@askexenow/exe-os 0.9.113 → 0.9.114

package/dist/bin/intercom-check.js

@@ -423,6 +423,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -451,6 +452,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -3742,7 +3750,7 @@ var init_database = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync8, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path7 from "path";
@@ -3777,12 +3785,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep));
+    if (exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3932,15 +3942,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync8(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -9946,10 +9966,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }

package/dist/bin/scan-tasks.js

@@ -672,6 +672,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -700,6 +701,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -7794,10 +7802,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }
@@ -7962,7 +7968,7 @@ var init_task_scope = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync17, statSync as statSync3 } from "fs";
 import { execSync as execSync8 } from "child_process";
 import path19 from "path";
@@ -7997,12 +8003,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os12.userInfo().uid === "number" ? os12.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os12.userInfo().uid === "number" ? os12.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path19.resolve(keyPath).startsWith(path19.resolve(exeOsDir) + path19.sep));
+    if (exeOsDir && path19.resolve(keyPath).startsWith(path19.resolve(exeOsDir) + path19.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -8152,15 +8160,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir4(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile5(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile5(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync17(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile5(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();

package/dist/bin/setup.js

@@ -330,7 +330,7 @@ __export(keychain_exports, {
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
-import { readFile as readFile2, writeFile as writeFile2, unlink, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile2, writeFile as writeFile2, unlink, mkdir as mkdir2, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync3, statSync } from "fs";
 import { execSync } from "child_process";
 import path2 from "path";
@@ -365,12 +365,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os2.userInfo().uid === "number" ? os2.userInfo().uid : -1;
     const st = statSync(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os2.userInfo().uid === "number" ? os2.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path2.resolve(keyPath).startsWith(path2.resolve(exeOsDir) + path2.sep));
+    if (exeOsDir && path2.resolve(keyPath).startsWith(path2.resolve(exeOsDir) + path2.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -520,15 +522,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir2(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile2(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync3(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile2(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile2(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -1963,6 +1975,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -1991,6 +2004,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -5151,6 +5171,7 @@ __export(cloud_sync_exports, {
   markCloudReuploadRequired: () => markCloudReuploadRequired,
   mergeConfig: () => mergeConfig,
   mergeRosterFromRemote: () => mergeRosterFromRemote,
+  migrateEndpoint: () => migrateEndpoint,
   pushToPostgres: () => pushToPostgres,
   recordRosterDeletion: () => recordRosterDeletion
 });
@@ -5321,6 +5342,15 @@ async function fetchWithRetry(url, init) {
   }
   throw lastError;
 }
+function migrateEndpoint(endpoint) {
+  if (endpoint === "https://askexe.com/cloud" || endpoint === "https://askexe.com/cloud/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from askexe.com/cloud to cloud.askexe.com (bypasses Cloudflare WAF for datacenter IPs)\n"
+    );
+    return "https://cloud.askexe.com";
+  }
+  return endpoint;
+}
 function assertSecureEndpoint(endpoint) {
   if (endpoint.startsWith("https://")) return;
   if (endpoint.startsWith("http://")) {
@@ -5458,6 +5488,7 @@ async function markCloudReuploadRequired(client = getClient()) {
   await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
 }
 async function cloudSync(config) {
+  config = { ...config, endpoint: migrateEndpoint(config.endpoint) };
   if (!isSyncCryptoInitialized()) {
     try {
       const { getMasterKey: getMasterKey2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));
@@ -8796,6 +8827,24 @@ async function runSetupWizard(opts = {}) {
     log("");
     log("=== exe-os Setup ===");
     log("");
+    if (process.platform === "darwin") {
+      const currentShell = process.env.SHELL ?? "";
+      if (currentShell.includes("bash")) {
+        log("  \u26A0 Your default shell is bash.");
+        log("  macOS uses zsh by default since Catalina (2019).");
+        log("  exe-os works with bash, but switching to zsh is recommended:");
+        log("    chsh -s /bin/zsh");
+        log("  Then restart your terminal.");
+        log("");
+        const cont = await ask(rl, "  Continue with bash? (y/n, default: y): ");
+        if (cont.toLowerCase() === "n") {
+          log("  Run `chsh -s /bin/zsh`, restart your terminal, then run setup again.");
+          rl.close();
+          return;
+        }
+        log("");
+      }
+    }
     log("What are you setting up?");
     log("");
     log("  [1] First device / brand new Exe OS memory");

package/dist/bin/shard-migrate.js

@@ -4385,7 +4385,7 @@ init_memory();
 init_database();
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync7, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path6 from "path";
@@ -4424,12 +4424,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    if (exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -4580,15 +4582,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync7(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();

package/dist/gateway/index.js

@@ -733,6 +733,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -761,6 +762,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -4054,7 +4062,7 @@ var init_embedder = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync8, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path7 from "path";
@@ -4089,12 +4097,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep));
+    if (exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -4244,15 +4254,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync8(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -11636,10 +11656,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }

package/dist/hooks/bug-report-worker.js

@@ -422,6 +422,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -450,6 +451,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -3741,7 +3749,7 @@ var init_database = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync8, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path7 from "path";
@@ -3776,12 +3784,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep));
+    if (exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3931,15 +3941,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync8(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -8632,10 +8652,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }

package/dist/hooks/codex-stop-task-finalizer.js

@@ -367,6 +367,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -395,6 +396,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -3741,7 +3749,7 @@ var init_database = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync8, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path7 from "path";
@@ -3776,12 +3784,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep));
+    if (exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3931,15 +3941,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync8(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();