@askexenow/exe-os 0.9.100 → 0.9.101
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bin/agentic-ontology-backfill.js +6 -0
- package/dist/bin/agentic-reflection-backfill.js +6 -0
- package/dist/bin/agentic-semantic-label.js +6 -0
- package/dist/bin/backfill-conversations.js +6 -0
- package/dist/bin/backfill-responses.js +6 -0
- package/dist/bin/backfill-vectors.js +6 -0
- package/dist/bin/bulk-sync-postgres.js +6 -0
- package/dist/bin/cleanup-stale-review-tasks.js +6 -0
- package/dist/bin/cli.js +6 -0
- package/dist/bin/exe-agent.js +6 -0
- package/dist/bin/exe-assign.js +6 -0
- package/dist/bin/exe-boot.js +6 -0
- package/dist/bin/exe-call.js +6 -0
- package/dist/bin/exe-cloud.js +6 -0
- package/dist/bin/exe-dispatch.js +6 -0
- package/dist/bin/exe-doctor.js +6 -0
- package/dist/bin/exe-export-behaviors.js +6 -0
- package/dist/bin/exe-forget.js +6 -0
- package/dist/bin/exe-gateway.js +6 -0
- package/dist/bin/exe-heartbeat.js +6 -0
- package/dist/bin/exe-kill.js +6 -0
- package/dist/bin/exe-launch-agent.js +6 -0
- package/dist/bin/exe-new-employee.js +6 -0
- package/dist/bin/exe-pending-messages.js +6 -0
- package/dist/bin/exe-pending-notifications.js +6 -0
- package/dist/bin/exe-pending-reviews.js +6 -0
- package/dist/bin/exe-rename.js +6 -0
- package/dist/bin/exe-review.js +6 -0
- package/dist/bin/exe-search.js +6 -0
- package/dist/bin/exe-session-cleanup.js +6 -0
- package/dist/bin/exe-start-codex.js +6 -0
- package/dist/bin/exe-start-opencode.js +6 -0
- package/dist/bin/exe-status.js +6 -0
- package/dist/bin/exe-team.js +6 -0
- package/dist/bin/git-sweep.js +6 -0
- package/dist/bin/graph-backfill.js +6 -0
- package/dist/bin/graph-export.js +6 -0
- package/dist/bin/intercom-check.js +6 -0
- package/dist/bin/scan-tasks.js +6 -0
- package/dist/bin/setup.js +6 -0
- package/dist/bin/shard-migrate.js +6 -0
- package/dist/gateway/index.js +6 -0
- package/dist/hooks/bug-report-worker.js +6 -0
- package/dist/hooks/codex-stop-task-finalizer.js +6 -0
- package/dist/hooks/commit-complete.js +6 -0
- package/dist/hooks/error-recall.js +6 -0
- package/dist/hooks/ingest.js +6 -0
- package/dist/hooks/instructions-loaded.js +6 -0
- package/dist/hooks/notification.js +6 -0
- package/dist/hooks/post-compact.js +6 -0
- package/dist/hooks/post-tool-combined.js +6 -0
- package/dist/hooks/pre-compact.js +6 -0
- package/dist/hooks/pre-tool-use.js +6 -0
- package/dist/hooks/prompt-submit.js +6 -0
- package/dist/hooks/session-end.js +6 -0
- package/dist/hooks/session-start.js +6 -0
- package/dist/hooks/stop.js +6 -0
- package/dist/hooks/subagent-stop.js +6 -0
- package/dist/hooks/summary-worker.js +6 -0
- package/dist/index.js +6 -0
- package/dist/lib/employee-templates.js +6 -0
- package/dist/lib/exe-daemon.js +6 -0
- package/dist/lib/hybrid-search.js +6 -0
- package/dist/lib/schedules.js +6 -0
- package/dist/lib/store.js +6 -0
- package/dist/mcp/server.js +6 -0
- package/dist/runtime/index.js +6 -0
- package/dist/tui/App.js +6 -0
- package/package.json +1 -1
|
@@ -3523,6 +3523,12 @@ var init_platform_procedures = __esm({
|
|
|
3523
3523
|
priority: "p0",
|
|
3524
3524
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
3525
|
},
|
|
3526
|
+
{
|
|
3527
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3528
|
+
domain: "architecture",
|
|
3529
|
+
priority: "p1",
|
|
3530
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3531
|
+
},
|
|
3526
3532
|
// --- MCP is the ONLY data interface ---
|
|
3527
3533
|
{
|
|
3528
3534
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3523,6 +3523,12 @@ var init_platform_procedures = __esm({
|
|
|
3523
3523
|
priority: "p0",
|
|
3524
3524
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
3525
|
},
|
|
3526
|
+
{
|
|
3527
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3528
|
+
domain: "architecture",
|
|
3529
|
+
priority: "p1",
|
|
3530
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3531
|
+
},
|
|
3526
3532
|
// --- MCP is the ONLY data interface ---
|
|
3527
3533
|
{
|
|
3528
3534
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3523,6 +3523,12 @@ var init_platform_procedures = __esm({
|
|
|
3523
3523
|
priority: "p0",
|
|
3524
3524
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
3525
|
},
|
|
3526
|
+
{
|
|
3527
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3528
|
+
domain: "architecture",
|
|
3529
|
+
priority: "p1",
|
|
3530
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3531
|
+
},
|
|
3526
3532
|
// --- MCP is the ONLY data interface ---
|
|
3527
3533
|
{
|
|
3528
3534
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3663,6 +3663,12 @@ var init_platform_procedures = __esm({
|
|
|
3663
3663
|
priority: "p0",
|
|
3664
3664
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3665
3665
|
},
|
|
3666
|
+
{
|
|
3667
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3668
|
+
domain: "architecture",
|
|
3669
|
+
priority: "p1",
|
|
3670
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3671
|
+
},
|
|
3666
3672
|
// --- MCP is the ONLY data interface ---
|
|
3667
3673
|
{
|
|
3668
3674
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3663,6 +3663,12 @@ var init_platform_procedures = __esm({
|
|
|
3663
3663
|
priority: "p0",
|
|
3664
3664
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3665
3665
|
},
|
|
3666
|
+
{
|
|
3667
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3668
|
+
domain: "architecture",
|
|
3669
|
+
priority: "p1",
|
|
3670
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3671
|
+
},
|
|
3666
3672
|
// --- MCP is the ONLY data interface ---
|
|
3667
3673
|
{
|
|
3668
3674
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3659,6 +3659,12 @@ var init_platform_procedures = __esm({
|
|
|
3659
3659
|
priority: "p0",
|
|
3660
3660
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3661
3661
|
},
|
|
3662
|
+
{
|
|
3663
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3664
|
+
domain: "architecture",
|
|
3665
|
+
priority: "p1",
|
|
3666
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3667
|
+
},
|
|
3662
3668
|
// --- MCP is the ONLY data interface ---
|
|
3663
3669
|
{
|
|
3664
3670
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3831,6 +3831,12 @@ var init_platform_procedures = __esm({
|
|
|
3831
3831
|
priority: "p0",
|
|
3832
3832
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3833
3833
|
},
|
|
3834
|
+
{
|
|
3835
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3836
|
+
domain: "architecture",
|
|
3837
|
+
priority: "p1",
|
|
3838
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3839
|
+
},
|
|
3834
3840
|
// --- MCP is the ONLY data interface ---
|
|
3835
3841
|
{
|
|
3836
3842
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4306,6 +4306,12 @@ var init_platform_procedures = __esm({
|
|
|
4306
4306
|
priority: "p0",
|
|
4307
4307
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4308
4308
|
},
|
|
4309
|
+
{
|
|
4310
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4311
|
+
domain: "architecture",
|
|
4312
|
+
priority: "p1",
|
|
4313
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4314
|
+
},
|
|
4309
4315
|
// --- MCP is the ONLY data interface ---
|
|
4310
4316
|
{
|
|
4311
4317
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/cli.js
CHANGED
|
@@ -9012,6 +9012,12 @@ var init_platform_procedures = __esm({
|
|
|
9012
9012
|
priority: "p0",
|
|
9013
9013
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
9014
9014
|
},
|
|
9015
|
+
{
|
|
9016
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
9017
|
+
domain: "architecture",
|
|
9018
|
+
priority: "p1",
|
|
9019
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
9020
|
+
},
|
|
9015
9021
|
// --- MCP is the ONLY data interface ---
|
|
9016
9022
|
{
|
|
9017
9023
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-agent.js
CHANGED
|
@@ -1500,6 +1500,12 @@ var PLATFORM_PROCEDURES = [
|
|
|
1500
1500
|
priority: "p0",
|
|
1501
1501
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
1502
1502
|
},
|
|
1503
|
+
{
|
|
1504
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
1505
|
+
domain: "architecture",
|
|
1506
|
+
priority: "p1",
|
|
1507
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
1508
|
+
},
|
|
1503
1509
|
// --- MCP is the ONLY data interface ---
|
|
1504
1510
|
{
|
|
1505
1511
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-assign.js
CHANGED
|
@@ -3673,6 +3673,12 @@ var init_platform_procedures = __esm({
|
|
|
3673
3673
|
priority: "p0",
|
|
3674
3674
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3675
3675
|
},
|
|
3676
|
+
{
|
|
3677
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3678
|
+
domain: "architecture",
|
|
3679
|
+
priority: "p1",
|
|
3680
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3681
|
+
},
|
|
3676
3682
|
// --- MCP is the ONLY data interface ---
|
|
3677
3683
|
{
|
|
3678
3684
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-boot.js
CHANGED
|
@@ -3410,6 +3410,12 @@ var init_platform_procedures = __esm({
|
|
|
3410
3410
|
priority: "p0",
|
|
3411
3411
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3412
3412
|
},
|
|
3413
|
+
{
|
|
3414
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3415
|
+
domain: "architecture",
|
|
3416
|
+
priority: "p1",
|
|
3417
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3418
|
+
},
|
|
3413
3419
|
// --- MCP is the ONLY data interface ---
|
|
3414
3420
|
{
|
|
3415
3421
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-call.js
CHANGED
|
@@ -438,6 +438,12 @@ var init_platform_procedures = __esm({
|
|
|
438
438
|
priority: "p0",
|
|
439
439
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
440
440
|
},
|
|
441
|
+
{
|
|
442
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
443
|
+
domain: "architecture",
|
|
444
|
+
priority: "p1",
|
|
445
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
446
|
+
},
|
|
441
447
|
// --- MCP is the ONLY data interface ---
|
|
442
448
|
{
|
|
443
449
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-cloud.js
CHANGED
|
@@ -6821,6 +6821,12 @@ var init_platform_procedures = __esm({
|
|
|
6821
6821
|
priority: "p0",
|
|
6822
6822
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
6823
6823
|
},
|
|
6824
|
+
{
|
|
6825
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
6826
|
+
domain: "architecture",
|
|
6827
|
+
priority: "p1",
|
|
6828
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
6829
|
+
},
|
|
6824
6830
|
// --- MCP is the ONLY data interface ---
|
|
6825
6831
|
{
|
|
6826
6832
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-dispatch.js
CHANGED
|
@@ -8113,6 +8113,12 @@ var init_platform_procedures = __esm({
|
|
|
8113
8113
|
priority: "p0",
|
|
8114
8114
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8115
8115
|
},
|
|
8116
|
+
{
|
|
8117
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
8118
|
+
domain: "architecture",
|
|
8119
|
+
priority: "p1",
|
|
8120
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
8121
|
+
},
|
|
8116
8122
|
// --- MCP is the ONLY data interface ---
|
|
8117
8123
|
{
|
|
8118
8124
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-doctor.js
CHANGED
|
@@ -4634,6 +4634,12 @@ var init_platform_procedures = __esm({
|
|
|
4634
4634
|
priority: "p0",
|
|
4635
4635
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4636
4636
|
},
|
|
4637
|
+
{
|
|
4638
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4639
|
+
domain: "architecture",
|
|
4640
|
+
priority: "p1",
|
|
4641
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4642
|
+
},
|
|
4637
4643
|
// --- MCP is the ONLY data interface ---
|
|
4638
4644
|
{
|
|
4639
4645
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4371,6 +4371,12 @@ var init_platform_procedures = __esm({
|
|
|
4371
4371
|
priority: "p0",
|
|
4372
4372
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4373
4373
|
},
|
|
4374
|
+
{
|
|
4375
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4376
|
+
domain: "architecture",
|
|
4377
|
+
priority: "p1",
|
|
4378
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4379
|
+
},
|
|
4374
4380
|
// --- MCP is the ONLY data interface ---
|
|
4375
4381
|
{
|
|
4376
4382
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-forget.js
CHANGED
|
@@ -4295,6 +4295,12 @@ var init_platform_procedures = __esm({
|
|
|
4295
4295
|
priority: "p0",
|
|
4296
4296
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4297
4297
|
},
|
|
4298
|
+
{
|
|
4299
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4300
|
+
domain: "architecture",
|
|
4301
|
+
priority: "p1",
|
|
4302
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4303
|
+
},
|
|
4298
4304
|
// --- MCP is the ONLY data interface ---
|
|
4299
4305
|
{
|
|
4300
4306
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-gateway.js
CHANGED
|
@@ -4979,6 +4979,12 @@ var init_platform_procedures = __esm({
|
|
|
4979
4979
|
priority: "p0",
|
|
4980
4980
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4981
4981
|
},
|
|
4982
|
+
{
|
|
4983
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4984
|
+
domain: "architecture",
|
|
4985
|
+
priority: "p1",
|
|
4986
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4987
|
+
},
|
|
4982
4988
|
// --- MCP is the ONLY data interface ---
|
|
4983
4989
|
{
|
|
4984
4990
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4334,6 +4334,12 @@ var init_platform_procedures = __esm({
|
|
|
4334
4334
|
priority: "p0",
|
|
4335
4335
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4336
4336
|
},
|
|
4337
|
+
{
|
|
4338
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4339
|
+
domain: "architecture",
|
|
4340
|
+
priority: "p1",
|
|
4341
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4342
|
+
},
|
|
4337
4343
|
// --- MCP is the ONLY data interface ---
|
|
4338
4344
|
{
|
|
4339
4345
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-kill.js
CHANGED
|
@@ -4295,6 +4295,12 @@ var init_platform_procedures = __esm({
|
|
|
4295
4295
|
priority: "p0",
|
|
4296
4296
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4297
4297
|
},
|
|
4298
|
+
{
|
|
4299
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4300
|
+
domain: "architecture",
|
|
4301
|
+
priority: "p1",
|
|
4302
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4303
|
+
},
|
|
4298
4304
|
// --- MCP is the ONLY data interface ---
|
|
4299
4305
|
{
|
|
4300
4306
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4393,6 +4393,12 @@ var init_platform_procedures = __esm({
|
|
|
4393
4393
|
priority: "p0",
|
|
4394
4394
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4395
4395
|
},
|
|
4396
|
+
{
|
|
4397
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4398
|
+
domain: "architecture",
|
|
4399
|
+
priority: "p1",
|
|
4400
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4401
|
+
},
|
|
4396
4402
|
// --- MCP is the ONLY data interface ---
|
|
4397
4403
|
{
|
|
4398
4404
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -2815,6 +2815,12 @@ var PLATFORM_PROCEDURES = [
|
|
|
2815
2815
|
priority: "p0",
|
|
2816
2816
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
2817
2817
|
},
|
|
2818
|
+
{
|
|
2819
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
2820
|
+
domain: "architecture",
|
|
2821
|
+
priority: "p1",
|
|
2822
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
2823
|
+
},
|
|
2818
2824
|
// --- MCP is the ONLY data interface ---
|
|
2819
2825
|
{
|
|
2820
2826
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4774,6 +4774,12 @@ var init_platform_procedures = __esm({
|
|
|
4774
4774
|
priority: "p0",
|
|
4775
4775
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4776
4776
|
},
|
|
4777
|
+
{
|
|
4778
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4779
|
+
domain: "architecture",
|
|
4780
|
+
priority: "p1",
|
|
4781
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4782
|
+
},
|
|
4777
4783
|
// --- MCP is the ONLY data interface ---
|
|
4778
4784
|
{
|
|
4779
4785
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4840,6 +4840,12 @@ var init_platform_procedures = __esm({
|
|
|
4840
4840
|
priority: "p0",
|
|
4841
4841
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4842
4842
|
},
|
|
4843
|
+
{
|
|
4844
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4845
|
+
domain: "architecture",
|
|
4846
|
+
priority: "p1",
|
|
4847
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4848
|
+
},
|
|
4843
4849
|
// --- MCP is the ONLY data interface ---
|
|
4844
4850
|
{
|
|
4845
4851
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4879,6 +4879,12 @@ var init_platform_procedures = __esm({
|
|
|
4879
4879
|
priority: "p0",
|
|
4880
4880
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4881
4881
|
},
|
|
4882
|
+
{
|
|
4883
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4884
|
+
domain: "architecture",
|
|
4885
|
+
priority: "p1",
|
|
4886
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4887
|
+
},
|
|
4882
4888
|
// --- MCP is the ONLY data interface ---
|
|
4883
4889
|
{
|
|
4884
4890
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-rename.js
CHANGED
|
@@ -3178,6 +3178,12 @@ var init_platform_procedures = __esm({
|
|
|
3178
3178
|
priority: "p0",
|
|
3179
3179
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3180
3180
|
},
|
|
3181
|
+
{
|
|
3182
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3183
|
+
domain: "architecture",
|
|
3184
|
+
priority: "p1",
|
|
3185
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3186
|
+
},
|
|
3181
3187
|
// --- MCP is the ONLY data interface ---
|
|
3182
3188
|
{
|
|
3183
3189
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-review.js
CHANGED
|
@@ -4309,6 +4309,12 @@ var init_platform_procedures = __esm({
|
|
|
4309
4309
|
priority: "p0",
|
|
4310
4310
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4311
4311
|
},
|
|
4312
|
+
{
|
|
4313
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4314
|
+
domain: "architecture",
|
|
4315
|
+
priority: "p1",
|
|
4316
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4317
|
+
},
|
|
4312
4318
|
// --- MCP is the ONLY data interface ---
|
|
4313
4319
|
{
|
|
4314
4320
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-search.js
CHANGED
|
@@ -4294,6 +4294,12 @@ var init_platform_procedures = __esm({
|
|
|
4294
4294
|
priority: "p0",
|
|
4295
4295
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4296
4296
|
},
|
|
4297
|
+
{
|
|
4298
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4299
|
+
domain: "architecture",
|
|
4300
|
+
priority: "p1",
|
|
4301
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4302
|
+
},
|
|
4297
4303
|
// --- MCP is the ONLY data interface ---
|
|
4298
4304
|
{
|
|
4299
4305
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4338,6 +4338,12 @@ var init_platform_procedures = __esm({
|
|
|
4338
4338
|
priority: "p0",
|
|
4339
4339
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4340
4340
|
},
|
|
4341
|
+
{
|
|
4342
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4343
|
+
domain: "architecture",
|
|
4344
|
+
priority: "p1",
|
|
4345
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4346
|
+
},
|
|
4341
4347
|
// --- MCP is the ONLY data interface ---
|
|
4342
4348
|
{
|
|
4343
4349
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3610,6 +3610,12 @@ var init_platform_procedures = __esm({
|
|
|
3610
3610
|
priority: "p0",
|
|
3611
3611
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3612
3612
|
},
|
|
3613
|
+
{
|
|
3614
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3615
|
+
domain: "architecture",
|
|
3616
|
+
priority: "p1",
|
|
3617
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3618
|
+
},
|
|
3613
3619
|
// --- MCP is the ONLY data interface ---
|
|
3614
3620
|
{
|
|
3615
3621
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3610,6 +3610,12 @@ var init_platform_procedures = __esm({
|
|
|
3610
3610
|
priority: "p0",
|
|
3611
3611
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3612
3612
|
},
|
|
3613
|
+
{
|
|
3614
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3615
|
+
domain: "architecture",
|
|
3616
|
+
priority: "p1",
|
|
3617
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3618
|
+
},
|
|
3613
3619
|
// --- MCP is the ONLY data interface ---
|
|
3614
3620
|
{
|
|
3615
3621
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-status.js
CHANGED
|
@@ -4317,6 +4317,12 @@ var init_platform_procedures = __esm({
|
|
|
4317
4317
|
priority: "p0",
|
|
4318
4318
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4319
4319
|
},
|
|
4320
|
+
{
|
|
4321
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4322
|
+
domain: "architecture",
|
|
4323
|
+
priority: "p1",
|
|
4324
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4325
|
+
},
|
|
4320
4326
|
// --- MCP is the ONLY data interface ---
|
|
4321
4327
|
{
|
|
4322
4328
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-team.js
CHANGED
|
@@ -4306,6 +4306,12 @@ var init_platform_procedures = __esm({
|
|
|
4306
4306
|
priority: "p0",
|
|
4307
4307
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4308
4308
|
},
|
|
4309
|
+
{
|
|
4310
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4311
|
+
domain: "architecture",
|
|
4312
|
+
priority: "p1",
|
|
4313
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4314
|
+
},
|
|
4309
4315
|
// --- MCP is the ONLY data interface ---
|
|
4310
4316
|
{
|
|
4311
4317
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/git-sweep.js
CHANGED
|
@@ -8063,6 +8063,12 @@ var init_platform_procedures = __esm({
|
|
|
8063
8063
|
priority: "p0",
|
|
8064
8064
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8065
8065
|
},
|
|
8066
|
+
{
|
|
8067
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
8068
|
+
domain: "architecture",
|
|
8069
|
+
priority: "p1",
|
|
8070
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
8071
|
+
},
|
|
8066
8072
|
// --- MCP is the ONLY data interface ---
|
|
8067
8073
|
{
|
|
8068
8074
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3523,6 +3523,12 @@ var init_platform_procedures = __esm({
|
|
|
3523
3523
|
priority: "p0",
|
|
3524
3524
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
3525
|
},
|
|
3526
|
+
{
|
|
3527
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3528
|
+
domain: "architecture",
|
|
3529
|
+
priority: "p1",
|
|
3530
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3531
|
+
},
|
|
3526
3532
|
// --- MCP is the ONLY data interface ---
|
|
3527
3533
|
{
|
|
3528
3534
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|