NEXO 7.9.33 — Hotfix Bandit B324 in checkpoint hash

Published 2026-04-26. Patch release over v7.9.32.

Brief patch over v7.9.32. Bandit's B324 audit flagged a SHA-1 call introduced in 7.9.32 (_email_checkpoint_path in src/scripts/nexo-email-monitor.py) as a high-severity finding because SHA-1 is broken for cryptographic use. The hash here is purely a filename disambiguator — Message-IDs contain <, >, @ and other characters that mix badly with macOS filesystems, so the helper hashes them down to 16 hex characters before opening the file.

v7.9.33 adds usedforsecurity=False to the call so Bandit accepts the non-security usage and the publish workflow stops failing on it. The v7.9.32 git tag is preserved on the repo for traceability but no npm artifact ever shipped for it; nexo-brain@7.9.33 is the first npm release that carries the 7.9.32 email-recovery checkpoints (7-day lookback + per-email JSON checkpoints capturing files touched and last assistant narration so a retried email continues from where the previous attempt died).
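As an added illustration (not the project's own code; the helper names and the checkpoint directory are assumptions), the shape of a filename-disambiguating hash with the usedforsecurity=False marker, next to a check showing why the raw Message-ID could not be used as the filename directly:

```python
import hashlib
import re
from pathlib import Path

# Assumed checkpoint location for this example; not the project's real path.
CHECKPOINT_DIR = Path("checkpoints")

# Characters that are unsafe or awkward in file names on macOS (and elsewhere).
_UNSAFE = re.compile(r'[<>@/\\:"|?*\x00-\x1f\s]')


def is_filename_safe(name: str) -> bool:
    """True if the name contains none of the characters the filesystem objects to."""
    return bool(name) and _UNSAFE.search(name) is None


def checkpoint_stem(message_id: str) -> str:
    """Map an RFC 5322 Message-ID to a 16-hex-char, filesystem-safe stem.

    The hash is a disambiguator only: nothing depends on collision or
    preimage resistance, so the call is marked usedforsecurity=False
    (available since Python 3.9), which is what clears Bandit B324.
    The same line without that keyword is reported as high severity.
    """
    digest = hashlib.sha1(message_id.encode("utf-8"), usedforsecurity=False)
    return digest.hexdigest()[:16]


def email_checkpoint_path(message_id: str, base_dir: Path = CHECKPOINT_DIR) -> Path:
    """Deterministic checkpoint file for one email, so a retried email
    finds the JSON the previous attempt wrote."""
    return base_dir / f"{checkpoint_stem(message_id)}.json"


if __name__ == "__main__":
    # Constructed sample Message-ID in the shape real mail headers use.
    mid = "<20260426.1234@mail.example.test>"
    print(is_filename_safe(mid), email_checkpoint_path(mid))
```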

Verification

Bandit clean (python3 -m bandit -r src/ --severity-level high --confidence-level high). 92 tests green across email_monitor_checkpoints, call_model_raw, call_model_raw_overrides, call_model_raw_overrides_e2e, agent_runner_override_env, fase4_lint_baseline, and security_baseline.
