@askexenow/exe-os 0.9.113 → 0.9.114

package/dist/bin/exe-launch-agent.js

@@ -3414,7 +3414,7 @@ var init_database = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync7, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path6 from "path";
@@ -3449,12 +3449,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    if (exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3604,15 +3606,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync7(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -5941,6 +5953,20 @@ var init_runtime_table = __esm({
 });
 
 // src/lib/agent-config.ts
+var agent_config_exports = {};
+__export(agent_config_exports, {
+  AGENT_CONFIG_PATH: () => AGENT_CONFIG_PATH,
+  DEFAULT_MODELS: () => DEFAULT_MODELS,
+  KNOWN_RUNTIMES: () => KNOWN_RUNTIMES,
+  RUNTIME_LABELS: () => RUNTIME_LABELS,
+  clearAgentRuntime: () => clearAgentRuntime,
+  getAgentRuntime: () => getAgentRuntime,
+  loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
+  saveAgentConfig: () => saveAgentConfig,
+  setAgentMcps: () => setAgentMcps,
+  setAgentRuntime: () => setAgentRuntime
+});
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, existsSync as existsSync10 } from "fs";
 import path9 from "path";
 function loadAgentConfig() {
@@ -5951,6 +5977,12 @@ function loadAgentConfig() {
     return {};
   }
 }
+function saveAgentConfig(config) {
+  const dir = path9.dirname(AGENT_CONFIG_PATH);
+  ensurePrivateDirSync(dir);
+  writeFileSync4(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  enforcePrivateFileSync(AGENT_CONFIG_PATH);
+}
 function getAgentRuntime(agentId) {
   const config = loadAgentConfig();
   const entry = config[agentId];
@@ -5959,7 +5991,54 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
-var AGENT_CONFIG_PATH, DEFAULT_MODELS;
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
+function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
+  const knownModels = KNOWN_RUNTIMES[runtime];
+  if (!knownModels) {
+    return {
+      ok: false,
+      error: `Unknown runtime "${runtime}". Valid: ${Object.keys(KNOWN_RUNTIMES).join(", ")}`
+    };
+  }
+  if (!knownModels.includes(model)) {
+    return {
+      ok: false,
+      error: `Unknown model "${model}" for runtime "${runtime}". Valid: ${knownModels.join(", ")}`
+    };
+  }
+  const config = loadAgentConfig();
+  const existing = config[agentId];
+  const entry = { runtime, model };
+  if (reasoning_effort) entry.reasoning_effort = reasoning_effort;
+  if (mcps !== void 0) {
+    entry.mcps = mcps.includes("exe-os") ? mcps : ["exe-os", ...mcps];
+  } else if (existing?.mcps) {
+    entry.mcps = existing.mcps;
+  }
+  config[agentId] = entry;
+  saveAgentConfig(config);
+  return { ok: true };
+}
+function setAgentMcps(agentId, mcps) {
+  const config = loadAgentConfig();
+  const existing = config[agentId] ?? getAgentRuntime(agentId);
+  existing.mcps = mcps.includes("exe-os") ? mcps : ["exe-os", ...mcps];
+  config[agentId] = existing;
+  saveAgentConfig(config);
+  return { ok: true };
+}
+function clearAgentRuntime(agentId) {
+  const config = loadAgentConfig();
+  delete config[agentId];
+  saveAgentConfig(config);
+}
+var AGENT_CONFIG_PATH, KNOWN_RUNTIMES, RUNTIME_LABELS, DEFAULT_MODELS;
 var init_agent_config = __esm({
   "src/lib/agent-config.ts"() {
     "use strict";
@@ -5967,6 +6046,16 @@ var init_agent_config = __esm({
     init_runtime_table();
     init_secure_files();
     AGENT_CONFIG_PATH = path9.join(EXE_AI_DIR, "agent-config.json");
+    KNOWN_RUNTIMES = {
+      claude: ["claude-opus-4.6", "claude-opus-4", "claude-sonnet-4.6", "claude-sonnet-4", "claude-haiku-4.5"],
+      codex: ["gpt-5.4", "gpt-5.5", "gpt-5.3-codex-spark", "o3", "o4-mini"],
+      opencode: ["anthropic/claude-sonnet-4-6", "openai/gpt-5.4", "google/gemini-2.5-pro", "deepseek/deepseek-r3", "minimax/minimax-m2.5"]
+    };
+    RUNTIME_LABELS = {
+      claude: "Claude Code (Anthropic)",
+      codex: "Codex (OpenAI)",
+      opencode: "OpenCode (open source)"
+    };
     DEFAULT_MODELS = {
       claude: "claude-opus-4.6",
       codex: RUNTIME_TABLE.codex?.defaultModel ?? "gpt-5.4",
@@ -7028,11 +7117,8 @@ async function main() {
   if (provider === DEFAULT_PROVIDER) {
     const rtConfig = getAgentRuntime(memoryAgent);
     if (rtConfig.runtime === "claude" && rtConfig.model) {
-      let ccModel = rtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
-      process.env.ANTHROPIC_MODEL = ccModel;
+      const { normalizeCcModelName: normalizeCcModelName2 } = await Promise.resolve().then(() => (init_agent_config(), agent_config_exports));
+      process.env.ANTHROPIC_MODEL = normalizeCcModelName2(rtConfig.model);
     }
   }
   const child = spawnSync(plan.command, plan.args, { stdio: "inherit" });

package/dist/bin/exe-new-employee.js

@@ -187,6 +187,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -215,6 +216,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -1458,7 +1466,7 @@ function readOrCreateDaemonToken(homeDir = os7.homedir()) {
 function buildMcpHttpHeaders(homeDir = os7.homedir(), opts = {}) {
   const agentId = opts.useShellPlaceholders ? "${AGENT_ID:-exe}" : opts.agentId ?? DEFAULT_MCP_HTTP_AGENT_ID;
   const agentRole = opts.useShellPlaceholders ? "${AGENT_ROLE:-COO}" : opts.agentRole ?? DEFAULT_MCP_HTTP_AGENT_ROLE;
-  const sessionName = opts.useShellPlaceholders ? "$(tmux display-message -p '#{session_name}' 2>/dev/null || echo '')" : process.env.EXE_SESSION_NAME ?? "";
+  const sessionName = opts.useShellPlaceholders ? "" : process.env.EXE_SESSION_NAME ?? "";
   const headers = {
     Authorization: `Bearer ${readOrCreateDaemonToken(homeDir)}`,
     "X-Agent-Id": agentId,

package/dist/bin/exe-pending-messages.js

@@ -3814,7 +3814,7 @@ var init_task_scope = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync13, statSync as statSync3 } from "fs";
 import { execSync as execSync5 } from "child_process";
 import path13 from "path";
@@ -3849,12 +3849,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os10.userInfo().uid === "number" ? os10.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os10.userInfo().uid === "number" ? os10.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path13.resolve(keyPath).startsWith(path13.resolve(exeOsDir) + path13.sep));
+    if (exeOsDir && path13.resolve(keyPath).startsWith(path13.resolve(exeOsDir) + path13.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -4004,15 +4006,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync13(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();

package/dist/bin/exe-pending-notifications.js

@@ -3880,7 +3880,7 @@ var init_notifications = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync14, statSync as statSync3 } from "fs";
 import { execSync as execSync5 } from "child_process";
 import path14 from "path";
@@ -3915,12 +3915,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os11.userInfo().uid === "number" ? os11.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os11.userInfo().uid === "number" ? os11.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path14.resolve(keyPath).startsWith(path14.resolve(exeOsDir) + path14.sep));
+    if (exeOsDir && path14.resolve(keyPath).startsWith(path14.resolve(exeOsDir) + path14.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -4070,15 +4072,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync14(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();

package/dist/bin/exe-pending-reviews.js

@@ -3974,7 +3974,7 @@ var init_tasks_review = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync15, statSync as statSync3 } from "fs";
 import { execSync as execSync5 } from "child_process";
 import path15 from "path";
@@ -4009,12 +4009,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os11.userInfo().uid === "number" ? os11.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os11.userInfo().uid === "number" ? os11.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path15.resolve(keyPath).startsWith(path15.resolve(exeOsDir) + path15.sep));
+    if (exeOsDir && path15.resolve(keyPath).startsWith(path15.resolve(exeOsDir) + path15.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -4164,15 +4166,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync15(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();

package/dist/bin/exe-rename.js

@@ -3546,7 +3546,7 @@ ${p.content}`).join("\n\n");
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync7, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path6 from "path";
@@ -3581,12 +3581,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    if (exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3736,15 +3738,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync7(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();

package/dist/bin/exe-review.js

@@ -3330,7 +3330,7 @@ var init_database = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync7, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path6 from "path";
@@ -3365,12 +3365,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    if (exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3520,15 +3522,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync7(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();

package/dist/bin/exe-search.js

@@ -3315,7 +3315,7 @@ var init_database = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync7, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path6 from "path";
@@ -3350,12 +3350,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    if (exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3505,15 +3507,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync7(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();