocking patterns found (${findings.length}):` : "No blocking patterns found in server/",
+        ...findings.slice(0, 20),
+      ];
+      return { content: lines.join("\n") };
+    } catch (e) { return { content: `Error: ${e.message}` }; }
+  }
+
+  _checkWebsocket(args) {
+    try {
+      const url = args.url;
+      const timeout = args.timeout_ms || 5000;
+      const urlObj = new (require("url").URL)(url);
+      const isSecure = urlObj.protocol === "wss:";
+      const client = isSecure ? require("https") : require("http");
+      return new Promise((resolve) => {
+        const req = client.request({
+          hostname: urlObj.hostname,
+          port: urlObj.port || (isSecure ? 443 : 80),
+          path: urlObj.pathname + urlObj.search,
+          method: "GET",
+          headers: {
+            "Upgrade": "websocket",
+            "Connection": "Upgrade",
+            "Sec-WebSocket-Key": require("crypto").randomBytes(16).toString("base64"),
+            "Sec-WebSocket-Version": "13",
+          },
+          timeout,
+        }, (res) => {
+          resolve({ content: `HTTP ${res.statusCode} (expected 101 for WS upgrade)\nHeaders: ${JSON.stringify(res.headers, null, 2).slice(0, 500)}` });
+          res.resume();
+        });
+        req.on("upgrade", (res, socket) => {
+          const lines = [
+            `WebSocket upgrade: SUCCESS (101)`,
+            `Protocol: ${res.headers["sec-websocket-protocol"] || "none"}`,
+            `Latency: connected`,
+          ];
+          socket.destroy();
+          resolve({ content: lines.join("\n") });
+        });
+        req.on("error", (e) => { resolve({ content: `WebSocket error for ${url}: ${e.message}` }); });
+        req.on("timeout", () => { req.destroy(); resolve({ content: `WebSocket timeout for ${url} (${timeout}ms)` }); });
+        req.end();
+      });
+    } catch (e) { return { content: `Error: ${e.message}` }; }
+  }
+
   _done(args) {
     console.log(chalk.green(`    ✅ Agent done: ${args.summary}`));
     if (this.logger) {

package/src/brain/brain.js

@@ -66,7 +66,7 @@ const SEED_DOCS = [
     metadata: { topic: "verification" },
   },
   {
-    text: "Wolverine multi-file agent: turn-limited agent loop with 24 tools across 8 categories. Turn budget adapts to error type: simple (TypeError)=4, config/ENOENT=5, complex=8. Each AI call has 90s timeout via Promise.race. FILE: read_file, write_file, edit_file, glob_files, grep_code, list_dir, move_file. SHELL: bash_exec (30s default, 60s cap), git_log, git_diff. DATABASE: inspect_db (tables/schema/SELECT on SQLite), run_db_fix (UPDATE/DELETE/ALTER with auto-backup). DIAGNOSTICS: check_port, check_env, check_memory (RSS/heap/system with OOM detection), list_processes (find zombie/orphan node processes), check_logs (read recent journalctl/log file), check_network (DNS/port/URL reachability), inspect_env (list env var names without values, check if required vars exist). SERVER: restart_service (request graceful restart after fix). DEPS: audit_deps, check_migration. RESEARCH: web_fetch. CONTROL: done.",
+    text: "Wolverine multi-file agent: turn-limited agent loop with 31 tools across 9 categories. Turn budget: simple=4, config=5, complex=8. 90s/call timeout. FILE (7): read_file, write_file, edit_file, glob_files, grep_code, list_dir, move_file. SHELL (3): bash_exec, git_log, git_diff. DATABASE (2): inspect_db, run_db_fix. DIAGNOSTICS (7): check_port, check_env, check_memory, list_processes, check_logs, check_network, inspect_env. SERVER (1): restart_service. DEPS (2): audit_deps, check_migration. RESEARCH (1): web_fetch. ADVANCED (7): verify_node_modules (integrity check — detects corruption, missing pkgs, broken .bin links), inspect_certificate (TLS cert expiry/SAN/chain for SSL errors), inspect_cache (Redis health — PING, memory, clients), disk_cleanup (safe cleanup of old backups/caches for ENOSPC), check_file_descriptors (FD count/limits for EMFILE), check_event_loop (scan for blocking patterns — readFileSync/execSync/pbkdf2Sync), check_websocket (WS handshake test). CONTROL (1): done.",
     metadata: { topic: "agent" },
   },
   {
@@ -118,7 +118,7 @@ const SEED_DOCS = [
     metadata: { topic: "heal-escalation" },
   },
   {
-    text: "Process manager: wolverine monitors memory (RSS/heap) every 10s, detects memory leaks (N consecutive growth samples → auto-restart), enforces memory limit (default 512MB), tracks CPU%, probes all routes every 30s, detects response time degradation trends (stable/degrading/improving). Analytics dashboard shows memory/CPU charts and per-route health.",
+    text: "Process manager: wolverine monitors memory (RSS/heap) every 10s, detects memory leaks (N consecutive growth samples → auto-restart), enforces memory limit (default 512MB), tracks CPU%, probes all routes every 30s, detects response time degradation trends (stable/degrading/improving). Adaptive rate limiter: auto-injected via error-hook.js into Fastify/Express. Three zones based on CPU + memory: GREEN (<70%) = full throughput, YELLOW (70-85%) = shed 30% of requests, RED (>85%) = reject non-essential with 503 + Retry-After. Always allows health checks and wolverine internal routes. Reserves 200MB for heal tools. Enable: WOLVERINE_ADAPTIVE_LIMIT=true (default). Disable: WOLVERINE_ADAPTIVE_LIMIT=false. Response includes X-Wolverine-Zone header.",
     metadata: { topic: "process-manager" },
   },
   {

package/src/core/error-hook.js

@@ -72,6 +72,28 @@ Module._load = function (request, parent, isMain) {
 };
 
 function _hookFastify(fastify) {
+  // Adaptive rate limiter — auto-protects based on CPU/memory pressure
+  if (process.env.WOLVERINE_ADAPTIVE_LIMIT !== "false") {
+    try {
+      const { getLimiter } = require("../monitor/adaptive-limiter");
+      const limiter = getLimiter();
+      fastify.addHook("onRequest", function (request, reply, done) {
+        if (!limiter.shouldAllow(request.url, request.headers)) {
+          const status = limiter.getStatus();
+          reply.code(503).header("Retry-After", "5").header("X-Wolverine-Zone", status.zone).send({
+            error: "Service temporarily unavailable",
+            zone: status.zone,
+            cpu: status.cpuAvg + "%",
+            memory: status.memAvg + "%",
+            retry_after: 5,
+          });
+          return;
+        }
+        done();
+      });
+    } catch {}
+  }
+
   // Wrap setErrorHandler so our IPC reporting runs BEFORE the user's handler
   const origSetError = fastify.setErrorHandler;
   let customErrorHandlerSet = false;
@@ -107,6 +129,24 @@ function _hookFastify(fastify) {
 }
 
 function _hookExpress(app) {
+  // Adaptive rate limiter for Express
+  if (process.env.WOLVERINE_ADAPTIVE_LIMIT !== "false") {
+    try {
+      const { getLimiter } = require("../monitor/adaptive-limiter");
+      const limiter = getLimiter();
+      app.use(function _wolverineAdaptiveLimiter(req, res, next) {
+        if (!limiter.shouldAllow(req.url, req.headers)) {
+          const status = limiter.getStatus();
+          res.status(503).set("Retry-After", "5").set("X-Wolverine-Zone", status.zone).json({
+            error: "Service temporarily unavailable", zone: status.zone, retry_after: 5,
+          });
+          return;
+        }
+        next();
+      });
+    } catch {}
+  }
+
   // Wrap app.listen to inject error middleware AFTER all user middleware
   const originalListen = app.listen;
   app.listen = function (...args) {

package/src/core/error-parser.js

@@ -120,6 +120,22 @@ function classifyError(errorMessage, fullStderr) {
   if (/typeerror|referenceerror|rangeerror/.test(msg)) {
     return "runtime";
   }
+  // Disk full
+  if (/enospc/.test(msg)) {
+    return "disk_full";
+  }
+  // Too many open files
+  if (/emfile|enfile/.test(msg)) {
+    return "file_descriptors";
+  }
+  // Connection issues (DB, Redis, external services)
+  if (/econnrefused|econnreset|etimedout/.test(msg) && !/eaddrinuse/.test(msg)) {
+    return "connection";
+  }
+  // TLS/SSL certificate errors
+  if (/cert_|certificate|self.signed|unable_to_verify/.test(msg)) {
+    return "certificate";
+  }
   return "unknown";
 }
 

package/src/core/wolverine.js

@@ -654,6 +654,44 @@ async function tryOperationalFix(parsed, cwd, logger, sandbox) {
     }
   }
 
+  // Pattern 5: ENOSPC — disk full, try automated cleanup
+  if (/ENOSPC/.test(msg)) {
+    try {
+      const os = require("os");
+      const backupDir = path.join(os.homedir(), ".wolverine-safe-backups", "snapshots");
+      let cleaned = 0;
+      if (fs.existsSync(backupDir)) {
+        const now = Date.now();
+        for (const dir of fs.readdirSync(backupDir)) {
+          const full = path.join(backupDir, dir);
+          try {
+            const stat = fs.statSync(full);
+            if (stat.isDirectory() && (now - stat.mtimeMs) > 7 * 86400000) {
+              execSync(`rm -rf "${full}"`, { timeout: 10000 });
+              cleaned++;
+            }
+          } catch {}
+        }
+      }
+      try { execSync("npm cache clean --force", { cwd, stdio: "pipe", timeout: 30000 }); cleaned++; } catch {}
+      if (cleaned > 0) {
+        console.log(chalk.blue(`  🧹 Cleaned ${cleaned} items to free disk space`));
+        return { fixed: true, action: `Disk full — cleaned ${cleaned} old backups/caches to free space` };
+      }
+    } catch {}
+  }
+
+  // Pattern 6: EMFILE — too many open files, try raising ulimit
+  if (/EMFILE|ENFILE/.test(msg)) {
+    try {
+      if (process.platform !== "win32") {
+        execSync("ulimit -n 65536 2>/dev/null || true", { cwd, stdio: "pipe", timeout: 3000 });
+        console.log(chalk.blue("  📂 Raised file descriptor limit to 65536"));
+        return { fixed: true, action: "EMFILE — raised file descriptor limit (ulimit -n 65536)" };
+      }
+    } catch {}
+  }
+
   return { fixed: false };
 }
 

package/src/monitor/adaptive-limiter.js

@@ -0,0 +1,142 @@
+const os = require("os");
+
+/**
+ * Adaptive Rate Limiter — auto-protects server based on system resources.
+ *
+ * Injected into child server via error-hook.js. Monitors CPU and memory
+ * in real-time and throttles incoming requests when the server is under
+ * pressure, reserving ~20% headroom for wolverine's heal tools.
+ *
+ * Three zones:
+ *   GREEN  (< 70% resources) — no limiting, full throughput
+ *   YELLOW (70-85%)          — shed new connections gradually
+ *   RED    (> 85%)           — reject non-essential requests with 503
+ *
+ * Enable: WOLVERINE_ADAPTIVE_LIMIT=true (or settings.json adaptiveLimiter.enabled)
+ * Disable: WOLVERINE_ADAPTIVE_LIMIT=false (default: enabled)
+ *
+ * The limiter NEVER blocks:
+ *   - Health check routes (/health, /healthz, /ready)
+ *   - Wolverine internal routes (/api/v1/heartbeat, /api/v1/register)
+ *   - Requests with X-Wolverine-Internal header
+ */
+
+const SAMPLE_INTERVAL_MS = 5000;
+const HISTORY_SIZE = 12; // 1 minute of samples at 5s intervals
+const EXEMPT_PATHS = new Set(["/health", "/healthz", "/ready", "/api/v1/heartbeat", "/api/v1/register"]);
+
+class AdaptiveLimiter {
+  constructor(opts = {}) {
+    this.enabled = opts.enabled !== false;
+    this.thresholdYellow = opts.thresholdYellow || 70; // % — start shedding
+    this.thresholdRed = opts.thresholdRed || 85;       // % — reject non-essential
+    this.reserveMB = opts.reserveMB || 200;             // MB reserved for wolverine tools
+
+    this._cpuHistory = [];
+    this._memHistory = [];
+    this._lastCpuTimes = os.cpus().map(c => ({ idle: c.times.idle, total: Object.values(c.times).reduce((a, b) => a + b) }));
+    this._zone = "green";
+    this._requestCount = 0;
+    this._rejectedCount = 0;
+    this._timer = null;
+
+    if (this.enabled) {
+      this._timer = setInterval(() => this._sample(), SAMPLE_INTERVAL_MS);
+      this._timer.unref(); // don't prevent process exit
+    }
+  }
+
+  _sample() {
+    // CPU usage
+    const cpus = os.cpus();
+    let totalIdle = 0, totalTick = 0;
+    for (let i = 0; i < cpus.length; i++) {
+      const prev = this._lastCpuTimes[i] || { idle: 0, total: 0 };
+      const total = Object.values(cpus[i].times).reduce((a, b) => a + b);
+      const idle = cpus[i].times.idle;
+      totalIdle += idle - prev.idle;
+      totalTick += total - prev.total;
+      this._lastCpuTimes[i] = { idle, total };
+    }
+    const cpuPct = totalTick > 0 ? Math.round((1 - totalIdle / totalTick) * 100) : 0;
+
+    // Memory usage (% of total, accounting for reserve)
+    const totalMem = os.totalmem();
+    const freeMem = os.freemem();
+    const reserveBytes = this.reserveMB * 1048576;
+    const effectiveFree = Math.max(0, freeMem - reserveBytes);
+    const memPct = Math.round((1 - effectiveFree / totalMem) * 100);
+
+    this._cpuHistory.push(cpuPct);
+    this._memHistory.push(memPct);
+    if (this._cpuHistory.length > HISTORY_SIZE) this._cpuHistory.shift();
+    if (this._memHistory.length > HISTORY_SIZE) this._memHistory.shift();
+
+    // Use max of CPU and memory pressure
+    const avgCpu = this._cpuHistory.reduce((a, b) => a + b, 0) / this._cpuHistory.length;
+    const avgMem = this._memHistory.reduce((a, b) => a + b, 0) / this._memHistory.length;
+    const pressure = Math.max(avgCpu, avgMem);
+
+    if (pressure >= this.thresholdRed) this._zone = "red";
+    else if (pressure >= this.thresholdYellow) this._zone = "yellow";
+    else this._zone = "green";
+  }
+
+  /**
+   * Middleware function for Fastify (onRequest hook) or Express.
+   * Returns true if request should be allowed, false if rejected.
+   */
+  shouldAllow(url, headers) {
+    if (!this.enabled) return true;
+
+    this._requestCount++;
+
+    // Always allow exempt paths and internal requests
+    const path = (url || "").split("?")[0];
+    if (EXEMPT_PATHS.has(path)) return true;
+    if (headers?.["x-wolverine-internal"]) return true;
+
+    if (this._zone === "green") return true;
+
+    if (this._zone === "yellow") {
+      // Probabilistic shedding — reject ~30% of requests
+      if (Math.random() < 0.3) {
+        this._rejectedCount++;
+        return false;
+      }
+      return true;
+    }
+
+    // RED zone — reject all non-exempt
+    this._rejectedCount++;
+    return false;
+  }
+
+  /**
+   * Get current limiter status for health endpoints / dashboard.
+   */
+  getStatus() {
+    return {
+      enabled: this.enabled,
+      zone: this._zone,
+      cpuAvg: this._cpuHistory.length > 0 ? Math.round(this._cpuHistory.reduce((a, b) => a + b, 0) / this._cpuHistory.length) : 0,
+      memAvg: this._memHistory.length > 0 ? Math.round(this._memHistory.reduce((a, b) => a + b, 0) / this._memHistory.length) : 0,
+      totalRequests: this._requestCount,
+      rejectedRequests: this._rejectedCount,
+      reserveMB: this.reserveMB,
+    };
+  }
+
+  stop() {
+    if (this._timer) { clearInterval(this._timer); this._timer = null; }
+  }
+}
+
+// Singleton — shared across the child process
+let _instance = null;
+function getLimiter(opts) {
+  if (!_instance) _instance = new AdaptiveLimiter(opts);
+  return _instance;
+}
+
+module.exports = { AdaptiveLimiter, getLimiter };