@askexenow/exe-os 0.9.113 → 0.9.114

package/dist/index.js

@@ -367,6 +367,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -395,6 +396,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -7869,10 +7877,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }
@@ -8004,7 +8010,7 @@ var init_tmux_routing = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync17, statSync as statSync3 } from "fs";
 import { execSync as execSync9 } from "child_process";
 import path20 from "path";
@@ -8039,12 +8045,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os13.userInfo().uid === "number" ? os13.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os13.userInfo().uid === "number" ? os13.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path20.resolve(keyPath).startsWith(path20.resolve(exeOsDir) + path20.sep));
+    if (exeOsDir && path20.resolve(keyPath).startsWith(path20.resolve(exeOsDir) + path20.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -8194,15 +8202,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir4(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile5(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync17(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile5(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile5(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -13555,6 +13573,33 @@ var DANGEROUS_PATTERNS = [
     regex: /\bkill\s+-9\b/,
     severity: "warning",
     reason: "Force kill signal"
+  },
+  // MCP bypass — agents must use MCP tools, never access the DB directly.
+  // These patterns catch attempts to work around a disconnected MCP server.
+  {
+    regex: /\bsqlite3\b.*\bmemories\.db\b/,
+    severity: "critical",
+    reason: "Direct SQLite access bypasses MCP contract boundary \u2014 use MCP tools"
+  },
+  {
+    regex: /\bsqlite3\b.*\.exe-os\b/,
+    severity: "critical",
+    reason: "Direct SQLite access to exe-os database \u2014 use MCP tools"
+  },
+  {
+    regex: /\bnode\s+-e\b.*\b(better-sqlite3|libsql|sqlite3)\b/,
+    severity: "critical",
+    reason: "Inline Node.js script accessing SQLite directly \u2014 use MCP tools"
+  },
+  {
+    regex: /\brequire\s*\(\s*['"].*memories\.db['"]\s*\)/,
+    severity: "critical",
+    reason: "Direct require of memories database \u2014 use MCP tools"
+  },
+  {
+    regex: /\bcat\b.*\bmemories\.db\b/,
+    severity: "warning",
+    reason: "Reading raw database file \u2014 encrypted data, use MCP tools instead"
   }
 ];
 function checkDangerousPatterns(command) {

package/dist/lib/agent-config.js

@@ -175,6 +175,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -223,6 +230,7 @@ export {
   clearAgentRuntime,
   getAgentRuntime,
   loadAgentConfig,
+  normalizeCcModelName,
   saveAgentConfig,
   setAgentMcps,
   setAgentRuntime

package/dist/lib/cloud-sync.js

@@ -3289,7 +3289,7 @@ __export(keychain_exports, {
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync9, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path8 from "path";
@@ -3324,12 +3324,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os6.userInfo().uid === "number" ? os6.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os6.userInfo().uid === "number" ? os6.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path8.resolve(keyPath).startsWith(path8.resolve(exeOsDir) + path8.sep));
+    if (exeOsDir && path8.resolve(keyPath).startsWith(path8.resolve(exeOsDir) + path8.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3479,15 +3481,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync9(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -4156,6 +4168,15 @@ async function fetchWithRetry(url, init) {
   }
   throw lastError;
 }
+function migrateEndpoint(endpoint) {
+  if (endpoint === "https://askexe.com/cloud" || endpoint === "https://askexe.com/cloud/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from askexe.com/cloud to cloud.askexe.com (bypasses Cloudflare WAF for datacenter IPs)\n"
+    );
+    return "https://cloud.askexe.com";
+  }
+  return endpoint;
+}
 function assertSecureEndpoint(endpoint) {
   if (endpoint.startsWith("https://")) return;
   if (endpoint.startsWith("http://")) {
@@ -4294,6 +4315,7 @@ async function markCloudReuploadRequired(client = getClient()) {
   await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
 }
 async function cloudSync(config) {
+  config = { ...config, endpoint: migrateEndpoint(config.endpoint) };
   if (!isSyncCryptoInitialized()) {
     try {
       const { getMasterKey: getMasterKey2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));
@@ -5404,6 +5426,7 @@ export {
   markCloudReuploadRequired,
   mergeConfig,
   mergeRosterFromRemote,
+  migrateEndpoint,
   pushToPostgres,
   recordRosterDeletion
 };

package/dist/lib/consolidation.js

@@ -183,6 +183,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -211,6 +212,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -581,7 +589,7 @@ init_memory();
 init_database();
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync6, statSync as statSync2 } from "fs";
 import { execSync as execSync2 } from "child_process";
 import path5 from "path";

package/dist/lib/employees.js

@@ -169,6 +169,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -197,6 +198,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {

package/dist/lib/exe-daemon.js

@@ -567,6 +567,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -595,6 +596,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -5510,7 +5518,7 @@ __export(keychain_exports, {
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync12, statSync as statSync5 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path11 from "path";
@@ -5545,12 +5553,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os6.userInfo().uid === "number" ? os6.userInfo().uid : -1;
     const st = statSync5(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os6.userInfo().uid === "number" ? os6.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path11.resolve(keyPath).startsWith(path11.resolve(exeOsDir) + path11.sep));
+    if (exeOsDir && path11.resolve(keyPath).startsWith(path11.resolve(exeOsDir) + path11.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -5700,15 +5710,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result3 = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync12(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result3;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -13968,10 +13988,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }
@@ -22316,6 +22334,7 @@ __export(daemon_orchestration_exports, {
   REVIEW_NUDGE_COOLDOWN_MS: () => REVIEW_NUDGE_COOLDOWN_MS,
   SESSION_CONTEXT_THRESHOLD_PCT: () => SESSION_CONTEXT_THRESHOLD_PCT,
   SESSION_TTL_HOURS: () => SESSION_TTL_HOURS,
+  STUCK_TASK_GRACE_MS: () => STUCK_TASK_GRACE_MS,
   _resetAutoWakeState: () => _resetAutoWakeState,
   checkSessionTTL: () => checkSessionTTL,
   classifyTtlKillReason: () => classifyTtlKillReason,
@@ -22325,12 +22344,14 @@ __export(daemon_orchestration_exports, {
   createOrphanReaperRealDeps: () => createOrphanReaperRealDeps,
   createReviewNudgeRealDeps: () => createReviewNudgeRealDeps,
   createSessionTTLRealDeps: () => createSessionTTLRealDeps,
+  createStuckTaskRealDeps: () => createStuckTaskRealDeps,
   loadNudgeState: () => loadNudgeState,
   pollIdleEmployees: () => pollIdleEmployees,
   pollIdleKill: () => pollIdleKill,
   pollOrphanedTasks: () => pollOrphanedTasks,
   pollReviewNudge: () => pollReviewNudge,
   reapOrphanedMcpProcesses: () => reapOrphanedMcpProcesses,
+  releaseStuckTasks: () => releaseStuckTasks,
   saveNudgeState: () => saveNudgeState,
   shouldAutoWake: () => shouldAutoWake,
   shouldKillIdleSession: () => shouldKillIdleSession,
@@ -22818,6 +22839,86 @@ async function pollOrphanedTasks(deps, nowMs = Date.now()) {
   }
   return woken;
 }
+async function releaseStuckTasks(deps, nowMs = Date.now()) {
+  let liveSessions;
+  try {
+    liveSessions = deps.listTmuxSessions();
+  } catch {
+    return [];
+  }
+  const liveAgents = /* @__PURE__ */ new Set();
+  for (const session of liveSessions) {
+    const agent = deps.parseAgentFromSession(session);
+    if (agent) liveAgents.add(agent);
+  }
+  for (const session of liveSessions) {
+    if (isExeSession(session)) liveAgents.add(session);
+  }
+  let tasks;
+  try {
+    tasks = await deps.queryInProgressTasks();
+  } catch {
+    return [];
+  }
+  const released = [];
+  for (const t of tasks) {
+    if (liveAgents.has(t.agentId)) continue;
+    const updatedMs = new Date(t.updatedAt).getTime();
+    if (isNaN(updatedMs) || nowMs - updatedMs < STUCK_TASK_GRACE_MS) continue;
+    const ageMinutes = Math.round((nowMs - updatedMs) / 6e4);
+    const reason = `[auto-release] Agent "${t.agentId}" session is dead and task has been in_progress for ${ageMinutes}m with no update. Marked blocked for triage.`;
+    try {
+      await deps.markTaskBlocked(t.taskId, reason);
+      released.push(t.taskId);
+      process.stderr.write(
+        `[stuck-release] Task ${t.taskId} (${t.agentId}) \u2014 in_progress for ${ageMinutes}m, agent dead \u2192 blocked
+`
+      );
+    } catch (err) {
+      process.stderr.write(
+        `[stuck-release] Failed to release ${t.taskId}: ${err instanceof Error ? err.message : String(err)}
+`
+      );
+    }
+  }
+  return released;
+}
+function createStuckTaskRealDeps(getClient2) {
+  return {
+    listTmuxSessions: () => {
+      const { listTmuxSessions: listTmuxSessions2 } = (init_tmux_status(), __toCommonJS(tmux_status_exports));
+      return listTmuxSessions2();
+    },
+    queryInProgressTasks: async () => {
+      const client = getClient2();
+      const result3 = await client.execute({
+        sql: `SELECT id, assigned_to, session_scope, updated_at FROM tasks
+              WHERE status = 'in_progress'
+              ORDER BY updated_at ASC`,
+        args: []
+      });
+      return result3.rows.map((r) => ({
+        taskId: String(r.id),
+        agentId: String(r.assigned_to),
+        sessionScope: r.session_scope ? String(r.session_scope) : null,
+        updatedAt: String(r.updated_at)
+      }));
+    },
+    markTaskBlocked: async (taskId, reason) => {
+      const client = getClient2();
+      await client.execute({
+        sql: `UPDATE tasks SET status = 'blocked', result = ?, updated_at = ? WHERE id = ?`,
+        args: [reason, (/* @__PURE__ */ new Date()).toISOString(), taskId]
+      });
+    },
+    parseAgentFromSession: (sessionName) => {
+      const { baseAgentName: baseAgentName2 } = (init_employees(), __toCommonJS(employees_exports));
+      if (!sessionName.includes("-")) return null;
+      const agentPart = sessionName.split("-")[0];
+      return baseAgentName2(agentPart);
+    }
+  };
+}
 function createAutoWakeRealDeps(getClient2, projectDir) {
   return {
     listTmuxSessions: () => {
@@ -22910,7 +23011,7 @@ function createOrphanReaperRealDeps() {
     selfPid: process.pid
   };
 }
-var IDLE_NUDGE_DEDUP_MS, SESSION_TTL_HOURS, SESSION_CONTEXT_THRESHOLD_PCT, IDLE_KILL_INTERCOM_ACK_WINDOW_MS, REVIEW_NUDGE_COOLDOWN_MS, NUDGE_STATE_PATH, AUTO_WAKE_COOLDOWN_MS, AUTO_WAKE_MAX_RETRIES, _autoWakeLastSpawn, _autoWakeTaskRetries, ORPHAN_SIGKILL_DELAY_MS, ORPHAN_PATTERNS;
+var IDLE_NUDGE_DEDUP_MS, SESSION_TTL_HOURS, SESSION_CONTEXT_THRESHOLD_PCT, IDLE_KILL_INTERCOM_ACK_WINDOW_MS, REVIEW_NUDGE_COOLDOWN_MS, NUDGE_STATE_PATH, AUTO_WAKE_COOLDOWN_MS, AUTO_WAKE_MAX_RETRIES, _autoWakeLastSpawn, _autoWakeTaskRetries, STUCK_TASK_GRACE_MS, ORPHAN_SIGKILL_DELAY_MS, ORPHAN_PATTERNS;
 var init_daemon_orchestration = __esm({
   "src/lib/daemon-orchestration.ts"() {
     "use strict";
@@ -22927,6 +23028,7 @@ var init_daemon_orchestration = __esm({
     AUTO_WAKE_MAX_RETRIES = 3;
     _autoWakeLastSpawn = /* @__PURE__ */ new Map();
     _autoWakeTaskRetries = /* @__PURE__ */ new Map();
+    STUCK_TASK_GRACE_MS = 30 * 60 * 1e3;
     ORPHAN_SIGKILL_DELAY_MS = 5e3;
     ORPHAN_PATTERNS = [
       "exe-os/dist/mcp/server.js",
@@ -25089,6 +25191,7 @@ __export(cloud_sync_exports, {
   markCloudReuploadRequired: () => markCloudReuploadRequired,
   mergeConfig: () => mergeConfig,
   mergeRosterFromRemote: () => mergeRosterFromRemote,
+  migrateEndpoint: () => migrateEndpoint,
   pushToPostgres: () => pushToPostgres,
   recordRosterDeletion: () => recordRosterDeletion
 });
@@ -25259,6 +25362,15 @@ async function fetchWithRetry(url, init) {
   }
   throw lastError;
 }
+function migrateEndpoint(endpoint2) {
+  if (endpoint2 === "https://askexe.com/cloud" || endpoint2 === "https://askexe.com/cloud/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from askexe.com/cloud to cloud.askexe.com (bypasses Cloudflare WAF for datacenter IPs)\n"
+    );
+    return "https://cloud.askexe.com";
+  }
+  return endpoint2;
+}
 function assertSecureEndpoint(endpoint2) {
   if (endpoint2.startsWith("https://")) return;
   if (endpoint2.startsWith("http://")) {
@@ -25396,6 +25508,7 @@ async function markCloudReuploadRequired(client = getClient()) {
   await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
 }
 async function cloudSync(config2) {
+  config2 = { ...config2, endpoint: migrateEndpoint(config2.endpoint) };
   if (!isSyncCryptoInitialized()) {
     try {
       const { getMasterKey: getMasterKey2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));
@@ -37163,7 +37276,25 @@ async function startMcpHttpServer() {
       }
       const agentId = req.headers["x-agent-id"] || "default";
       const agentRole = req.headers["x-agent-role"] || "employee";
-      const sessionHint = req.headers["x-exe-session"] || "";
+      let sessionHint = req.headers["x-exe-session"] || "";
+      if (sessionHint.includes("$(") || sessionHint.includes("#{") || sessionHint.includes("tmux")) {
+        sessionHint = "";
+      }
+      if (!sessionHint) {
+        try {
+          const { getTransport: getTransport2 } = (init_transport(), __toCommonJS(transport_exports));
+          const transport2 = getTransport2();
+          const liveSessions = transport2.listSessions();
+          const agentSessions = liveSessions.filter((s) => s.startsWith(agentId + "-"));
+          if (agentSessions.length === 1) {
+            sessionHint = agentSessions[0];
+          } else {
+            const roots = liveSessions.filter((s) => !s.includes("-") && /^[a-z]+\d*$/.test(s));
+            if (roots.length === 1) sessionHint = roots[0];
+          }
+        } catch {
+        }
+      }
       const runtime = inferMcpRuntime({
         runtimeHeader: req.headers["x-agent-runtime"] || req.headers["x-runtime"],
         userAgent: req.headers["user-agent"],
@@ -37871,6 +38002,31 @@ function startAutoWake() {
   process.stderr.write(`[exed] Auto-wake started (every ${AUTO_WAKE_INTERVAL_MS / 1e3}s)
 `);
 }
+var STUCK_TASK_CHECK_INTERVAL_MS = 5 * 60 * 1e3;
+function startStuckTaskRelease() {
+  const tick = async () => {
+    fired("stuck_task_release");
+    if (!await ensureStoreForPolling()) return;
+    try {
+      const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+      const { releaseStuckTasks: releaseStuckTasks2, createStuckTaskRealDeps: createStuckTaskRealDeps2 } = await Promise.resolve().then(() => (init_daemon_orchestration(), daemon_orchestration_exports));
+      const deps = createStuckTaskRealDeps2(getClient2);
+      const released = await releaseStuckTasks2(deps);
+      if (released.length > 0) {
+        acted("stuck_task_release");
+        process.stderr.write(`[exed] Stuck-release: ${released.length} task(s) moved to blocked
+`);
+      }
+    } catch (err) {
+      process.stderr.write(`[exed] Stuck-release error: ${err instanceof Error ? err.message : String(err)}
+`);
+    }
+  };
+  const timer = setInterval(() => void tick(), STUCK_TASK_CHECK_INTERVAL_MS);
+  timer.unref();
+  process.stderr.write(`[exed] Stuck-task release started (every ${STUCK_TASK_CHECK_INTERVAL_MS / 1e3}s)
+`);
+}
 var TOTAL_MEM_GB = os24.totalmem() / 1024 ** 3;
 var RSS_WARN_BYTES = Number(process.env.EXE_RSS_WARN_MB) * 1024 * 1024 || (TOTAL_MEM_GB >= 64 ? 6 * 1024 ** 3 : TOTAL_MEM_GB >= 32 ? 4 * 1024 ** 3 : TOTAL_MEM_GB >= 16 ? 2.5 * 1024 ** 3 : 1.5 * 1024 ** 3);
 var RSS_RESTART_BYTES = Number(process.env.EXE_RSS_RESTART_MB) * 1024 * 1024 || (TOTAL_MEM_GB >= 64 ? 8 * 1024 ** 3 : TOTAL_MEM_GB >= 32 ? 6 * 1024 ** 3 : TOTAL_MEM_GB >= 16 ? 4 * 1024 ** 3 : 3 * 1024 ** 3);
@@ -38211,6 +38367,7 @@ try {
   startOrphanReaper();
   startAgentStats();
   startAutoWake();
+  startStuckTaskRelease();
   startGraphExtraction();
   startMemoryQueueDrain();
   startIntercomQueueDrain();

package/dist/lib/hybrid-search.js

@@ -3314,7 +3314,7 @@ var init_database = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync7, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path6 from "path";
@@ -3349,12 +3349,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    if (exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3504,15 +3506,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync7(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();