@askexenow/exe-os 0.9.110 → 0.9.112

package/dist/gateway/index.js

@@ -2681,6 +2681,13 @@ async function ensureSchema() {
   } catch (e) {
     logCatchDebug("migration", e);
   }
+  for (const col of ["created_by_agent TEXT", "created_by_device TEXT", "source_session_id TEXT"]) {
+    try {
+      await client.execute({ sql: `ALTER TABLE behaviors ADD COLUMN ${col}`, args: [] });
+    } catch (e) {
+      logCatchDebug("migration", e);
+    }
+  }
   try {
     await client.execute({
       sql: `ALTER TABLE tasks ADD COLUMN blocked_by TEXT`,
@@ -5222,7 +5229,7 @@ var init_platform_procedures = __esm({
         title: "MCP tool dispatch \u2014 all tools use action parameter",
         domain: "tool-use",
         priority: "p0",
-        content: 'exe-os MCP tools come in two surfaces depending on EXE_MCP_TOOL_SURFACE config. Consolidated (19 tools): action-based dispatch \u2014 memory(action="recall"), task(action="create"), etc. Legacy (108 tools): one tool per operation \u2014 recall_my_memory, create_task, etc. Both surfaces have identical functionality. Use whichever tool names are available in your session. If you see domain tools (memory, task, config, etc.), use the action parameter. If you see specific tools (recall_my_memory, create_task, etc.), call them directly.'
+        content: 'exe-os MCP tools use consolidated action-based dispatch by default (19 tools). Call domain tools with an action parameter: memory(action="recall"), task(action="create"), config(action="list_employees"), etc. Legacy mode (108 separate tools like recall_my_memory, create_task) is still available via EXE_MCP_TOOL_SURFACE=legacy but will be removed in a future version. If you see specific tool names, call them directly \u2014 both surfaces are identical. Consolidated is the default and recommended surface.'
       },
       {
         title: "MCP tools \u2014 memory, decision, and search",
@@ -8048,6 +8055,23 @@ var init_intercom_queue = __esm({
 });
 
 // src/lib/license.ts
+var license_exports = {};
+__export(license_exports, {
+  LICENSE_PUBLIC_KEY_PEM: () => LICENSE_PUBLIC_KEY_PEM,
+  PLAN_LIMITS: () => PLAN_LIMITS,
+  assertVpsLicense: () => assertVpsLicense,
+  checkLicense: () => checkLicense,
+  getCachedLicense: () => getCachedLicense,
+  isFeatureAllowed: () => isFeatureAllowed,
+  loadDeviceId: () => loadDeviceId,
+  loadLicense: () => loadLicense,
+  mirrorLicenseKey: () => mirrorLicenseKey,
+  readCachedLicenseToken: () => readCachedLicenseToken,
+  saveLicense: () => saveLicense,
+  startLicenseRevalidation: () => startLicenseRevalidation,
+  stopLicenseRevalidation: () => stopLicenseRevalidation,
+  validateLicense: () => validateLicense
+});
 import { readFileSync as readFileSync9, writeFileSync as writeFileSync6, existsSync as existsSync12, mkdirSync as mkdirSync7 } from "fs";
 import { randomUUID as randomUUID11 } from "crypto";
 import { createRequire as createRequire2 } from "module";
@@ -8055,7 +8079,411 @@ import { pathToFileURL as pathToFileURL2 } from "url";
 import os9 from "os";
 import path12 from "path";
 import { jwtVerify, importSPKI } from "jose";
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, PLAN_LIMITS;
+async function fetchRetry(url, init) {
+  try {
+    return await fetch(url, init);
+  } catch {
+    await new Promise((r) => setTimeout(r, RETRY_DELAY_MS));
+    return fetch(url, { ...init, signal: AbortSignal.timeout(1e4) });
+  }
+}
+function loadDeviceId() {
+  const deviceJsonPath = path12.join(EXE_AI_DIR, "device.json");
+  try {
+    if (existsSync12(deviceJsonPath)) {
+      const data = JSON.parse(readFileSync9(deviceJsonPath, "utf8"));
+      if (data.deviceId) return data.deviceId;
+    }
+  } catch {
+  }
+  try {
+    if (existsSync12(DEVICE_ID_PATH)) {
+      const id2 = readFileSync9(DEVICE_ID_PATH, "utf8").trim();
+      if (id2) return id2;
+    }
+  } catch {
+  }
+  const id = randomUUID11();
+  mkdirSync7(EXE_AI_DIR, { recursive: true });
+  writeFileSync6(DEVICE_ID_PATH, id, "utf8");
+  return id;
+}
+function loadLicense() {
+  try {
+    if (!existsSync12(LICENSE_PATH)) return null;
+    return readFileSync9(LICENSE_PATH, "utf8").trim();
+  } catch {
+    return null;
+  }
+}
+function saveLicense(apiKey) {
+  mkdirSync7(EXE_AI_DIR, { recursive: true });
+  writeFileSync6(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
+}
+async function verifyLicenseJwt(token) {
+  try {
+    const key = await importSPKI(LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG);
+    const { payload } = await jwtVerify(token, key, {
+      algorithms: [LICENSE_JWT_ALG]
+    });
+    const plan = payload.plan ?? "free";
+    const email = payload.sub ?? "";
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan,
+      email,
+      expiresAt: payload.exp ? new Date(payload.exp * 1e3).toISOString() : null,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function getCachedLicense() {
+  try {
+    if (!existsSync12(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync9(CACHE_PATH, "utf8"));
+    if (!raw.token || typeof raw.token !== "string") return null;
+    return await verifyLicenseJwt(raw.token);
+  } catch {
+    return null;
+  }
+}
+function readCachedLicenseToken() {
+  try {
+    if (!existsSync12(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync9(CACHE_PATH, "utf8"));
+    return typeof raw.token === "string" ? raw.token : null;
+  } catch {
+    return null;
+  }
+}
+function getRawCachedPlan() {
+  try {
+    const token = readCachedLicenseToken();
+    if (!token) return null;
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+    const plan = payload.plan ?? "free";
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    process.stderr.write(
+      `[license] WARN: using unverified cached plan (API unreachable, JWT expired). Plan: ${plan}
+`
+    );
+    return {
+      valid: true,
+      plan,
+      email: payload.sub ?? "",
+      expiresAt: payload.exp ? new Date(payload.exp * 1e3).toISOString() : null,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+function cacheResponse(token) {
+  try {
+    writeFileSync6(CACHE_PATH, JSON.stringify({ token }), "utf8");
+  } catch {
+  }
+}
+function loadPrismaForLicense() {
+  if (_prismaFailed) return null;
+  const dbUrl = process.env.DATABASE_URL;
+  if (!dbUrl) {
+    const exeDbRoot = process.env.EXE_DB_ROOT ?? path12.join(os9.homedir(), "exe-db");
+    if (!existsSync12(path12.join(exeDbRoot, "package.json"))) {
+      _prismaFailed = true;
+      return null;
+    }
+  }
+  if (!_prismaPromise) {
+    _prismaPromise = (async () => {
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const mod2 = await import(pathToFileURL2(explicitPath).href);
+        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
+        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor2();
+      }
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path12.join(os9.homedir(), "exe-db");
+      const req = createRequire2(path12.join(exeDbRoot, "package.json"));
+      const entry = req.resolve("@prisma/client");
+      const mod = await import(pathToFileURL2(entry).href);
+      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+      if (!Ctor) throw new Error(`No PrismaClient in ${entry}`);
+      return new Ctor();
+    })().catch((err) => {
+      _prismaFailed = true;
+      _prismaPromise = null;
+      throw err;
+    });
+  }
+  return _prismaPromise;
+}
+async function validateViaPostgres(apiKey) {
+  const loader = loadPrismaForLicense();
+  if (!loader) return null;
+  try {
+    const prisma = await loader;
+    const rows = await prisma.$queryRawUnsafe(
+      `SELECT plan, email, status, device_limit, employee_limit, memory_limit, expires_at
+       FROM billing.licenses WHERE key = $1 LIMIT 1`,
+      apiKey
+    );
+    if (!rows || rows.length === 0) return null;
+    const row = rows[0];
+    if (row.status !== "active") return null;
+    if (row.expires_at && new Date(row.expires_at) < /* @__PURE__ */ new Date()) return null;
+    const plan = row.plan;
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan,
+      email: row.email,
+      expiresAt: row.expires_at ? new Date(row.expires_at).toISOString() : null,
+      deviceLimit: row.device_limit ?? limits.devices,
+      employeeLimit: row.employee_limit ?? limits.employees,
+      memoryLimit: row.memory_limit ?? limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateViaCFWorker(apiKey, deviceId) {
+  try {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ apiKey, deviceId }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!res.ok) return null;
+    const data = await res.json();
+    if (data.error === "device_limit_exceeded") return null;
+    if (!data.valid) return null;
+    if (data.token) {
+      cacheResponse(data.token);
+      const verified = await verifyLicenseJwt(data.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: data.valid,
+      plan: data.plan,
+      email: data.email,
+      expiresAt: data.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateLicense(apiKey, deviceId) {
+  const did = deviceId ?? loadDeviceId();
+  const pgResult = await validateViaPostgres(apiKey);
+  if (pgResult) {
+    try {
+      writeFileSync6(CACHE_PATH, JSON.stringify({ pgLicense: pgResult, ts: Date.now() }), "utf8");
+    } catch {
+    }
+    return pgResult;
+  }
+  const cfResult = await validateViaCFWorker(apiKey, did);
+  if (cfResult) return cfResult;
+  const cached = await getCachedLicense();
+  if (cached) return cached;
+  try {
+    if (existsSync12(CACHE_PATH)) {
+      const raw = JSON.parse(readFileSync9(CACHE_PATH, "utf8"));
+      if (raw.pgLicense && raw.ts && Date.now() - raw.ts < 7 * 24 * 60 * 60 * 1e3) {
+        return raw.pgLicense;
+      }
+    }
+  } catch {
+  }
+  const rawFallback = getRawCachedPlan();
+  if (rawFallback) return rawFallback;
+  return { ...FREE_LICENSE, valid: false };
+}
+function getCacheAgeMs() {
+  try {
+    const { statSync: statSync5 } = __require("fs");
+    const s = statSync5(CACHE_PATH);
+    return Date.now() - s.mtimeMs;
+  } catch {
+    return Infinity;
+  }
+}
+async function checkLicense() {
+  let key = loadLicense();
+  if (!key) {
+    try {
+      const configPath = path12.join(EXE_AI_DIR, "config.json");
+      if (existsSync12(configPath)) {
+        const raw = JSON.parse(readFileSync9(configPath, "utf8"));
+        const cloud = raw.cloud;
+        if (cloud?.apiKey) {
+          key = cloud.apiKey;
+          saveLicense(key);
+        }
+      }
+    } catch {
+    }
+  }
+  if (!key) return FREE_LICENSE;
+  const cached = await getCachedLicense();
+  if (cached && getCacheAgeMs() < CACHE_MAX_AGE_MS) return cached;
+  const deviceId = loadDeviceId();
+  return validateLicense(key, deviceId);
+}
+function isFeatureAllowed(license, feature) {
+  switch (feature) {
+    case "cloud_sync":
+    case "external_agents":
+    case "wiki":
+      return license.plan !== "free";
+    case "unlimited_employees":
+      return license.plan === "team" || license.plan === "agency" || license.plan === "enterprise";
+  }
+}
+function mirrorLicenseKey(apiKey) {
+  const trimmed = apiKey.trim();
+  if (!trimmed) return;
+  saveLicense(trimmed);
+}
+async function assertVpsLicense(opts) {
+  const env = opts?.env ?? process.env;
+  const inProduction = env.NODE_ENV === "production";
+  if (!opts?.force && !inProduction) {
+    return { ...FREE_LICENSE, plan: "free" };
+  }
+  const envKey = env.EXE_LICENSE_KEY?.trim();
+  if (envKey) {
+    saveLicense(envKey);
+  }
+  const apiKey = envKey ?? loadLicense();
+  if (!apiKey) {
+    throw new Error(
+      "License required: set EXE_LICENSE_KEY env var with your exe_sk_* key. Purchase at https://askexe.com. This VPS image refuses to boot without a valid license."
+    );
+  }
+  const deviceId = loadDeviceId();
+  let backendResponse = null;
+  let explicitRejection = false;
+  let transientFailure = false;
+  try {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ apiKey, deviceId }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (res.ok) {
+      backendResponse = await res.json();
+      if (!backendResponse.valid) explicitRejection = true;
+    } else if (res.status === 401 || res.status === 403) {
+      explicitRejection = true;
+    } else {
+      transientFailure = true;
+    }
+  } catch {
+    transientFailure = true;
+  }
+  if (backendResponse?.valid) {
+    if (backendResponse.token) {
+      cacheResponse(backendResponse.token);
+      const verified = await verifyLicenseJwt(backendResponse.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[backendResponse.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan: backendResponse.plan,
+      email: backendResponse.email,
+      expiresAt: backendResponse.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  }
+  if (explicitRejection) {
+    throw new Error(
+      `License invalid or expired. Renew at https://askexe.com, then restart. Backend rejected key ending in ...${apiKey.slice(-4)}.`
+    );
+  }
+  if (!transientFailure) {
+    throw new Error(
+      "License validation failed: unknown backend state. Restore network connectivity to https://askexe.com/cloud and retry."
+    );
+  }
+  const fresh = await getCachedLicense();
+  if (fresh && fresh.valid) return fresh;
+  const graceDays = opts?.offlineGraceDays ?? 7;
+  const graceMs = graceDays * 24 * 60 * 60 * 1e3;
+  try {
+    const token = readCachedLicenseToken();
+    if (token) {
+      const payloadB64 = token.split(".")[1];
+      if (payloadB64) {
+        const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+        const expMs = (payload.exp ?? 0) * 1e3;
+        if (Date.now() < expMs + graceMs) {
+          const key = await importSPKI(LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG);
+          const { payload: verified } = await jwtVerify(token, key, {
+            algorithms: [LICENSE_JWT_ALG],
+            clockTolerance: graceDays * 24 * 60 * 60
+          });
+          const plan = verified.plan ?? "free";
+          const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+          return {
+            valid: true,
+            plan,
+            email: verified.sub ?? "",
+            expiresAt: verified.exp ? new Date(verified.exp * 1e3).toISOString() : null,
+            deviceLimit: limits.devices,
+            employeeLimit: limits.employees,
+            memoryLimit: limits.memories
+          };
+        }
+      }
+    }
+  } catch {
+  }
+  throw new Error(
+    `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://askexe.com/cloud and retry. This VPS image refuses to boot after the offline grace window.`
+  );
+}
+function startLicenseRevalidation(intervalMs = 36e5) {
+  if (_revalTimer) return;
+  _revalTimer = setInterval(async () => {
+    try {
+      const license = await checkLicense();
+      if (!license.valid) {
+        process.stderr.write("[exe-os] License expired or invalid \u2014 features may be restricted\n");
+      }
+    } catch {
+    }
+  }, intervalMs);
+  if (_revalTimer && typeof _revalTimer === "object" && "unref" in _revalTimer) {
+    _revalTimer.unref();
+  }
+}
+function stopLicenseRevalidation() {
+  if (_revalTimer) {
+    clearInterval(_revalTimer);
+    _revalTimer = null;
+  }
+}
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, _prismaPromise, _prismaFailed, CACHE_MAX_AGE_MS, _revalTimer;
 var init_license = __esm({
   "src/lib/license.ts"() {
     "use strict";
@@ -8064,6 +8492,12 @@ var init_license = __esm({
     CACHE_PATH = path12.join(EXE_AI_DIR, "license-cache.json");
     DEVICE_ID_PATH = path12.join(EXE_AI_DIR, "device-id");
     API_BASE = process.env.EXE_CLOUD_ENDPOINT ?? "https://askexe.com/cloud";
+    RETRY_DELAY_MS = 500;
+    LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
+4uj+UqeKCcvtgNHKmOK278HJaJcANe9xAeji8AFYu27q3WtzCi04pHudow==
+-----END PUBLIC KEY-----`;
+    LICENSE_JWT_ALG = "ES256";
     PLAN_LIMITS = {
       free: { devices: 1, employees: 1, memories: 5e3 },
       pro: { devices: 3, employees: 5, memories: 1e5 },
@@ -8071,6 +8505,19 @@ var init_license = __esm({
       agency: { devices: 50, employees: 100, memories: 1e7 },
       enterprise: { devices: -1, employees: -1, memories: -1 }
     };
+    FREE_LICENSE = {
+      valid: true,
+      plan: "free",
+      email: "",
+      expiresAt: null,
+      deviceLimit: 1,
+      employeeLimit: 1,
+      memoryLimit: 5e3
+    };
+    _prismaPromise = null;
+    _prismaFailed = false;
+    CACHE_MAX_AGE_MS = 36e5;
+    _revalTimer = null;
   }
 });
 
@@ -9549,10 +9996,18 @@ async function storeBehavior(opts) {
     vector = new Float32Array(vec);
   } catch {
   }
+  let createdByDevice = null;
+  try {
+    const { loadDeviceId: loadDeviceId2 } = await Promise.resolve().then(() => (init_license(), license_exports));
+    createdByDevice = loadDeviceId2() ?? null;
+  } catch {
+  }
+  const createdByAgent = process.env.AGENT_ID ?? null;
+  const sourceSessionId = process.env.CLAUDE_SESSION_ID ?? process.env.SESSION_ID ?? null;
   await client.execute({
-    sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, priority, content, active, created_at, updated_at, vector)
-          VALUES (?, ?, ?, ?, ?, ?, 1, ?, ?, ?)`,
-    args: [id, opts.agentId, opts.projectName ?? null, opts.domain ?? null, opts.priority ?? "p1", opts.content, now, now, vector ? vector.buffer : null]
+    sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, priority, content, active, created_at, updated_at, vector, created_by_agent, created_by_device, source_session_id)
+          VALUES (?, ?, ?, ?, ?, ?, 1, ?, ?, ?, ?, ?, ?)`,
+    args: [id, opts.agentId, opts.projectName ?? null, opts.domain ?? null, opts.priority ?? "p1", opts.content, now, now, vector ? vector.buffer : null, createdByAgent, createdByDevice, sourceSessionId]
   });
   return id;
 }