wolverine-ai 6.0.1 → 6.1.0

package/bin/wolverine.js

@@ -246,12 +246,15 @@ if (args.includes("--backups")) {
 const scriptPath = args.find(a => !a.startsWith("--")) || "server/index.js";
 
 // Initialize server/ from template if it doesn't exist (first run)
-const { initServer, ensureX402Deps } = require("../src/core/init-server");
+const { initServer, ensureX402Deps, securityAudit } = require("../src/core/init-server");
 initServer(process.cwd(), scriptPath);
 
 // Ensure x402 payment deps are installed (if vault exists)
 ensureX402Deps(process.cwd());
 
+// Security audit — detect and auto-fix CVEs on startup
+securityAudit(process.cwd());
+
 // System detection (for analytics + dashboard, NOT for forking)
 // Wolverine runs as a single process manager. If users want clustering,
 // they handle it inside their server (e.g. @fastify/cluster, pm2 cluster mode).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "6.0.1",
+  "version": "6.1.0",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {

package/src/core/config.js

@@ -98,6 +98,36 @@ function loadConfig() {
       windowMs: parseInt(process.env.WOLVERINE_ERROR_WINDOW_MS, 10) || fileConfig.errorMonitor?.windowMs || 30000,
       cooldownMs: parseInt(process.env.WOLVERINE_ERROR_COOLDOWN_MS, 10) || fileConfig.errorMonitor?.cooldownMs || 60000,
     },
+
+    heal: {
+      healTimeoutMs:    parseInt(process.env.WOLVERINE_HEAL_TIMEOUT_MS, 10)         || fileConfig.heal?.healTimeoutMs    || 300000,
+      globalMaxHeals:   parseInt(process.env.WOLVERINE_RATE_MAX_GLOBAL_HEALS, 10)   || fileConfig.heal?.globalMaxHeals   || 5,
+      globalWindowMs:   parseInt(process.env.WOLVERINE_RATE_GLOBAL_WINDOW_MS, 10)   || fileConfig.heal?.globalWindowMs   || 300000,
+      loopMaxAttempts:  parseInt(process.env.WOLVERINE_LOOP_MAX_ATTEMPTS, 10)       || fileConfig.heal?.loopMaxAttempts  || 3,
+      loopWindowMs:     parseInt(process.env.WOLVERINE_LOOP_WINDOW_MS, 10)          || fileConfig.heal?.loopWindowMs     || 600000,
+    },
+
+    agent: {
+      aiCallTimeoutMs: parseInt(process.env.WOLVERINE_AI_CALL_TIMEOUT_MS, 10) || fileConfig.agent?.aiCallTimeoutMs || 90000,
+      maxTurns:        parseInt(process.env.WOLVERINE_AGENT_MAX_TURNS, 10)    || fileConfig.agent?.maxTurns        || 8,
+      tokenBudget: {
+        simple:   fileConfig.agent?.tokenBudget?.simple   || 20000,
+        moderate: fileConfig.agent?.tokenBudget?.moderate  || 50000,
+        complex:  fileConfig.agent?.tokenBudget?.complex   || 100000,
+      },
+    },
+
+    adaptiveLimiter: {
+      thresholdYellow: fileConfig.adaptiveLimiter?.thresholdYellow || 70,
+      thresholdRed:    fileConfig.adaptiveLimiter?.thresholdRed    || 85,
+      reserveMB:       fileConfig.adaptiveLimiter?.reserveMB       || 200,
+    },
+
+    backup: {
+      stabilityMs:   fileConfig.backup?.stabilityMs   || 1800000,
+      retentionDays: fileConfig.backup?.retentionDays  || 7,
+      maxFileSizeMB: fileConfig.backup?.maxFileSizeMB  || 10,
+    },
   };
 
   // Migrate old settings.json to new format + ensure defaults

package/src/core/init-server.js

@@ -89,4 +89,47 @@ function ensureX402Deps(cwd) {
   }
 }
 
-module.exports = { initServer, ensureX402Deps };
+/**
+ * Run security audit on startup — detect and auto-fix CVEs.
+ * Only runs if node_modules exists. Non-blocking (doesn't prevent startup).
+ */
+function securityAudit(cwd) {
+  if (!fs.existsSync(path.join(cwd, "node_modules"))) return;
+
+  try {
+    const { audit } = require("../skills/deps");
+    const result = audit(cwd);
+
+    if (result.vulnerabilities === 0) return;
+
+    const severity = result.critical > 0 ? "critical" : result.high > 0 ? "high" : "moderate";
+    console.log(chalk.yellow(`  🛡️  Security: ${result.vulnerabilities} vulnerabilities (${result.critical} critical, ${result.high} high, ${result.moderate} moderate)`));
+
+    // Auto-fix if possible (non-breaking only)
+    if (result.critical > 0 || result.high > 0) {
+      console.log(chalk.blue("  🛡️  Running npm audit fix..."));
+      try {
+        const { execSync } = require("child_process");
+        const output = execSync("npm audit fix 2>&1", { cwd, encoding: "utf-8", timeout: 60000 });
+        const changed = output.match(/changed (\d+) package/);
+        if (changed) {
+          console.log(chalk.green(`  ✅ Fixed: ${changed[0]}`));
+        } else {
+          console.log(chalk.gray("  🛡️  No auto-fixable vulnerabilities (may need --force or manual update)"));
+        }
+      } catch (e) {
+        console.log(chalk.gray(`  🛡️  npm audit fix: ${e.message?.slice(0, 80)}`));
+      }
+
+      // Re-check
+      const after = audit(cwd);
+      if (after.vulnerabilities < result.vulnerabilities) {
+        console.log(chalk.green(`  ✅ Reduced from ${result.vulnerabilities} to ${after.vulnerabilities} vulnerabilities`));
+      } else if (after.critical > 0 || after.high > 0) {
+        console.log(chalk.yellow(`  ⚠️  ${after.critical + after.high} critical/high vulnerabilities remain — run 'npm audit' for details`));
+      }
+    }
+  } catch {}
+}
+
+module.exports = { initServer, ensureX402Deps, securityAudit };

package/src/core/runner.js

@@ -69,8 +69,8 @@ class WolverineRunner {
       windowMs: cfg.rateLimiting.windowMs,
       minGapMs: cfg.rateLimiting.minGapMs,
       maxTokensPerHour: cfg.rateLimiting.maxTokensPerHour,
-      maxGlobalHealsPerWindow: parseInt(process.env.WOLVERINE_RATE_MAX_GLOBAL_HEALS, 10) || 5,
-      globalWindowMs: parseInt(process.env.WOLVERINE_RATE_GLOBAL_WINDOW_MS, 10) || 300000,
+      maxGlobalHealsPerWindow: cfg.heal?.globalMaxHeals || 5,
+      globalWindowMs: cfg.heal?.globalWindowMs || 300000,
     });
     this.backupManager = new BackupManager(this.cwd);
     this.logger = new EventLogger(this.cwd);

package/src/core/wolverine.js

@@ -32,7 +32,9 @@ const { getSummary: getServerContextSummary } = require("./server-context");
  * The engine tries fast path first. If that fails verification, it escalates to the agent.
  */
 async function heal(opts) {
-  const HEAL_TIMEOUT_MS = parseInt(process.env.WOLVERINE_HEAL_TIMEOUT_MS, 10) || 300000; // 5 min
+  const { loadConfig } = require("./config");
+  const _cfg = loadConfig();
+  const HEAL_TIMEOUT_MS = _cfg.heal?.healTimeoutMs || 300000;
   try {
     return await Promise.race([
       _healImpl(opts),

package/src/templates/server/config/settings.json

@@ -7,7 +7,7 @@
     "env": "development"
   },
 
-  "_models": "AI models for each task. Provider auto-detected from name (claude-* = Anthropic, gpt-* = OpenAI). Using one model across all roles maximizes prompt cache hits. See wolverine dashboard at localhost:PORT+1/analytics for per-role cost/speed metrics.",
+  "_models": "AI models for each task. Provider auto-detected from name (claude-* = Anthropic, gpt-* = OpenAI). Using one model across all roles maximizes prompt cache hits. Dashboard at localhost:PORT+1/analytics shows per-role cost/speed.",
   "models": {
     "reasoning": "claude-sonnet-4-6",
     "coding": "claude-sonnet-4-6",
@@ -22,20 +22,40 @@
   "_embedding": "Vector embedding model for brain memory. Requires OPENAI_API_KEY.",
   "embedding": "text-embedding-3-small",
 
-  "_server": "port: server listen port | maxRetries: consecutive crashes before giving up | maxMemoryMB: OOM threshold",
+  "_server": "port: listen port (3000) | maxRetries: crashes before giving up | maxMemoryMB: OOM kill threshold",
   "server": {
     "port": 3000,
     "maxRetries": 3,
     "maxMemoryMB": 512
   },
 
+  "_heal": "Controls the self-healing pipeline. healTimeoutMs: max time for entire heal attempt. globalMaxHeals/globalWindowMs: rate limit across ALL errors (prevents runaway costs). loopMaxAttempts/loopWindowMs: same-error loop guard (stops after N failures on the same error).",
+  "heal": {
+    "healTimeoutMs": 300000,
+    "globalMaxHeals": 5,
+    "globalWindowMs": 300000,
+    "loopMaxAttempts": 3,
+    "loopWindowMs": 600000
+  },
+
+  "_agent": "Controls the AI agent. aiCallTimeoutMs: max time per AI API call. maxTurns: agent tool-use iterations per heal. tokenBudget: max tokens per heal attempt (simple/moderate/complex auto-selected).",
+  "agent": {
+    "aiCallTimeoutMs": 90000,
+    "maxTurns": 8,
+    "tokenBudget": {
+      "simple": 20000,
+      "moderate": 50000,
+      "complex": 100000
+    }
+  },
+
   "_telemetry": "Heartbeat reports server health to the dashboard. Disable for fully offline servers.",
   "telemetry": {
     "enabled": true,
     "heartbeatIntervalMs": 60000
   },
 
-  "_rateLimiting": "AI call budget. Prevents runaway costs from heal loops.",
+  "_rateLimiting": "AI call budget per window. Prevents runaway costs from heal loops.",
   "rateLimiting": {
     "maxCallsPerWindow": 32,
     "windowMs": 100000,
@@ -51,13 +71,27 @@
     "startDelayMs": 10000
   },
 
-  "_errorMonitor": "Tracks caught 500 errors per route. defaultThreshold: how many 500s before triggering a heal. cooldownMs: minimum time between heals on the same route.",
+  "_errorMonitor": "Tracks caught 500 errors per route. defaultThreshold: how many 500s trigger a heal. cooldownMs: min time between heals on same route.",
   "errorMonitor": {
     "defaultThreshold": 1,
     "windowMs": 30000,
     "cooldownMs": 60000
   },
 
+  "_adaptiveLimiter": "CPU/memory-based request throttling. thresholdYellow: start shedding 30% of requests. thresholdRed: reject all non-essential. reserveMB: memory reserved for heal tools.",
+  "adaptiveLimiter": {
+    "thresholdYellow": 70,
+    "thresholdRed": 85,
+    "reserveMB": 200
+  },
+
+  "_backup": "Server snapshots. stabilityMs: time before backup is marked STABLE. retentionDays: auto-delete old backups. maxFileSizeMB: skip files larger than this.",
+  "backup": {
+    "stabilityMs": 1800000,
+    "retentionDays": 7,
+    "maxFileSizeMB": 10
+  },
+
   "_autoUpdate": "Auto-updates wolverine framework from git. Only updates src/ and bin/ — never touches server/ code.",
   "autoUpdate": {
     "enabled": false,