@askexenow/exe-os 0.9.142 → 0.9.143

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askexenow/exe-os",
-  "version": "0.9.142",
+  "version": "0.9.143",
   "description": "AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",

package/release-notes.json

@@ -1,6 +1,109 @@
 {
-  "current": "0.9.142",
+  "current": "0.9.143",
   "notes": {
+    "0.9.143": {
+      "version": "0.9.143",
+      "date": "2026-05-26",
+      "features": [
+        "close_task auto-merges PR + pulls main + builds + prunes + respawns",
+        "auto-respawn Tom after close_task if more tasks queued",
+        "message WAL fallback — messages survive daemon downtime",
+        "entity type hierarchy — subtypes with rollup queries (PG-2)",
+        "temporal validity windows for graph queries (PG-3)",
+        "backup restore CLI + restoreBackup function",
+        "ESLint setup + dependency hygiene + any type reduction",
+        "config(action=\"hire\") MCP tool — COO can hire employees directly",
+        "GM (General Manager) role template + hiring guidance",
+        "merge gate warning in close_task — catches unmerged PRs",
+        "behavior hygiene — platform procedure + COO identity + company procedure",
+        "MCP auto-reconnect to daemon — survives deploy restarts transparently",
+        "event-driven notifications — stop polling managers, let task state drive everything",
+        "MCP disconnect tracker + daemon observability",
+        "MCP lifecycle logging to file — FULL transparency on every disconnect",
+        "automatic P0 bug fixing — daemon auto-dispatch + GitHub Actions fallback",
+        "enforce worktrees for engineer sessions — prevent direct main commits",
+        "multi-device coordination — routing, handoff, device status",
+        "hook tamper protection — SHA-256 manifest + verification before spawn",
+        "governed collaborative memory — visibility tags + write governance",
+        "cache-sharing protocol — pub/sub memory bus for inter-agent sharing",
+        "multi-modal memory — media attachments on memories",
+        "comprehensive \"last 20%\" integration tests + audit_trail read path",
+        "wire memory poisoning defense into writeMemory() pipeline",
+        "memory poisoning defense — trust levels, anomaly detection, quarantine"
+      ],
+      "fixes": [
+        "prune old worktree on close_task before respawning fresh",
+        "exe-launch-agent resolves multi-instance names — tom2/tom3 no longer rejected",
+        "worktree isolation for all runtimes + token budget enforcement + atomic memory versioning",
+        "cross-device sync dedup — cooldown key prevents duplicate pushes",
+        "merge gate checks branch name not git author — was silently passing",
+        "resume_employee uses autoInstance — spawns tom2/tom3 for parallel",
+        "security hardening — fail-closed behavior auth gates",
+        "send_message intercom uses force:true — bypass 5-min debounce",
+        "global session cap 10→50 — match MCP session cap",
+        "/exe-call ALWAYS fires + tmux send-keys blocked for ALL agents",
+        "SIGTERM graceful shutdown — remove process.exit(0) from initMetrics",
+        "stale task escalation — surface alive-but-stalled agents to COO",
+        "cloud sync upsert + entity type hierarchy + temporal validity + file_copy security",
+        "daemon memory leak + duplicate watchdog + HTTP body limit + WAL flush",
+        "heap pressure alarm was false positive — compared heapUsed/heapTotal instead of heapUsed/heapLimit",
+        "strengthen scoped SQL audit — cover UPDATE/INSERT, expand exemptions",
+        "hard block tmux send-keys for non-coordinator agents",
+        "MCP disconnect procedure — explicitly block tmux send-keys workaround",
+        "file_copy MCP tool — path boundary enforcement + symlink traversal block",
+        "cloud sync task pull uses ON CONFLICT upsert with updated_at guard",
+        "multi-instance Tom dispatch — create_task fans out to tom2, tom3",
+        "atomic writes for agent-config.json, roster (orchestration + rename)",
+        "atomic JSON writes + config.json corruption recovery",
+        "boot poll timeout no longer fails dispatch — session exists, task pending",
+        "master key clobber guard + COO naming in user-facing strings"
+      ],
+      "security": [
+        "fix shell injection, SSRF, socket leaks, backup validation",
+        "bump v0.9.139 — 2 CRITICAL security fixes, 14 bug fixes, 6 features, customer config preservation",
+        "fix 2 CRITICAL + 1 HIGH from post-fix audit",
+        "validate X-Agent-Role against roster — prevent privilege escalation",
+        "release: stack v0.9.8 — security hardening + Hygo bug fixes",
+        "add webhook HMAC-SHA256 validation + disable query param auth in prod",
+        "pin GitHub Actions to SHAs, update jose to 6.2.3",
+        "harden support intake against abuse and data leakage",
+        "bump to v0.9.22 — Codex MCP parity + customer bug fixes + security audit remediation",
+        "audit: pre-hygo exe-gateway security report",
+        "add SECURITY.md — trust document for pre-install security evaluation",
+        "fix 4 pricing tier bypass vulnerabilities (audit F1-F4)"
+      ],
+      "other": [
+        "publish v0.9.142",
+        "publish v0.9.141",
+        "ops: journalctl rotation + certbot expiry alerting",
+        "revert: daemon heap back to 33% of RAM — no artificial cap",
+        "v0.9.140 publish + heap cap 4GB (was 33% unbounded)",
+        "PG-1 cross-repo entity federation design document",
+        "add lint step + automated npm publish workflow",
+        "audit: scoped SQL + package budget + TUI vendored + TODO classification",
+        "add full readiness audit evidence",
+        "roadmap: Cross-Repo Ontology — Palantir-level graph (PG-1 through PG-10)",
+        "capture mcp restart self-healing roadmap",
+        "Enforce chain of command task review parity",
+        "document raw SQL fallback in orchestrator auto-approve path",
+        "Finalize orchestration rollout fixes",
+        "Scope device governance task queries",
+        "bump v0.9.138 — 7 critical bug fixes, 10 features, 16 commits",
+        "bump v0.9.137 — Memanto typed schema, push notifications, lazy consolidation",
+        "bump v0.9.136 — daemon OOM fix, process monitor, auto-notify reviewer",
+        "bump v0.9.135 — code debt cleanup, 28 new tests, full observability",
+        "Codex MCP regression tests (18) + DB singleton integration tests (10)",
+        "release notes for v0.9.134",
+        "benchmark score entry for f95b862",
+        "add GitHub Actions CI pipeline — build + test on push",
+        "gitignore GitHub workflows — add via web UI instead",
+        "remove ci.yml — GitHub token lacks workflow scope, will add via web UI"
+      ],
+      "migration_notes": [
+        "If daemon goes down, agents will now fail instead of silently",
+        "exe-daemon.ts kills old embed.pid process and cleans up"
+      ]
+    },
     "0.9.142": {
       "version": "0.9.142",
       "date": "2026-05-26",
@@ -412,105 +515,6 @@
         "If daemon goes down, agents will now fail instead of silently",
         "exe-daemon.ts kills old embed.pid process and cleans up"
       ]
-    },
-    "0.9.138": {
-      "version": "0.9.138",
-      "date": "2026-05-21",
-      "features": [
-        "unified webhook pipe — config-driven field mapping + HMAC",
-        "WHAT'S NEW section in boot brief + bundle release-notes.json in npm",
-        "setup wizard runtime/model chooser (Step 5c)",
-        "cloud sync for schedules, trajectories, consolidations, identity",
-        "DWL-1 branding.json config system + DWL-4 CLI command",
-        "wire unified-query.ts into raw-data, CRM, and company-brain MCP tools",
-        "GR-1 semantic entity disambiguation via embedding similarity",
-        "per-agent MCP scoping — wire agent-config mcps into spawn path",
-        "Letta core/archival memory split — core_memory table + MCP actions",
-        "COO auto-restart — daemon detects dead coordinator session and relaunches",
-        "RecMem lazy consolidation — skip clusters < 3 memories",
-        "Memanto typed semantic schema — 13 memory types with kind-aware retrieval",
-        "push notifications — Telegram + email on task completion and daemon crash",
-        "auto-notify reviewer on task completion + file_copy MCP tool",
-        "daemon process monitor — CPU tracking, orphan detection, high-CPU alerting",
-        "Hygo integration — workflow engine, Asana connector, wiki ACL, GoTrue auth, unified query",
-        "routing audit log + daemon health log — full observability for session routing and daemon lifecycle",
-        "proxy unified cloud routes through api router",
-        "add typed apiWatchdog config for daemon API auto-recovery",
-        "wire reflection layer into production — schema, search, daemon",
-        "wire memory cards + reflection into BEAM benchmark harness",
-        "standalone harnesses for MemBench, REALTALK, MemoryArena",
-        "standalone benchmark harnesses for LongMemEval, LoCoMo, BEAM",
-        "multi-product support for bug reports and feature requests",
-        "memory reflection layer + sandboxed BEAM benchmark harness"
-      ],
-      "fixes": [
-        "intercom-check now surfaces reviewer tasks — not just assigned_to",
-        "consolidation truncation + task state machine + cascade race",
-        "session cleanup side effects + global agent cap + queue overflow log",
-        "cloud sync preserves local enrichment — COALESCE on conflict",
-        "cross-device task isolation — device_id filter on stuck-task + backfill",
-        "session-scoped idle nudge — prevent cross-session agent nudging",
-        "daemon OOM crash — cloud-sync exponential backoff + circuit breaker + heap monitoring",
-        "replace hardcoded agent name→role map with dynamic roster lookup",
-        "add logging to 45 silent catches — tasks.ts, cloud-sync.ts, exe-daemon.ts",
-        "test regressions — backward-compat exports, test fixture schema, config defaults",
-        "upgrade commit discipline to p0 — one track = one commit, never batch",
-        "use consolidated mcp boot prompt",
-        "auto-start agents after spawn — no more idle prompt",
-        "move atomic swap from build to deploy — builds never disrupt daemon",
-        "disable MCP session TTL — sessions live forever until daemon restart",
-        "complete DB safety suite — auto-restore, write drain, pre-restart backup",
-        "WAL checkpoint on shutdown + integrity check on startup",
-        "warn when caller session unknown in create_task — helps diagnose scope bugs",
-        "route all employee spawns through exe-launch-agent for session-aware MCP",
-        "4 customer audit bugs — honest feature status, auto-approve disabled, visibility TODO",
-        "archive consolidated source memories — stop search inflation",
-        "wire Ebbinghaus strength into vector search + type definition",
-        "v0.9.133 — session routing, Codex MCP compat, 12 bug fixes from customer audit",
-        "bind api router analytics dataset in wrangler",
-        "daemon watchdog uses typed config, wire startup call, fix tsc warnings"
-      ],
-      "security": [
-        "release: stack v0.9.8 — security hardening + Hygo bug fixes",
-        "add webhook HMAC-SHA256 validation + disable query param auth in prod",
-        "pin GitHub Actions to SHAs, update jose to 6.2.3",
-        "harden support intake against abuse and data leakage",
-        "bump to v0.9.22 — Codex MCP parity + customer bug fixes + security audit remediation",
-        "audit: pre-hygo exe-gateway security report",
-        "add SECURITY.md — trust document for pre-install security evaluation",
-        "fix 4 pricing tier bypass vulnerabilities (audit F1-F4)"
-      ],
-      "other": [
-        "bump v0.9.138 — 7 critical bug fixes, 10 features, 16 commits",
-        "bump v0.9.137 — Memanto typed schema, push notifications, lazy consolidation",
-        "bump v0.9.136 — daemon OOM fix, process monitor, auto-notify reviewer",
-        "bump v0.9.135 — code debt cleanup, 28 new tests, full observability",
-        "Codex MCP regression tests (18) + DB singleton integration tests (10)",
-        "release notes for v0.9.134",
-        "benchmark score entry for f95b862",
-        "add GitHub Actions CI pipeline — build + test on push",
-        "gitignore GitHub workflows — add via web UI instead",
-        "remove ci.yml — GitHub token lacks workflow scope, will add via web UI",
-        "gitignore — add dist-next, db.sqlite, .wrangler; remove temp scripts",
-        "accumulated fixes — hooks, adapters, config, cloud-sync, rate-limiter, CI pipeline",
-        "stack manifest v0.9.9 — session routing, DB safety, Codex MCP, 20 fixes",
-        "protect api router cloud migration routes",
-        "Proxy cloud sync routes through api router",
-        "bump v0.9.132",
-        "bump v0.9.131 — lean MCP for agents, session isolation gate, card/reflection pipeline",
-        "bump v0.9.130 — hard session isolation gate",
-        "bump v0.9.129",
-        "bump v0.9.128 — shared DB module fix",
-        "bump v0.9.127 — DB init before MCP session tools",
-        "bump v0.9.126 — revert to port 48739",
-        "bump v0.9.125",
-        "bump v0.9.120 — fixed MCP port 48700 with auto-recovery",
-        "bump v0.9.123 — multi-product support for bug/feature reports"
-      ],
-      "migration_notes": [
-        "If daemon goes down, agents will now fail instead of silently",
-        "exe-daemon.ts kills old embed.pid process and cleans up"
-      ]
     }
   }
 }