@askexenow/exe-os 0.9.113 → 0.9.114

package/dist/bin/cli.js

@@ -368,6 +368,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -396,6 +397,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -896,7 +904,7 @@ function readOrCreateDaemonToken(homeDir = os5.homedir()) {
 function buildMcpHttpHeaders(homeDir = os5.homedir(), opts = {}) {
   const agentId = opts.useShellPlaceholders ? "${AGENT_ID:-exe}" : opts.agentId ?? DEFAULT_MCP_HTTP_AGENT_ID;
   const agentRole = opts.useShellPlaceholders ? "${AGENT_ROLE:-COO}" : opts.agentRole ?? DEFAULT_MCP_HTTP_AGENT_ROLE;
-  const sessionName = opts.useShellPlaceholders ? "$(tmux display-message -p '#{session_name}' 2>/dev/null || echo '')" : process.env.EXE_SESSION_NAME ?? "";
+  const sessionName = opts.useShellPlaceholders ? "" : process.env.EXE_SESSION_NAME ?? "";
   const headers = {
     Authorization: `Bearer ${readOrCreateDaemonToken(homeDir)}`,
     "X-Agent-Id": agentId,
@@ -2555,7 +2563,7 @@ __export(keychain_exports, {
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
-import { readFile as readFile4, writeFile as writeFile4, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile4, writeFile as writeFile4, unlink, mkdir as mkdir4, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync10, statSync } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path9 from "path";
@@ -2590,12 +2598,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os8.userInfo().uid === "number" ? os8.userInfo().uid : -1;
     const st = statSync(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os8.userInfo().uid === "number" ? os8.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path9.resolve(keyPath).startsWith(path9.resolve(exeOsDir) + path9.sep));
+    if (exeOsDir && path9.resolve(keyPath).startsWith(path9.resolve(exeOsDir) + path9.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -2745,15 +2755,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir4(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile4(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync10(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile4(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile4(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -6999,6 +7019,7 @@ __export(cloud_sync_exports, {
   markCloudReuploadRequired: () => markCloudReuploadRequired,
   mergeConfig: () => mergeConfig,
   mergeRosterFromRemote: () => mergeRosterFromRemote,
+  migrateEndpoint: () => migrateEndpoint,
   pushToPostgres: () => pushToPostgres,
   recordRosterDeletion: () => recordRosterDeletion
 });
@@ -7169,6 +7190,15 @@ async function fetchWithRetry(url, init) {
   }
   throw lastError;
 }
+function migrateEndpoint(endpoint) {
+  if (endpoint === "https://askexe.com/cloud" || endpoint === "https://askexe.com/cloud/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from askexe.com/cloud to cloud.askexe.com (bypasses Cloudflare WAF for datacenter IPs)\n"
+    );
+    return "https://cloud.askexe.com";
+  }
+  return endpoint;
+}
 function assertSecureEndpoint(endpoint) {
   if (endpoint.startsWith("https://")) return;
   if (endpoint.startsWith("http://")) {
@@ -7306,6 +7336,7 @@ async function markCloudReuploadRequired(client = getClient()) {
   await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
 }
 async function cloudSync(config) {
+  config = { ...config, endpoint: migrateEndpoint(config.endpoint) };
   if (!isSyncCryptoInitialized()) {
     try {
       const { getMasterKey: getMasterKey2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));
@@ -17135,10 +17166,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }
@@ -20483,6 +20512,24 @@ async function runSetupWizard(opts = {}) {
     log("");
     log("=== exe-os Setup ===");
     log("");
+    if (process.platform === "darwin") {
+      const currentShell = process.env.SHELL ?? "";
+      if (currentShell.includes("bash")) {
+        log("  \u26A0 Your default shell is bash.");
+        log("  macOS uses zsh by default since Catalina (2019).");
+        log("  exe-os works with bash, but switching to zsh is recommended:");
+        log("    chsh -s /bin/zsh");
+        log("  Then restart your terminal.");
+        log("");
+        const cont = await ask3(rl, "  Continue with bash? (y/n, default: y): ");
+        if (cont.toLowerCase() === "n") {
+          log("  Run `chsh -s /bin/zsh`, restart your terminal, then run setup again.");
+          rl.close();
+          return;
+        }
+        log("");
+      }
+    }
     log("What are you setting up?");
     log("");
     log("  [1] First device / brand new Exe OS memory");
@@ -21155,7 +21202,7 @@ var init_setup_wizard = __esm({
 });
 
 // src/lib/update-backup.ts
-import { copyFile, readFile as readFile6, readdir as readdir3, writeFile as writeFile7, rm as rm2, mkdir as mkdir7, cp } from "fs/promises";
+import { copyFile as copyFile2, readFile as readFile6, readdir as readdir3, writeFile as writeFile7, rm as rm2, mkdir as mkdir7, cp } from "fs/promises";
 import { existsSync as existsSync36 } from "fs";
 import path42 from "path";
 import os20 from "os";
@@ -21191,7 +21238,7 @@ async function createUpdateBackup(currentVersion, dataDir2, homeDir = os20.homed
     if (!existsSync36(src)) continue;
     const dest = path42.join(backupDir, target.name);
     if (target.type === "file") {
-      await copyFile(src, dest);
+      await copyFile2(src, dest);
     } else {
       await cp(src, dest, { recursive: true });
     }
@@ -21202,7 +21249,7 @@ async function createUpdateBackup(currentVersion, dataDir2, homeDir = os20.homed
     if (entry.isFile() && entry.name.endsWith(".db") && entry.name !== BACKUP_DIR_NAME) {
       const src = path42.join(dir, entry.name);
       const dest = path42.join(backupDir, entry.name);
-      await copyFile(src, dest);
+      await copyFile2(src, dest);
       backedUpFiles.push(entry.name);
     }
   }
@@ -21211,7 +21258,7 @@ async function createUpdateBackup(currentVersion, dataDir2, homeDir = os20.homed
   for (const target of externalBackupTargets(homeDir)) {
     if (!existsSync36(target.path)) continue;
     await mkdir7(externalDir, { recursive: true });
-    await copyFile(target.path, path42.join(externalDir, target.name));
+    await copyFile2(target.path, path42.join(externalDir, target.name));
     externalFiles.push(target);
   }
   const manifest = {
@@ -21246,14 +21293,14 @@ async function restoreFromBackup(dataDir2) {
     if (stat2.isDirectory()) {
       await cp(src, dest, { recursive: true, force: true });
     } else {
-      await copyFile(src, dest);
+      await copyFile2(src, dest);
     }
   }
   for (const external of manifest.externalFiles ?? []) {
     const src = path42.join(backupDir, "external", external.name);
     if (!existsSync36(src)) continue;
     await mkdir7(path42.dirname(external.path), { recursive: true });
-    await copyFile(src, external.path);
+    await copyFile2(src, external.path);
   }
   return manifest;
 }
@@ -32121,6 +32168,33 @@ var init_dangerous_patterns = __esm({
         regex: /\bkill\s+-9\b/,
         severity: "warning",
         reason: "Force kill signal"
+      },
+      // MCP bypass — agents must use MCP tools, never access the DB directly.
+      // These patterns catch attempts to work around a disconnected MCP server.
+      {
+        regex: /\bsqlite3\b.*\bmemories\.db\b/,
+        severity: "critical",
+        reason: "Direct SQLite access bypasses MCP contract boundary \u2014 use MCP tools"
+      },
+      {
+        regex: /\bsqlite3\b.*\.exe-os\b/,
+        severity: "critical",
+        reason: "Direct SQLite access to exe-os database \u2014 use MCP tools"
+      },
+      {
+        regex: /\bnode\s+-e\b.*\b(better-sqlite3|libsql|sqlite3)\b/,
+        severity: "critical",
+        reason: "Inline Node.js script accessing SQLite directly \u2014 use MCP tools"
+      },
+      {
+        regex: /\brequire\s*\(\s*['"].*memories\.db['"]\s*\)/,
+        severity: "critical",
+        reason: "Direct require of memories database \u2014 use MCP tools"
+      },
+      {
+        regex: /\bcat\b.*\bmemories\.db\b/,
+        severity: "warning",
+        reason: "Reading raw database file \u2014 encrypted data, use MCP tools instead"
       }
     ];
   }

package/dist/bin/exe-agent.js

@@ -1861,6 +1861,33 @@ var DANGEROUS_PATTERNS = [
     regex: /\bkill\s+-9\b/,
     severity: "warning",
     reason: "Force kill signal"
+  },
+  // MCP bypass — agents must use MCP tools, never access the DB directly.
+  // These patterns catch attempts to work around a disconnected MCP server.
+  {
+    regex: /\bsqlite3\b.*\bmemories\.db\b/,
+    severity: "critical",
+    reason: "Direct SQLite access bypasses MCP contract boundary \u2014 use MCP tools"
+  },
+  {
+    regex: /\bsqlite3\b.*\.exe-os\b/,
+    severity: "critical",
+    reason: "Direct SQLite access to exe-os database \u2014 use MCP tools"
+  },
+  {
+    regex: /\bnode\s+-e\b.*\b(better-sqlite3|libsql|sqlite3)\b/,
+    severity: "critical",
+    reason: "Inline Node.js script accessing SQLite directly \u2014 use MCP tools"
+  },
+  {
+    regex: /\brequire\s*\(\s*['"].*memories\.db['"]\s*\)/,
+    severity: "critical",
+    reason: "Direct require of memories database \u2014 use MCP tools"
+  },
+  {
+    regex: /\bcat\b.*\bmemories\.db\b/,
+    severity: "warning",
+    reason: "Reading raw database file \u2014 encrypted data, use MCP tools instead"
   }
 ];
 function checkDangerousPatterns(command) {

package/dist/bin/exe-assign.js

@@ -4681,7 +4681,7 @@ init_memory();
 init_database();
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync7, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path6 from "path";
@@ -4720,12 +4720,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    if (exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -4876,15 +4878,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync7(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();

package/dist/bin/exe-boot.js

@@ -368,6 +368,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -396,6 +397,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -4060,7 +4068,7 @@ __export(keychain_exports, {
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync8, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path7 from "path";
@@ -4095,12 +4103,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep));
+    if (exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -4250,15 +4260,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync8(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -9401,10 +9421,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }
@@ -10151,6 +10169,7 @@ __export(cloud_sync_exports, {
   markCloudReuploadRequired: () => markCloudReuploadRequired,
   mergeConfig: () => mergeConfig,
   mergeRosterFromRemote: () => mergeRosterFromRemote,
+  migrateEndpoint: () => migrateEndpoint,
   pushToPostgres: () => pushToPostgres,
   recordRosterDeletion: () => recordRosterDeletion
 });
@@ -10321,6 +10340,15 @@ async function fetchWithRetry(url, init) {
   }
   throw lastError;
 }
+function migrateEndpoint(endpoint) {
+  if (endpoint === "https://askexe.com/cloud" || endpoint === "https://askexe.com/cloud/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from askexe.com/cloud to cloud.askexe.com (bypasses Cloudflare WAF for datacenter IPs)\n"
+    );
+    return "https://cloud.askexe.com";
+  }
+  return endpoint;
+}
 function assertSecureEndpoint(endpoint) {
   if (endpoint.startsWith("https://")) return;
   if (endpoint.startsWith("http://")) {
@@ -10458,6 +10486,7 @@ async function markCloudReuploadRequired(client = getClient()) {
   await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
 }
 async function cloudSync(config) {
+  config = { ...config, endpoint: migrateEndpoint(config.endpoint) };
   if (!isSyncCryptoInitialized()) {
     try {
       const { getMasterKey: getMasterKey2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));

package/dist/bin/exe-call.js

@@ -1263,6 +1263,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -1291,6 +1292,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {

package/dist/bin/exe-cloud.js

@@ -25,7 +25,7 @@ __export(keychain_exports, {
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
-import { readFile, writeFile, unlink, mkdir, chmod } from "fs/promises";
+import { readFile, writeFile, unlink, mkdir, chmod, rename, copyFile } from "fs/promises";
 import { existsSync, statSync } from "fs";
 import { execSync } from "child_process";
 import path from "path";
@@ -60,12 +60,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os.userInfo().uid === "number" ? os.userInfo().uid : -1;
     const st = statSync(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os.userInfo().uid === "number" ? os.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path.resolve(keyPath).startsWith(path.resolve(exeOsDir) + path.sep));
+    if (exeOsDir && path.resolve(keyPath).startsWith(path.resolve(exeOsDir) + path.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -215,15 +217,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile(keyPath, encrypted + "\n", "utf-8");
-    await chmod(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile(tmpPath, content, "utf-8");
+    await chmod(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile(keyPath, b64 + "\n", "utf-8");
-  await chmod(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -4761,6 +4773,7 @@ __export(cloud_sync_exports, {
   markCloudReuploadRequired: () => markCloudReuploadRequired,
   mergeConfig: () => mergeConfig,
   mergeRosterFromRemote: () => mergeRosterFromRemote,
+  migrateEndpoint: () => migrateEndpoint,
   pushToPostgres: () => pushToPostgres,
   recordRosterDeletion: () => recordRosterDeletion
 });
@@ -4931,6 +4944,15 @@ async function fetchWithRetry(url, init) {
   }
   throw lastError;
 }
+function migrateEndpoint(endpoint) {
+  if (endpoint === "https://askexe.com/cloud" || endpoint === "https://askexe.com/cloud/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from askexe.com/cloud to cloud.askexe.com (bypasses Cloudflare WAF for datacenter IPs)\n"
+    );
+    return "https://cloud.askexe.com";
+  }
+  return endpoint;
+}
 function assertSecureEndpoint(endpoint) {
   if (endpoint.startsWith("https://")) return;
   if (endpoint.startsWith("http://")) {
@@ -5068,6 +5090,7 @@ async function markCloudReuploadRequired(client = getClient()) {
   await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
 }
 async function cloudSync(config) {
+  config = { ...config, endpoint: migrateEndpoint(config.endpoint) };
   if (!isSyncCryptoInitialized()) {
     try {
       const { getMasterKey: getMasterKey2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));