wolverine-ai 4.6.0 → 4.7.0

package/bin/wolverine.js

@@ -4,6 +4,16 @@ const path = require("path");
 const dotenv = require("dotenv");
 const chalk = require("chalk");
 
+// Global error handlers — prevent parent process death from unhandled errors
+process.on("uncaughtException", (err) => {
+  console.error(chalk.red(`\n  ⚠️  Uncaught exception (wolverine survived): ${err.message}`));
+  console.error(chalk.gray(`  ${err.stack?.split("\n")[1]?.trim() || ""}`));
+});
+process.on("unhandledRejection", (reason) => {
+  const msg = reason instanceof Error ? reason.message : String(reason);
+  console.error(chalk.red(`\n  ⚠️  Unhandled rejection (wolverine survived): ${msg}`));
+});
+
 // Load secrets
 dotenv.config({ path: path.resolve(process.cwd(), ".env.local") });
 dotenv.config({ path: path.resolve(process.cwd(), ".env") });
@@ -70,7 +80,20 @@ if (args.includes("--init")) {
   console.log(chalk.gray(`     Database: ${ctx.database.type || "none"}${ctx.database.tables.length > 0 ? ` (${ctx.database.tables.length} tables)` : ""}`));
   console.log(chalk.gray(`     Env vars: ${ctx.envVars.length}`));
   console.log(chalk.gray(`     Files: ${ctx.structure.length}`));
-  console.log(chalk.gray(`     Saved to: .wolverine/server-context.json\n`));
+  console.log(chalk.gray(`     Saved to: .wolverine/server-context.json`));
+  if (ctx.warnings && ctx.warnings.length > 0) {
+    console.log(chalk.yellow(`\n  ⚠️  Security warnings (${ctx.warnings.length}):`));
+    const seen = new Set();
+    for (const w of ctx.warnings) {
+      const key = `${w.file}:${w.type}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      console.log(chalk.yellow(`     ${w.file}: ${w.label}`));
+    }
+  } else {
+    console.log(chalk.green(`     No security warnings`));
+  }
+  console.log("");
   process.exit(0);
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "4.6.0",
+  "version": "4.7.0",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {
@@ -58,14 +58,14 @@
     "diff": "^7.0.0",
     "dotenv": "^16.4.7",
     "fastify": "^5.8.4",
-    "ioredis": "^5.0.0",
-    "openai": "^4.73.0",
-    "pg": "^8.0.0"
+    "openai": "^4.73.0"
   },
   "optionalDependencies": {
     "@privy-io/server-auth": "1.14.0",
     "better-sqlite3": "^11.0.0",
     "ethers": "^6.0.0",
+    "ioredis": "^5.0.0",
+    "pg": "^8.0.0",
     "stripe": "^18.0.0"
   },
   "engines": {

package/src/agent/agent-engine.js

@@ -544,6 +544,16 @@ function _detectSandboxEscape(cmd, cwd) {
     return "curl uploading local file (potential data exfiltration)";
   }
 
+  // 6. Environment variable dumping to file/network (staging attack via /tmp)
+  if (/\b(env|printenv|set)\s*>/.test(c) || /\b(env|printenv)\s*\|/.test(c)) {
+    return "Environment variable dump detected (exfiltration risk)";
+  }
+
+  // 7. Reading secrets and piping to network
+  if (/cat\s+.*\.(env|key|pem|crt)\s*\|/.test(c) || /cat\s+.*secret.*\|/.test(c)) {
+    return "Reading sensitive file and piping to output";
+  }
+
   return null; // safe
 }
 
@@ -1075,6 +1085,10 @@ class AgentEngine {
           /^192\.168\./,
           /^fd[0-9a-f]{2}:/i,
           /^::1$/,
+          /^0\.0\.0\.0$/,
+          /^0\./,
+          /^\[::1\]$/,
+          /^metadata\.google\.internal$/i,
         ];
         if (privatePatterns.some(p => p.test(hostname))) {
           resolve({ content: `BLOCKED: Cannot fetch private/internal address "${hostname}"` });

package/src/core/runner.js

@@ -213,11 +213,13 @@ class WolverineRunner {
 
     // Scan server context (routes, DB, config, deps) for agent knowledge
     try {
-      const { scan, load } = require("./server-context");
+      const { scan } = require("./server-context");
       const ctx = scan(this.cwd);
       if (ctx) {
         const routes = ctx.routes.reduce((s, r) => s + r.endpoints.length, 0);
+        const warns = (ctx.warnings || []).length;
         console.log(chalk.gray(`  🗺️  Server context: ${routes} routes, ${ctx.structure.length} files, ${ctx.envVars.length} env vars`));
+        if (warns > 0) console.log(chalk.yellow(`  ⚠️  ${warns} security warning(s) — run wolverine --init for details`));
       }
     } catch {}
 
@@ -708,14 +710,16 @@ class WolverineRunner {
     }
     this._healInProgress = true;
 
-    // #8: Safety timeout — if heal hangs, force-release the lock after 6 minutes
+    // Safety timeout — must be strictly greater than heal()'s 5-min timeout to avoid concurrent heals
+    const HEAL_TIMEOUT_MS = parseInt(process.env.WOLVERINE_HEAL_TIMEOUT_MS, 10) || 300000;
+    const safetyMs = HEAL_TIMEOUT_MS + 30000; // heal timeout + 30s grace
     const healTimeout = setTimeout(() => {
       if (this._healInProgress) {
-        console.log(chalk.red(`  ⚠️  _healFromError safety timeout (6min) — releasing heal lock`));
+        console.log(chalk.red(`  ⚠️  _healFromError safety timeout (${Math.round(safetyMs / 60000)}min) — releasing heal lock`));
         this._healInProgress = false;
         this._healStatus = null;
       }
-    }, 360000);
+    }, safetyMs);
 
     console.log(chalk.yellow(`\n🐺 Wolverine healing caught error on ${routePath}...`));
     this._healStatus = { active: true, route: routePath, error: errorDetails?.message?.slice(0, 200), phase: "diagnosing", startedAt: Date.now() };

package/src/core/server-context.js

@@ -168,12 +168,60 @@ function scan(cwd) {
   scanForEnv(serverDir);
   context.envVars = [...envVars].sort();
 
+  // 8. Security scan — detect dangerous patterns in server code
+  context.warnings = [];
+  const scanForDangers = (dir) => {
+    if (!fs.existsSync(dir)) return;
+    for (const file of _listFiles(dir, ".js")) {
+      try {
+        const code = fs.readFileSync(file, "utf-8");
+        const rel = path.relative(cwd, file);
+        // Hardcoded secrets
+        if (/['"][a-zA-Z0-9_-]{20,}['"]/.test(code)) {
+          const secretPatterns = [
+            { regex: /sk-[a-zA-Z0-9]{20,}/g, label: "OpenAI API key" },
+            { regex: /sk-ant-[a-zA-Z0-9_-]{20,}/g, label: "Anthropic API key" },
+            { regex: /ghp_[a-zA-Z0-9]{36,}/g, label: "GitHub token" },
+            { regex: /AKIA[0-9A-Z]{16}/g, label: "AWS access key" },
+            { regex: /['"](?:password|secret|token|api_key|apikey|auth)\s*['"]?\s*[:=]\s*['"][^'"]{8,}['"]/gi, label: "Hardcoded credential" },
+            { regex: /mongodb\+srv:\/\/[^\s'"]+/g, label: "MongoDB connection string" },
+            { regex: /postgres:\/\/[^\s'"]+/g, label: "PostgreSQL connection string" },
+            { regex: /redis:\/\/[^\s'"]+/g, label: "Redis connection string" },
+          ];
+          for (const p of secretPatterns) {
+            if (p.regex.test(code)) {
+              context.warnings.push({ file: rel, type: "hardcoded_secret", label: p.label });
+              p.regex.lastIndex = 0;
+            }
+          }
+        }
+        // eval / Function constructor
+        if (/\beval\s*\(/.test(code)) context.warnings.push({ file: rel, type: "eval_usage", label: "eval() call" });
+        if (/new\s+Function\s*\(/.test(code)) context.warnings.push({ file: rel, type: "function_constructor", label: "new Function() call" });
+        // SQL injection risk (string concat in queries)
+        if (/\.(query|exec|prepare)\s*\(\s*['"`].*\$\{/.test(code) || /\.(query|exec)\s*\(\s*.*\+\s*(?:req|args|params|body)/i.test(code)) {
+          context.warnings.push({ file: rel, type: "sql_injection_risk", label: "String concatenation in SQL query" });
+        }
+        // Unvalidated redirect
+        if (/res\.redirect\s*\(\s*(?:req\.|args\.|params\.)/.test(code)) {
+          context.warnings.push({ file: rel, type: "open_redirect", label: "Unvalidated redirect from user input" });
+        }
+      } catch {}
+    }
+  };
+  scanForDangers(serverDir);
+
+  // Sanitize: strip any actual secret values that might have leaked into context
+  const contextStr = JSON.stringify(context);
+  const { redact } = require("../security/secret-redactor");
+  const sanitized = JSON.parse(redact(contextStr));
+
   // Save
   const outPath = path.join(cwd, CONTEXT_PATH);
   fs.mkdirSync(path.dirname(outPath), { recursive: true });
-  fs.writeFileSync(outPath, JSON.stringify(context, null, 2), "utf-8");
+  fs.writeFileSync(outPath, JSON.stringify(sanitized, null, 2), "utf-8");
 
-  return context;
+  return sanitized;
 }
 
 /**

package/src/core/wolverine.js

@@ -249,27 +249,35 @@ async function _healImpl({ stderr, cwd, sandbox, notifier, rateLimiter, backupMa
     } catch {}
   }
 
-  // 7. Classify error complexity — CLASSIFIER_MODEL determines strategy
+  // 7. Classify error complexity — regex first (fast, free), AI only when uncertain
   let errorComplexity = "moderate";
-  try {
-    const classifyResult = await aiCall({
-      model: getModel("classifier"),
-      systemPrompt: "You classify Node.js errors. Respond with ONLY one word: SIMPLE, MODERATE, or COMPLEX.",
-      userPrompt: `Classify this error:\n${parsed.errorMessage}\n\nFile: ${parsed.filePath || "unknown"}\nType: ${parsed.errorType || "unknown"}`,
-      maxTokens: 10,
-      category: "classifier",
-    });
-    const word = (classifyResult.content || "").trim().toUpperCase();
-    if (word.includes("SIMPLE")) errorComplexity = "simple";
-    else if (word.includes("COMPLEX")) errorComplexity = "complex";
-    else errorComplexity = "moderate";
-    console.log(chalk.gray(`  🏷️  Classifier: ${errorComplexity}`));
-  } catch {
-    // Fallback to regex classification
-    if (/TypeError|ReferenceError|SyntaxError|Cannot find module/.test(parsed.errorMessage)) errorComplexity = "simple";
-    else if (/ECONNREFUSED|timeout|ENOENT|EACCES/.test(parsed.errorMessage)) errorComplexity = "moderate";
-    else errorComplexity = "complex";
-    console.log(chalk.gray(`  🏷️  Classifier (fallback): ${errorComplexity}`));
+  const isObviouslySimple = /TypeError|ReferenceError|SyntaxError|Cannot find module|Cannot read prop/.test(parsed.errorMessage);
+  const isObviouslyModerate = /ECONNREFUSED|timeout|ENOENT|EACCES|EADDRINUSE|ENOSPC|EMFILE/.test(parsed.errorMessage);
+  if (isObviouslySimple) {
+    errorComplexity = "simple";
+    console.log(chalk.gray(`  🏷️  Classifier (fast): simple`));
+  } else if (isObviouslyModerate) {
+    errorComplexity = "moderate";
+    console.log(chalk.gray(`  🏷️  Classifier (fast): moderate`));
+  } else {
+    // Uncertain — use AI classifier
+    try {
+      const classifyResult = await aiCall({
+        model: getModel("classifier"),
+        systemPrompt: "You classify Node.js errors. Respond with ONLY one word: SIMPLE, MODERATE, or COMPLEX.",
+        userPrompt: `Classify this error:\n${parsed.errorMessage}\n\nFile: ${parsed.filePath || "unknown"}\nType: ${parsed.errorType || "unknown"}`,
+        maxTokens: 10,
+        category: "classifier",
+      });
+      const word = (classifyResult.content || "").trim().toUpperCase();
+      if (word.includes("SIMPLE")) errorComplexity = "simple";
+      else if (word.includes("COMPLEX")) errorComplexity = "complex";
+      else errorComplexity = "moderate";
+      console.log(chalk.gray(`  🏷️  Classifier (AI): ${errorComplexity}`));
+    } catch {
+      errorComplexity = "complex"; // unknown = treat as complex to be safe
+      console.log(chalk.gray(`  🏷️  Classifier (fallback): complex`));
+    }
   }
 
   // 7b. Research — look up past fixes AND search for solutions
@@ -687,13 +695,15 @@ async function tryOperationalFix(parsed, cwd, logger, sandbox) {
     } catch {}
   }
 
-  // Pattern 6: EMFILE — too many open files, try raising ulimit
+  // Pattern 6: EMFILE — too many open files
   if (/EMFILE|ENFILE/.test(msg)) {
+    // Close stale file handles by clearing node_modules/.cache and restarting
     try {
-      if (process.platform !== "win32") {
-        execSync("ulimit -n 65536 2>/dev/null || true", { cwd, stdio: "pipe", timeout: 3000 });
-        console.log(chalk.blue("  📂 Raised file descriptor limit to 65536"));
-        return { fixed: true, action: "EMFILE — raised file descriptor limit (ulimit -n 65536)" };
+      const cachePath = path.join(cwd, "node_modules", ".cache");
+      if (fs.existsSync(cachePath)) {
+        execSync(`rm -rf "${cachePath}"`, { timeout: 10000 });
+        console.log(chalk.blue("  📂 Cleared node_modules/.cache to reduce open FDs"));
+        return { fixed: true, action: "EMFILE — cleared build cache to reduce open file descriptors. Consider increasing ulimit -n in your system profile." };
       }
     } catch {}
   }