wolverine-ai 4.5.4 → 4.6.1

package/bin/wolverine.js

@@ -27,6 +27,7 @@ ${chalk.bold("Options:")}
   --single         Force single-worker mode (no clustering)
   --workers <n>    Force specific worker count
   --info           Show system info and exit
+  --init           Scan server/ and build context map (routes, DB, config, deps)
 
 ${chalk.bold("Configuration:")}
   server/config/settings.json    Models, telemetry, limits, health checks
@@ -54,6 +55,38 @@ if (args.includes("--info")) {
   process.exit(0);
 }
 
+// --init: scan server/ and build context map
+if (args.includes("--init")) {
+  const { scan } = require("../src/core/server-context");
+  console.log(chalk.blue("\n  🔍 Scanning server/ directory...\n"));
+  const ctx = scan(process.cwd());
+  if (!ctx) {
+    console.log(chalk.yellow("  No server/ directory found."));
+    process.exit(1);
+  }
+  console.log(chalk.green(`  ✅ Server context built:`));
+  console.log(chalk.gray(`     Routes: ${ctx.routes.reduce((s, r) => s + r.endpoints.length, 0)}`));
+  console.log(chalk.gray(`     Middleware: ${ctx.middleware.length}`));
+  console.log(chalk.gray(`     Database: ${ctx.database.type || "none"}${ctx.database.tables.length > 0 ? ` (${ctx.database.tables.length} tables)` : ""}`));
+  console.log(chalk.gray(`     Env vars: ${ctx.envVars.length}`));
+  console.log(chalk.gray(`     Files: ${ctx.structure.length}`));
+  console.log(chalk.gray(`     Saved to: .wolverine/server-context.json`));
+  if (ctx.warnings && ctx.warnings.length > 0) {
+    console.log(chalk.yellow(`\n  ⚠️  Security warnings (${ctx.warnings.length}):`));
+    const seen = new Set();
+    for (const w of ctx.warnings) {
+      const key = `${w.file}:${w.type}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      console.log(chalk.yellow(`     ${w.file}: ${w.label}`));
+    }
+  } else {
+    console.log(chalk.green(`     No security warnings`));
+  }
+  console.log("");
+  process.exit(0);
+}
+
 // --update: safe framework update
 if (args.includes("--update")) {
   const { safeUpdate } = require("../src/skills/update");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "4.5.4",
+  "version": "4.6.1",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {

package/src/brain/brain.js

@@ -138,9 +138,13 @@ const SEED_DOCS = [
     metadata: { topic: "prompt-caching" },
   },
   {
-    text: "Platform telemetry: lightweight background process, zero-config. Default platform: api.wolverinenode.xyz. Auto-registers on first run (retries every 60s until platform responds), saves key to .wolverine/platform-key. Heartbeat payload matches PLATFORM.md spec: instanceId, server (name/port/uptime/status/pid), process (memoryMB/cpuPercent), routes, repairs, usage (tokens/cost/calls/byCategory), brain, backups. Offline-resilient: queues up to 1440 heartbeats locally, drains on reconnect. No chalk dependency, cached version/key in memory, minimal IO. Opt out: WOLVERINE_TELEMETRY=false. Override URL: WOLVERINE_PLATFORM_URL.",
+    text: "Platform telemetry: lightweight background process, zero-config. Default platform: api.wolverinenode.xyz. Auto-registers on first run, heartbeats every 60s. Offline-resilient: queues up to 1440 heartbeats locally, drains on reconnect. Opt out: WOLVERINE_TELEMETRY=false.",
     metadata: { topic: "platform-telemetry" },
   },
+  {
+    text: "Server context scanner (wolverine --init): scans server/ directory on every startup to build .wolverine/server-context.json. Extracts routes (HTTP methods + paths from fastify/express), middleware stack, database type + tables, config structure, dependencies, env vars used (process.env.X patterns), and full file tree. Context summary auto-injected into agent's heal prompt so it knows the server's route map, DB schema, and dependencies without re-scanning. Manual scan: wolverine --init. Auto-scan: runs silently on every boot. The context is read-only — never modified by the agent.",
+    metadata: { topic: "server-context" },
+  },
   {
     text: "Telemetry architecture: 4 files, ~250 lines total. heartbeat.js sends one HTTP POST every 60s (5s timeout, non-blocking). register.js auto-registers and caches key in memory + disk. queue.js appends to JSONL file only on failure, trims lazily. telemetry.js collects from subsystems using optional chaining (no crashes if subsystem missing). All secrets redacted before sending. Response bodies drained immediately (res.resume). No blocking, no delays, no busy waits.",
     metadata: { topic: "telemetry-architecture" },

package/src/core/runner.js

@@ -211,6 +211,18 @@ class WolverineRunner {
       console.log(chalk.yellow(`  ⚠️  Vault init failed (non-fatal): ${err.message}`));
     }
 
+    // Scan server context (routes, DB, config, deps) for agent knowledge
+    try {
+      const { scan } = require("./server-context");
+      const ctx = scan(this.cwd);
+      if (ctx) {
+        const routes = ctx.routes.reduce((s, r) => s + r.endpoints.length, 0);
+        const warns = (ctx.warnings || []).length;
+        console.log(chalk.gray(`  🗺️  Server context: ${routes} routes, ${ctx.structure.length} files, ${ctx.envVars.length} env vars`));
+        if (warns > 0) console.log(chalk.yellow(`  ⚠️  ${warns} security warning(s) — run wolverine --init for details`));
+      }
+    } catch {}
+
     // Log redactor stats
     const redactorStats = this.redactor.getStats();
     console.log(chalk.gray(`  🔐 Secret redactor: ${redactorStats.trackedSecrets} secrets tracked from ${redactorStats.envFiles} env file(s)`));

package/src/core/server-context.js

@@ -0,0 +1,277 @@
+const fs = require("fs");
+const path = require("path");
+
+/**
+ * Server Context Scanner — builds a structured map of the server/ directory.
+ *
+ * Scans routes, middleware, config, database, dependencies, and file structure
+ * to give the AI agent full context when diagnosing errors.
+ *
+ * Runs automatically on startup (stored in .wolverine/server-context.json).
+ * Can be triggered manually: wolverine --init or require('./server-context').scan(cwd)
+ *
+ * The context is injected into the agent's system prompt so it knows the
+ * server's structure without re-scanning on every heal.
+ */
+
+const CONTEXT_PATH = ".wolverine/server-context.json";
+const MAX_FILE_SCAN = 200; // don't scan more than 200 files
+const SKIP_DIRS = new Set(["node_modules", ".git", ".wolverine", "dist", ".next", ".cache", "coverage", "__pycache__"]);
+
+function scan(cwd) {
+  const serverDir = path.join(cwd, "server");
+  if (!fs.existsSync(serverDir)) return null;
+
+  const context = {
+    scannedAt: new Date().toISOString(),
+    routes: [],
+    middleware: [],
+    database: { tables: [], config: null },
+    config: {},
+    dependencies: {},
+    structure: [],
+    exports: [],
+    envVars: [],
+  };
+
+  // 1. Scan routes
+  const routesDir = path.join(serverDir, "routes");
+  if (fs.existsSync(routesDir)) {
+    for (const file of _listFiles(routesDir, ".js")) {
+      try {
+        const code = fs.readFileSync(file, "utf-8");
+        const relPath = path.relative(cwd, file);
+        const methods = [];
+        // Match fastify.get/post/put/delete/patch or app.get/post etc
+        const routeRegex = /(?:fastify|app|router)\.(get|post|put|delete|patch|options|head)\s*\(\s*['"`]([^'"`]+)/gi;
+        let m;
+        while ((m = routeRegex.exec(code)) !== null) {
+          methods.push({ method: m[1].toUpperCase(), path: m[2] });
+        }
+        // Match fastify.register with prefix
+        const registerRegex = /register\s*\(.*?prefix\s*:\s*['"`]([^'"`]+)/gi;
+        while ((m = registerRegex.exec(code)) !== null) {
+          methods.push({ method: "REGISTER", path: m[1] });
+        }
+        if (methods.length > 0) {
+          context.routes.push({ file: relPath, endpoints: methods });
+        }
+      } catch {}
+    }
+  }
+
+  // 2. Scan middleware
+  const indexFile = path.join(serverDir, "index.js");
+  if (fs.existsSync(indexFile)) {
+    try {
+      const code = fs.readFileSync(indexFile, "utf-8");
+      // Find app.use() or fastify.register() calls
+      const mwRegex = /(?:app\.use|fastify\.register)\s*\(\s*(?:require\s*\(\s*['"`]([^'"`]+)['"`]\s*\)|(\w+))/gi;
+      let m;
+      while ((m = mwRegex.exec(code)) !== null) {
+        context.middleware.push(m[1] || m[2]);
+      }
+    } catch {}
+  }
+
+  // 3. Scan database
+  const dbFiles = [
+    path.join(serverDir, "lib", "db.js"),
+    path.join(serverDir, "db.js"),
+    path.join(serverDir, "models", "index.js"),
+    path.join(serverDir, "database.js"),
+  ];
+  for (const dbFile of dbFiles) {
+    if (!fs.existsSync(dbFile)) continue;
+    try {
+      const code = fs.readFileSync(dbFile, "utf-8");
+      // Detect database type
+      if (/require\s*\(\s*['"]pg['"]/.test(code)) context.database.type = "postgresql";
+      else if (/require\s*\(\s*['"]better-sqlite3['"]/.test(code)) context.database.type = "sqlite";
+      else if (/require\s*\(\s*['"]mysql/.test(code)) context.database.type = "mysql";
+      else if (/require\s*\(\s*['"]mongoose['"]/.test(code)) context.database.type = "mongodb";
+      else if (/require\s*\(\s*['"]ioredis['"]/.test(code)) context.database.hasRedis = true;
+      // Find CREATE TABLE statements
+      const tableRegex = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?["`]?(\w+)/gi;
+      let m;
+      while ((m = tableRegex.exec(code)) !== null) {
+        context.database.tables.push(m[1]);
+      }
+      context.database.config = path.relative(cwd, dbFile);
+    } catch {}
+  }
+
+  // 4. Scan config
+  const settingsPath = path.join(serverDir, "config", "settings.json");
+  if (fs.existsSync(settingsPath)) {
+    try {
+      const settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+      // Only include non-secret top-level keys
+      context.config = Object.keys(settings).reduce((acc, k) => {
+        if (typeof settings[k] === "object") acc[k] = Object.keys(settings[k]);
+        else acc[k] = typeof settings[k];
+        return acc;
+      }, {});
+    } catch {}
+  }
+
+  // 5. Dependencies
+  const pkgPath = path.join(cwd, "package.json");
+  if (fs.existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+      context.dependencies = {
+        production: Object.keys(pkg.dependencies || {}),
+        dev: Object.keys(pkg.devDependencies || {}),
+        optional: Object.keys(pkg.optionalDependencies || {}),
+      };
+      context.nodeVersion = pkg.engines?.node || "unknown";
+      context.version = pkg.version;
+    } catch {}
+  }
+
+  // 6. File structure (server/ tree)
+  const tree = [];
+  let fileCount = 0;
+  const walk = (dir, depth) => {
+    if (depth > 4 || fileCount > MAX_FILE_SCAN) return;
+    try {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        if (SKIP_DIRS.has(entry.name)) continue;
+        const rel = path.relative(cwd, path.join(dir, entry.name));
+        if (entry.isDirectory()) {
+          tree.push(rel + "/");
+          walk(path.join(dir, entry.name), depth + 1);
+        } else {
+          tree.push(rel);
+          fileCount++;
+        }
+      }
+    } catch {}
+  };
+  walk(serverDir, 0);
+  context.structure = tree;
+
+  // 7. Env vars used (scan for process.env.X patterns)
+  const envVars = new Set();
+  const scanForEnv = (dir) => {
+    if (!fs.existsSync(dir)) return;
+    for (const file of _listFiles(dir, ".js")) {
+      try {
+        const code = fs.readFileSync(file, "utf-8");
+        const envRegex = /process\.env\.([A-Z_][A-Z0-9_]*)/g;
+        let m;
+        while ((m = envRegex.exec(code)) !== null) envVars.add(m[1]);
+      } catch {}
+    }
+  };
+  scanForEnv(serverDir);
+  context.envVars = [...envVars].sort();
+
+  // 8. Security scan — detect dangerous patterns in server code
+  context.warnings = [];
+  const scanForDangers = (dir) => {
+    if (!fs.existsSync(dir)) return;
+    for (const file of _listFiles(dir, ".js")) {
+      try {
+        const code = fs.readFileSync(file, "utf-8");
+        const rel = path.relative(cwd, file);
+        // Hardcoded secrets
+        if (/['"][a-zA-Z0-9_-]{20,}['"]/.test(code)) {
+          const secretPatterns = [
+            { regex: /sk-[a-zA-Z0-9]{20,}/g, label: "OpenAI API key" },
+            { regex: /sk-ant-[a-zA-Z0-9_-]{20,}/g, label: "Anthropic API key" },
+            { regex: /ghp_[a-zA-Z0-9]{36,}/g, label: "GitHub token" },
+            { regex: /AKIA[0-9A-Z]{16}/g, label: "AWS access key" },
+            { regex: /['"](?:password|secret|token|api_key|apikey|auth)\s*['"]?\s*[:=]\s*['"][^'"]{8,}['"]/gi, label: "Hardcoded credential" },
+            { regex: /mongodb\+srv:\/\/[^\s'"]+/g, label: "MongoDB connection string" },
+            { regex: /postgres:\/\/[^\s'"]+/g, label: "PostgreSQL connection string" },
+            { regex: /redis:\/\/[^\s'"]+/g, label: "Redis connection string" },
+          ];
+          for (const p of secretPatterns) {
+            if (p.regex.test(code)) {
+              context.warnings.push({ file: rel, type: "hardcoded_secret", label: p.label });
+              p.regex.lastIndex = 0;
+            }
+          }
+        }
+        // eval / Function constructor
+        if (/\beval\s*\(/.test(code)) context.warnings.push({ file: rel, type: "eval_usage", label: "eval() call" });
+        if (/new\s+Function\s*\(/.test(code)) context.warnings.push({ file: rel, type: "function_constructor", label: "new Function() call" });
+        // SQL injection risk (string concat in queries)
+        if (/\.(query|exec|prepare)\s*\(\s*['"`].*\$\{/.test(code) || /\.(query|exec)\s*\(\s*.*\+\s*(?:req|args|params|body)/i.test(code)) {
+          context.warnings.push({ file: rel, type: "sql_injection_risk", label: "String concatenation in SQL query" });
+        }
+        // Unvalidated redirect
+        if (/res\.redirect\s*\(\s*(?:req\.|args\.|params\.)/.test(code)) {
+          context.warnings.push({ file: rel, type: "open_redirect", label: "Unvalidated redirect from user input" });
+        }
+      } catch {}
+    }
+  };
+  scanForDangers(serverDir);
+
+  // Sanitize: strip any actual secret values that might have leaked into context
+  const contextStr = JSON.stringify(context);
+  const { redact } = require("../security/secret-redactor");
+  const sanitized = JSON.parse(redact(contextStr));
+
+  // Save
+  const outPath = path.join(cwd, CONTEXT_PATH);
+  fs.mkdirSync(path.dirname(outPath), { recursive: true });
+  fs.writeFileSync(outPath, JSON.stringify(sanitized, null, 2), "utf-8");
+
+  return sanitized;
+}
+
+/**
+ * Load cached context (fast — no rescan).
+ */
+function load(cwd) {
+  const ctxPath = path.join(cwd, CONTEXT_PATH);
+  if (!fs.existsSync(ctxPath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(ctxPath, "utf-8"));
+  } catch { return null; }
+}
+
+/**
+ * Get a compact text summary for injecting into AI prompts.
+ */
+function getSummary(cwd) {
+  const ctx = load(cwd);
+  if (!ctx) return "";
+
+  const lines = [];
+  if (ctx.routes.length > 0) {
+    const allEndpoints = ctx.routes.flatMap(r => r.endpoints.map(e => `${e.method} ${e.path}`));
+    lines.push(`Routes (${allEndpoints.length}): ${allEndpoints.slice(0, 20).join(", ")}${allEndpoints.length > 20 ? ` +${allEndpoints.length - 20} more` : ""}`);
+  }
+  if (ctx.middleware.length > 0) lines.push(`Middleware: ${ctx.middleware.join(", ")}`);
+  if (ctx.database.type) lines.push(`Database: ${ctx.database.type}${ctx.database.tables.length > 0 ? ` (tables: ${ctx.database.tables.join(", ")})` : ""}${ctx.database.hasRedis ? " + Redis" : ""}`);
+  if (ctx.envVars.length > 0) lines.push(`Env vars used: ${ctx.envVars.slice(0, 15).join(", ")}${ctx.envVars.length > 15 ? ` +${ctx.envVars.length - 15} more` : ""}`);
+  if (ctx.structure.length > 0) lines.push(`Server files: ${ctx.structure.length}`);
+  if (ctx.version) lines.push(`Version: ${ctx.version}`);
+
+  return lines.length > 0 ? "SERVER CONTEXT:\n" + lines.join("\n") : "";
+}
+
+function _listFiles(dir, ext) {
+  const results = [];
+  let count = 0;
+  const walk = (d) => {
+    if (count > MAX_FILE_SCAN) return;
+    try {
+      for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
+        if (SKIP_DIRS.has(entry.name)) continue;
+        const full = path.join(d, entry.name);
+        if (entry.isDirectory()) walk(full);
+        else if (!ext || entry.name.endsWith(ext)) { results.push(full); count++; }
+      }
+    } catch {}
+  };
+  walk(dir);
+  return results;
+}
+
+module.exports = { scan, load, getSummary, CONTEXT_PATH };

package/src/core/wolverine.js

@@ -208,6 +208,12 @@ async function _healImpl({ stderr, cwd, sandbox, notifier, rateLimiter, backupMa
   }
 
   let brainContext = "";
+  // Inject server context (routes, DB, config, deps) if available
+  try {
+    const { getSummary } = require("./server-context");
+    const serverCtx = getSummary(cwd);
+    if (serverCtx) brainContext += serverCtx + "\n\n";
+  } catch {}
   // Inject relevant skill context (claw-code: pre-enrich prompt with matched tools)
   if (skills) {
     const skillCtx = skills.buildContext(parsed.errorMessage);