NEXO 7.13.3 — unified doctor, protocol, headless, Guardian, and Codex CLI config gates

Published 2026-05-05. Unified release over v7.12.15 — collapses the planned 7.13.0, 7.13.1, 7.13.2, and 7.13.3 work into one shipped Brain line for the coordinated Desktop bundle.

Doctor repairs instead of only warning

nexo doctor --fix and script reconcile can now infer inline metadata for personal scripts that already have managed LaunchAgent records but no valid schedule declaration. Runtime and weekday schedule aliases normalize before validation, and doctor ignores historical core/versions/** snapshots so old runtime copies stop re-triggering current false positives.

Updates clean their version snapshots

After activating a versioned runtime snapshot, nexo update prunes snapshots older than the active version plus the newest two. This keeps packaged Desktop refreshes from accumulating stale runtime trees while preserving rollback depth.

Protocol compliance self-heals common gaps

Stale sessions now close still-open protocol tasks as partial, PreToolUse auto-opens a task when a write/delete lacks one, and PostToolUse records best-effort change-log visibility for write tools. R14 correction detection remains active, and task-close can capture reusable learnings when a correction is explicitly declared.

Headless and Codex stop stalling silently

Deep Sleep extract/synthesize, followup-runner, and related automation use the shared three-hour timeout instead of the older six-hour hang path, while email-monitor declares a bounded 30-minute runtime timeout. Managed Codex config defaults to non-interactive approval/sandbox settings only when the user has not explicitly configured them.

Guardian and Codex CLI config/default checks are release-gated

Guardian filters more G4 false path tokens, downgrades active-session strict write debt when a fresh heartbeat exists, keeps the SSH/Cortex retry path scoped, and avoids false LaunchAgent repair confidence. Codex bootstrap/config, interactive launch flags, headless telemetry, and doctor/self-audit discipline checks are covered by tests and release readiness.

Validation

python3 -m pytest tests/test_client_sync.py::test_sync_codex_uses_codex_cli_when_available tests/test_client_sync.py::test_sync_codex_preserves_explicit_approval_and_sandbox tests/test_deep_sleep_extract.py::test_extract_uses_shared_headless_timeout tests/test_deep_sleep_synthesize.py::test_synthesize_uses_shared_headless_timeout tests/test_headless_timeout_contract.py -q

6 passed

python3 -m pytest tests/test_post_edit_change_log.py tests/test_hook_guardrails.py tests/test_auto_close_sessions_protocol.py tests/test_script_registry.py tests/test_doctor.py tests/test_continuity_runtime.py -q

216 passed, 3 xpassed

Full changelog entry → · src/script_registry.py · src/hook_guardrails.py · src/client_sync.py