@askexenow/exe-os 0.9.154 → 0.9.156

package/deploy/compose/.env.example

@@ -1,6 +1,6 @@
 # exe-os VPS stack — example environment variables
-# Copy to .env before deployment and replace every CHANGEME_* value.
-# Values under # SET_MANUALLY must be provided by the operator.
+# Run `exe-os stack-init` or `node deploy/compose/generate-env.js` to auto-generate
+# all secrets. Or copy to .env and replace CHANGEME_* values manually.
 
 # --- Data Layer ---
 POSTGRES_USER=exe
@@ -13,67 +13,53 @@ CLICKHOUSE_PASSWORD=CHANGEME_CLICKHOUSE_PASSWORD
 
 REDIS_PASSWORD=CHANGEME_REDIS_PASSWORD
 
+# --- GoTrue (shared auth) ---
+GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET
+GOTRUE_SITE_URL=https://crm.askexe.com
+GOTRUE_EXTERNAL_URL=https://auth.askexe.com
+GOTRUE_DISABLE_SIGNUP=false
+GOTRUE_MAILER_AUTOCONFIRM=true
+
 # --- CRM ---
-CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.2
-CRM_SERVER_URL=https://CHANGEME_DOMAIN
+CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.3
+CRM_SERVER_URL=https://crm.askexe.com
 CRM_APP_SECRET=CHANGEME_CRM_APP_SECRET
+EXE_CRM_ADMIN_TOKEN=CHANGEME_EXE_CRM_ADMIN_TOKEN
 CRM_HOST_PORT=3000
 
 # --- Wiki ---
-WIKI_IMAGE_TAG=ghcr.io/askexe/exe-wiki:v0.9.2
+WIKI_IMAGE_TAG=ghcr.io/askexe/exe-wiki:v0.9.4
 WIKI_DB_SCHEMA=wiki
 WIKI_VECTOR_DB=postgres
 WIKI_AUTH_TOKEN=CHANGEME_WIKI_AUTH_TOKEN
+EXE_WIKI_ADMIN_TOKEN=CHANGEME_EXE_WIKI_ADMIN_TOKEN
 WIKI_JWT_SECRET=CHANGEME_WIKI_JWT_SECRET
 WIKI_SIG_KEY=CHANGEME_WIKI_SIG_KEY
 WIKI_SIG_SALT=CHANGEME_WIKI_SIG_SALT
 WIKI_HOST_PORT=3001
 
-# --- exe-os ---
-EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.2
+# --- exe-os (daemon) ---
+EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.154
 EXED_MCP_TOKEN=CHANGEME_EXED_MCP_TOKEN
 EXED_DEVICE_ID=vps-default
-# VPS-only: enables cloud/local SQLite -> exe-db Postgres projection.
-# Keep false on laptops/dev boxes.
 EXE_CLOUD_SYNC_TO_POSTGRES=true
+EXE_LICENSE_KEY=CHANGEME_EXE_LICENSE_KEY
 
 # --- Gateway ---
-GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.2
+GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.3
 EXE_GATEWAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_AUTH_TOKEN
 EXE_GATEWAY_WS_RELAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_WS_RELAY_AUTH_TOKEN
 EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN=CHANGEME_EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN
-# SET_MANUALLY
-WHATSAPP_ACCESS_TOKEN=CHANGEME_WHATSAPP_ACCESS_TOKEN
 API_ROUTER_URL=https://gateway.askexe.com
-API_ROUTER_KEY=CHANGEME_API_ROUTER_KEY
-# BYOK: to use your own API keys instead of the Exe API Router,
-# set BYOK_ENABLED=true and provide ANTHROPIC_API_KEY below.
-# BYOK_ENABLED=false
-# ANTHROPIC_API_KEY=CHANGEME_ANTHROPIC_API_KEY
 GATEWAY_HTTP_HOST_PORT=3100
 GATEWAY_WS_HOST_PORT=3101
 
-# --- Monitoring agent (standard for managed customer VPSs) ---
-MONITOR_AGENT_IMAGE_TAG=ghcr.io/askexe/exe-monitor-agent:v0.9.2
+# --- Monitoring ---
+MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.4
+MONITOR_AGENT_IMAGE_TAG=ghcr.io/askexe/exe-monitor-agent:v0.9.4
+EXE_MONITOR_ADMIN_TOKEN=CHANGEME_EXE_MONITOR_ADMIN_TOKEN
 MONITOR_HUB_URL=https://monitor.askexe.com
-# Values copied from monitor.askexe.com when adding a new system.
-MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN_FROM_MONITOR_HUB
-MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_PUBLIC_KEY_FROM_MONITOR_HUB
+MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN
+MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_KEY
 MONITOR_AGENT_LISTEN=:45876
-
-# --- AskExe central monitoring hub auth (AskExe-owned infra only) ---
-# Customer VPSs normally run only MONITOR_AGENT_* above. These hub values are
-# for monitor.askexe.com on exe-db-jkt.
-MONITOR_HUB_PUBLIC_URL=https://monitor.askexe.com
-MONITOR_HUB_SOURCE_DIR=/opt/exe-monitor
-MONITOR_HUB_HOST_PORT=8090
-MONITOR_HUB_DATA_DIR=/opt/exe-monitor-data
-MONITOR_TRUSTED_AUTH_HEADER=X-AskExe-User-Email
-# Keep false during bootstrap; flip true after the GoTrue auth proxy is live.
-MONITOR_DISABLE_PASSWORD_AUTH=false
-MONITOR_USER_CREATION=true
-MONITOR_SHARE_ALL_SYSTEMS=false
-
-# --- License ---
-# injected by deploy_client
-EXE_LICENSE_KEY=CHANGEME_EXE_LICENSE_KEY
+MONITOR_HUB_PORT=8090

package/deploy/compose/backup.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Automated backup for exe-os stack — runs daily via cron or systemd timer.
+# Backs up: postgres (all databases), gateway auth state, wiki storage.
+set -euo pipefail
+
+BACKUP_DIR="${BACKUP_DIR:-/opt/exe-backups}"
+RETENTION_DAYS="${BACKUP_RETENTION_DAYS:-7}"
+DATE=$(date +%Y%m%d-%H%M%S)
+COMPOSE_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+mkdir -p "$BACKUP_DIR"
+
+echo "[backup] Starting exe-os stack backup ($DATE)"
+
+# 1. Postgres dump (all databases)
+echo "[backup] Dumping postgres..."
+docker exec exe-db pg_dumpall -U exe > "$BACKUP_DIR/postgres-$DATE.sql" 2>/dev/null
+gzip "$BACKUP_DIR/postgres-$DATE.sql"
+echo "[backup] Postgres: $(du -h "$BACKUP_DIR/postgres-$DATE.sql.gz" | cut -f1)"
+
+# 2. Gateway auth state (Baileys creds)
+echo "[backup] Backing up gateway auth state..."
+docker cp exe-gateway:/data/. "$BACKUP_DIR/gateway-$DATE/" 2>/dev/null || echo "[backup] Gateway backup skipped (not running)"
+tar -czf "$BACKUP_DIR/gateway-$DATE.tar.gz" -C "$BACKUP_DIR" "gateway-$DATE" 2>/dev/null && rm -rf "$BACKUP_DIR/gateway-$DATE"
+
+# 3. Wiki storage (uploaded docs)
+echo "[backup] Backing up wiki storage..."
+docker cp exe-wiki:/app/server/storage/. "$BACKUP_DIR/wiki-$DATE/" 2>/dev/null || echo "[backup] Wiki backup skipped"
+tar -czf "$BACKUP_DIR/wiki-$DATE.tar.gz" -C "$BACKUP_DIR" "wiki-$DATE" 2>/dev/null && rm -rf "$BACKUP_DIR/wiki-$DATE"
+
+# 4. Retention — delete backups older than N days
+echo "[backup] Cleaning backups older than $RETENTION_DAYS days..."
+find "$BACKUP_DIR" -name "*.gz" -mtime "+$RETENTION_DAYS" -delete 2>/dev/null
+find "$BACKUP_DIR" -name "*.sql" -mtime "+$RETENTION_DAYS" -delete 2>/dev/null
+
+echo "[backup] Done. Backups at $BACKUP_DIR:"
+ls -lh "$BACKUP_DIR"/*.gz 2>/dev/null | tail -5

package/deploy/compose/branding.json

@@ -0,0 +1,20 @@
+{
+  "name": "Exe OS",
+  "logo": null,
+  "colors": {
+    "primary": "#F5D76E",
+    "background": "#0F0E1A",
+    "surface": "rgba(245, 215, 110, 0.08)",
+    "text": "#f8f5ea",
+    "muted": "rgba(248, 245, 234, 0.72)"
+  },
+  "fonts": {
+    "heading": "Epilogue",
+    "body": "Manrope",
+    "mono": "Space Grotesk"
+  },
+  "support": {
+    "email": "support@askexe.com",
+    "url": "https://askexe.com"
+  }
+}

package/deploy/compose/cloudflared/config.yml.example

@@ -0,0 +1,29 @@
+# Cloudflare Tunnel config — routes *.askexe.com to local services.
+# Copy to config.yml and replace TUNNEL_ID with your tunnel UUID.
+# Create tunnel: cloudflared tunnel create <name>
+# Then copy credentials JSON to this directory.
+
+tunnel: CHANGEME_TUNNEL_ID
+credentials-file: /etc/cloudflared/CHANGEME_TUNNEL_ID.json
+
+ingress:
+  # CRM
+  - hostname: crm.CHANGEME_DOMAIN
+    service: http://exe-crm:3000
+  # Wiki
+  - hostname: wiki.CHANGEME_DOMAIN
+    service: http://exe-wiki:3001
+  # Gateway (WhatsApp, webhooks, pairing)
+  - hostname: gateway.CHANGEME_DOMAIN
+    service: http://exe-gateway:3100
+  # Monitor
+  - hostname: monitor.CHANGEME_DOMAIN
+    service: http://exe-monitor-hub:8090
+  # Auth (GoTrue)
+  - hostname: auth.CHANGEME_DOMAIN
+    service: http://gotrue:9999
+  # exe-os daemon (MCP)
+  - hostname: api.CHANGEME_DOMAIN
+    service: http://exe-os:8765
+  # Catch-all
+  - service: http_status:404

package/deploy/compose/docker-compose.yml

@@ -36,6 +36,7 @@ services:
       PGDATA: /var/lib/postgresql/data/pgdata
     volumes:
       - postgres_data:/var/lib/postgresql/data
+      - ./init-db.sql:/docker-entrypoint-initdb.d/01-init.sql:ro
     networks:
       backend:
         ipv4_address: 10.42.0.10
@@ -104,6 +105,71 @@ services:
       driver: json-file
       options: { max-size: "10m", max-file: "3" }
 
+  gotrue:
+    image: supabase/gotrue:v2.172.1@sha256:b0dd7aa28dd1f9a8bd31f136c8b912661f701d9b863171e5843cb08f18f49de4
+    container_name: gotrue
+    restart: unless-stopped
+    depends_on:
+      exe-db:
+        condition: service_healthy
+    env_file:
+      - path: .env
+        required: false
+    environment:
+      GOTRUE_DB_DRIVER: postgres
+      GOTRUE_DB_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?sslmode=disable&search_path=auth
+      GOTRUE_SITE_URL: ${GOTRUE_SITE_URL:-https://crm.askexe.com}
+      GOTRUE_URI_ALLOW_LIST: ${GOTRUE_URI_ALLOW_LIST:-}
+      GOTRUE_JWT_SECRET: ${GOTRUE_JWT_SECRET:?GOTRUE_JWT_SECRET is required}
+      GOTRUE_JWT_EXP: ${GOTRUE_JWT_EXP:-3600}
+      GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
+      API_EXTERNAL_URL: ${GOTRUE_EXTERNAL_URL:-https://auth.askexe.com}
+      GOTRUE_DISABLE_SIGNUP: ${GOTRUE_DISABLE_SIGNUP:-false}
+      GOTRUE_MAILER_AUTOCONFIRM: ${GOTRUE_MAILER_AUTOCONFIRM:-true}
+      GOTRUE_SMTP_HOST: ${SMTP_HOST:-}
+      GOTRUE_SMTP_PORT: ${SMTP_PORT:-587}
+      GOTRUE_SMTP_USER: ${SMTP_USER:-}
+      GOTRUE_SMTP_PASS: ${SMTP_PASS:-}
+      GOTRUE_SMTP_ADMIN_EMAIL: ${SMTP_FROM:-noreply@askexe.com}
+    ports:
+      - "127.0.0.1:${GOTRUE_HOST_PORT:-9999}:9999"
+    networks:
+      backend:
+        ipv4_address: 10.42.0.13
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:9999/health"]
+      interval: 15s
+      timeout: 5s
+      start_period: 10s
+      retries: 5
+    logging:
+      driver: json-file
+      options: { max-size: "10m", max-file: "3" }
+
+  exe-monitor-hub:
+    image: ${MONITOR_HUB_IMAGE_TAG:-ghcr.io/askexe/exe-monitor-hub:v0.9.4}
+    container_name: exe-monitor-hub
+    restart: unless-stopped
+    environment:
+      EXE_MONITOR_ADMIN_TOKEN: ${EXE_MONITOR_ADMIN_TOKEN:-}
+      GOTRUE_URL: http://gotrue:9999
+    ports:
+      - "127.0.0.1:${MONITOR_HUB_PORT:-8090}:8090"
+    volumes:
+      - monitor_hub_data:/app/pb_data
+    networks:
+      backend:
+        ipv4_address: 10.42.0.14
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8090/api/health"]
+      interval: 30s
+      timeout: 5s
+      start_period: 15s
+      retries: 5
+    logging:
+      driver: json-file
+      options: { max-size: "10m", max-file: "3" }
+
   # ------------------------------------------------------------------
   # Apps
   # ------------------------------------------------------------------
@@ -112,9 +178,14 @@ services:
     image: ${CRM_IMAGE_TAG:-ghcr.io/askexe/exe-crm:v0.9.2}
     container_name: exe-crm
     restart: unless-stopped
+    # Auto-migrate on boot: run database init before starting the app.
+    # Twenty CRM won't create tables automatically — this ensures they exist.
+    command: ["sh", "-c", "yarn database:init:prod 2>/dev/null || true && node dist/src/main"]
     depends_on:
       exe-db:
         condition: service_healthy
+      gotrue:
+        condition: service_healthy
       clickhouse:
         condition: service_healthy
       redis:
@@ -128,6 +199,8 @@ services:
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
       SERVER_URL: ${CRM_SERVER_URL:-https://crm.askexe.com}
       APP_SECRET: ${CRM_APP_SECRET:?CRM_APP_SECRET is required}
+      EXE_CRM_ADMIN_TOKEN: ${EXE_CRM_ADMIN_TOKEN:-}
+      GOTRUE_URL: http://gotrue:9999
       PG_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}
       REDIS_URL: redis://:${REDIS_PASSWORD:?REDIS_PASSWORD is required}@redis:6379
       CLICKHOUSE_URL: http://${CLICKHOUSE_USER:-exe}:${CLICKHOUSE_PASSWORD:?CLICKHOUSE_PASSWORD is required}@clickhouse:8123/${CLICKHOUSE_DB:-default}
@@ -198,9 +271,13 @@ services:
     image: ${WIKI_IMAGE_TAG:-ghcr.io/askexe/exe-wiki:v0.9.2}
     container_name: exe-wiki
     restart: unless-stopped
+    # Wiki uses Prisma — runs migrate on boot via built-in entrypoint.
+    # If tables don't exist, Prisma creates them automatically.
     depends_on:
       exe-db:
         condition: service_healthy
+      gotrue:
+        condition: service_healthy
     env_file:
       - path: .env
         required: false
@@ -211,6 +288,8 @@ services:
       STORAGE_DIR: /app/server/storage
       DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?schema=${WIKI_DB_SCHEMA:-wiki}
       AUTH_TOKEN: ${WIKI_AUTH_TOKEN:?WIKI_AUTH_TOKEN is required}
+      EXE_WIKI_ADMIN_TOKEN: ${EXE_WIKI_ADMIN_TOKEN:-}
+      GOTRUE_URL: http://gotrue:9999
       JWT_SECRET: ${WIKI_JWT_SECRET:?WIKI_JWT_SECRET is required}
       SIG_KEY: ${WIKI_SIG_KEY:?WIKI_SIG_KEY is required}
       SIG_SALT: ${WIKI_SIG_SALT:?WIKI_SIG_SALT is required}
@@ -290,6 +369,7 @@ services:
       EXE_GATEWAY_PORT: "3100"
       EXE_GATEWAY_HOST: "127.0.0.1"
       EXE_GATEWAY_AUTH_TOKEN: ${EXE_GATEWAY_AUTH_TOKEN:?EXE_GATEWAY_AUTH_TOKEN is required}
+      GOTRUE_URL: http://gotrue:9999
       EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN: ${EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN:?EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN is required}
       EXE_GATEWAY_WS_RELAY_ENABLED: "true"
       EXE_GATEWAY_WS_RELAY_HOST: "127.0.0.1"
@@ -351,6 +431,32 @@ services:
       driver: json-file
       options: { max-size: "10m", max-file: "3" }
 
+  # ------------------------------------------------------------------
+  # Infrastructure — Cloudflare Tunnel (replaces nginx + SSL certs)
+  # ------------------------------------------------------------------
+
+  cloudflared:
+    image: cloudflare/cloudflared:latest
+    container_name: cloudflared
+    restart: unless-stopped
+    command: tunnel --config /etc/cloudflared/config.yml run
+    volumes:
+      - ${CLOUDFLARED_CONFIG_DIR:-./cloudflared}:/etc/cloudflared:ro
+    networks:
+      backend:
+        ipv4_address: 10.42.0.31
+      frontend:
+        ipv4_address: 10.43.0.31
+    healthcheck:
+      test: ["CMD", "cloudflared", "tunnel", "info", "--output", "json"]
+      interval: 30s
+      timeout: 5s
+      start_period: 15s
+      retries: 5
+    logging:
+      driver: json-file
+      options: { max-size: "10m", max-file: "3" }
+
 # ------------------------------------------------------------------
 # Volumes
 # ------------------------------------------------------------------
@@ -373,6 +479,8 @@ volumes:
     driver: local
   monitor_agent_data:
     driver: local
+  monitor_hub_data:
+    driver: local
 
 # ------------------------------------------------------------------
 # Networks

package/deploy/compose/gateway.json

@@ -1 +1,11 @@
-{}
+{
+  "port": 3100,
+  "host": "0.0.0.0",
+  "readOnly": false,
+  "adapters": {
+    "whatsapp": {
+      "enabled": false,
+      "accounts": []
+    }
+  }
+}

package/deploy/compose/generate-env.ts

@@ -5,11 +5,11 @@ const REGISTRY = "ghcr.io/askexe";
 // own package semver internally, but customer deployments use the tested stack
 // image alias so one stack manifest can pin the whole release. exe-os/exed is
 // the exception because the runtime package version is the orchestrator release.
-const STACK_IMAGE_TAG = "v0.9.2";
-const EXED_RELEASE_TAG = "v0.9.2";
+const STACK_IMAGE_TAG = "v0.9.4";
+const EXED_RELEASE_TAG = "v0.9.154";
 
 const POSTGRES_USER = "exe";
-const POSTGRES_DB = "default";
+const POSTGRES_DB = "exedb";
 const CLICKHOUSE_DB = "default";
 const CLICKHOUSE_USER = "exe";
 export const CRM_IMAGE_TAG = `${REGISTRY}/exe-crm:${STACK_IMAGE_TAG}`;
@@ -21,6 +21,7 @@ const WIKI_HOST_PORT = "3001";
 export const EXE_OS_IMAGE_TAG = `${REGISTRY}/exe-os:${EXED_RELEASE_TAG}`;
 export const GATEWAY_IMAGE_TAG = `${REGISTRY}/exe-gateway:${STACK_IMAGE_TAG}`;
 export const MONITOR_AGENT_IMAGE_TAG = `${REGISTRY}/exe-monitor-agent:${STACK_IMAGE_TAG}`;
+export const MONITOR_HUB_IMAGE_TAG = `${REGISTRY}/exe-monitor-hub:${STACK_IMAGE_TAG}`;
 const GATEWAY_HTTP_HOST_PORT = "3100";
 const GATEWAY_WS_HOST_PORT = "3101";
 const RANDOM_SECRET_16 = 16;
@@ -56,10 +57,18 @@ export function generateEnv(options: GenerateEnvOptions): string {
     "",
     `REDIS_PASSWORD=${randomSecret(RANDOM_SECRET_32)}`,
     "",
+    "# --- GoTrue (shared auth) ---",
+    `GOTRUE_JWT_SECRET=${randomSecret(RANDOM_SECRET_48)}`,
+    `GOTRUE_SITE_URL=https://crm.${normalizedDomain}`,
+    `GOTRUE_EXTERNAL_URL=https://auth.${normalizedDomain}`,
+    "GOTRUE_DISABLE_SIGNUP=false",
+    "GOTRUE_MAILER_AUTOCONFIRM=true",
+    "",
     "# --- CRM ---",
     `CRM_IMAGE_TAG=${CRM_IMAGE_TAG}`,
     `CRM_SERVER_URL=https://${normalizedDomain}`,
     `CRM_APP_SECRET=${randomSecret(RANDOM_SECRET_48)}`,
+    `EXE_CRM_ADMIN_TOKEN=${randomSecret(RANDOM_SECRET_48)}`,
     `CRM_HOST_PORT=${CRM_HOST_PORT}`,
     "",
     "# --- Wiki ---",
@@ -67,6 +76,7 @@ export function generateEnv(options: GenerateEnvOptions): string {
     `WIKI_DB_SCHEMA=${WIKI_DB_SCHEMA}`,
     `WIKI_VECTOR_DB=${WIKI_VECTOR_DB}`,
     `WIKI_AUTH_TOKEN=${randomSecret(RANDOM_SECRET_48)}`,
+    `EXE_WIKI_ADMIN_TOKEN=${randomSecret(RANDOM_SECRET_48)}`,
     `WIKI_JWT_SECRET=${randomSecret(RANDOM_SECRET_48)}`,
     `WIKI_SIG_KEY=${randomSecret(RANDOM_SECRET_48)}`,
     `WIKI_SIG_SALT=${randomSecret(RANDOM_SECRET_16)}`,
@@ -95,12 +105,15 @@ export function generateEnv(options: GenerateEnvOptions): string {
     `GATEWAY_HTTP_HOST_PORT=${GATEWAY_HTTP_HOST_PORT}`,
     `GATEWAY_WS_HOST_PORT=${GATEWAY_WS_HOST_PORT}`,
     "",
-    "# --- Monitoring agent (standard for managed customer VPSs) ---",
+    "# --- Monitoring ---",
+    `MONITOR_HUB_IMAGE_TAG=${MONITOR_HUB_IMAGE_TAG}`,
     `MONITOR_AGENT_IMAGE_TAG=${MONITOR_AGENT_IMAGE_TAG}`,
+    `EXE_MONITOR_ADMIN_TOKEN=${randomSecret(RANDOM_SECRET_48)}`,
     `MONITOR_HUB_URL=${DEFAULT_MONITOR_HUB_URL}`,
     "MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN_FROM_MONITOR_HUB",
     "MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_PUBLIC_KEY_FROM_MONITOR_HUB",
     `MONITOR_AGENT_LISTEN=${DEFAULT_MONITOR_AGENT_LISTEN}`,
+    "MONITOR_HUB_PORT=8090",
     "",
     "# --- License ---",
     LICENSE_KEY_COMMENT,
@@ -129,6 +142,7 @@ export function generateExampleEnv(): string {
     `CRM_IMAGE_TAG=${CRM_IMAGE_TAG}`,
     "CRM_SERVER_URL=https://CHANGEME_DOMAIN",
     "CRM_APP_SECRET=CHANGEME_CRM_APP_SECRET",
+    "EXE_CRM_ADMIN_TOKEN=CHANGEME_EXE_CRM_ADMIN_TOKEN",
     `CRM_HOST_PORT=${CRM_HOST_PORT}`,
     "",
     "# --- Wiki ---",

package/deploy/compose/init-db.sql

@@ -0,0 +1,55 @@
+-- exe-os database initialization — runs on first boot.
+-- Creates the exe superuser, schemas, and extensions.
+-- Idempotent: safe to run multiple times.
+
+-- Ensure exe user exists with superuser
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'exe') THEN
+    CREATE ROLE exe WITH LOGIN SUPERUSER PASSWORD current_setting('app.postgres_password', true);
+  ELSE
+    ALTER ROLE exe SUPERUSER;
+  END IF;
+END $$;
+
+-- Create extensions
+CREATE EXTENSION IF NOT EXISTS vector;
+CREATE EXTENSION IF NOT EXISTS pgcrypto;
+
+-- Create all schemas
+CREATE SCHEMA IF NOT EXISTS raw;
+CREATE SCHEMA IF NOT EXISTS graph;
+CREATE SCHEMA IF NOT EXISTS gateway;
+CREATE SCHEMA IF NOT EXISTS wiki;
+CREATE SCHEMA IF NOT EXISTS crm;
+CREATE SCHEMA IF NOT EXISTS auth;
+
+-- Grant exe full access to all schemas
+DO $$ DECLARE s text; BEGIN
+  FOR s IN SELECT schema_name FROM information_schema.schemata
+           WHERE schema_name NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
+  LOOP
+    EXECUTE 'GRANT ALL ON SCHEMA ' || quote_ident(s) || ' TO exe';
+    EXECUTE 'GRANT ALL ON ALL TABLES IN SCHEMA ' || quote_ident(s) || ' TO exe';
+    EXECUTE 'GRANT ALL ON ALL SEQUENCES IN SCHEMA ' || quote_ident(s) || ' TO exe';
+    EXECUTE 'ALTER DEFAULT PRIVILEGES IN SCHEMA ' || quote_ident(s) || ' GRANT ALL ON TABLES TO exe';
+    EXECUTE 'ALTER DEFAULT PRIVILEGES IN SCHEMA ' || quote_ident(s) || ' GRANT ALL ON SEQUENCES TO exe';
+  END LOOP;
+END $$;
+
+-- Create raw.raw_events landing pad
+CREATE TABLE IF NOT EXISTS raw.raw_events (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  source TEXT NOT NULL,
+  source_id TEXT,
+  event_type TEXT NOT NULL,
+  payload JSONB NOT NULL,
+  metadata JSONB,
+  timestamp TIMESTAMPTZ DEFAULT now(),
+  created_at TIMESTAMPTZ DEFAULT now(),
+  processed_at TIMESTAMPTZ,
+  error TEXT,
+  projections JSONB DEFAULT '{}'::jsonb
+);
+
+CREATE INDEX IF NOT EXISTS idx_raw_events_unprocessed ON raw.raw_events (created_at) WHERE processed_at IS NULL;
+CREATE UNIQUE INDEX IF NOT EXISTS uq_raw_events_dedup ON raw.raw_events (source, source_id, event_type);

package/deploy/compose/setup.sh

@@ -0,0 +1,166 @@
+#!/usr/bin/env bash
+# exe-os stack first-time setup — run once on a fresh VPS.
+# Usage: ./setup.sh --client <name> --domain <domain> [--license <key>]
+set -euo pipefail
+
+RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'
+info() { echo -e "${GREEN}[setup]${NC} $1"; }
+warn() { echo -e "${YELLOW}[setup]${NC} $1"; }
+err() { echo -e "${RED}[setup]${NC} $1" >&2; }
+
+# Parse args
+CLIENT="" DOMAIN="" LICENSE=""
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --client) CLIENT="$2"; shift 2;;
+    --domain) DOMAIN="$2"; shift 2;;
+    --license) LICENSE="$2"; shift 2;;
+    *) err "Unknown arg: $1"; exit 1;;
+  esac
+done
+[[ -z "$CLIENT" || -z "$DOMAIN" ]] && { err "Usage: ./setup.sh --client <name> --domain <domain>"; exit 1; }
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+cd "$SCRIPT_DIR"
+
+# Step 1: Docker + GHCR auth
+info "Step 1: Docker registry authentication"
+if ! docker info >/dev/null 2>&1; then
+  err "Docker is not running. Install Docker first: https://docs.docker.com/engine/install/"
+  exit 1
+fi
+
+if [[ -f .ghcr-token ]]; then
+  info "Logging into GHCR with stored token..."
+  cat .ghcr-token | docker login ghcr.io -u exe-os-pull --password-stdin 2>/dev/null || true
+elif [[ -n "${GHCR_TOKEN:-}" ]]; then
+  info "Logging into GHCR with GHCR_TOKEN env var..."
+  echo "$GHCR_TOKEN" | docker login ghcr.io -u exe-os-pull --password-stdin 2>/dev/null || true
+else
+  warn "No GHCR token found. Set GHCR_TOKEN env var or create .ghcr-token file."
+  warn "Images must be pullable — public or pre-authed."
+fi
+
+# Step 2: Generate .env
+info "Step 2: Generating .env file"
+if [[ -f .env ]]; then
+  warn ".env already exists — skipping generation. Delete .env to regenerate."
+else
+  if command -v node >/dev/null 2>&1; then
+    node -e "
+      const { generateEnv } = require('../../dist/deploy/compose/generate-env.js');
+      console.log(generateEnv({ clientName: '$CLIENT', domain: '$DOMAIN', licenseKey: '${LICENSE:-}' || undefined }));
+    " > .env 2>/dev/null || {
+      # Fallback: generate inline
+      info "Generating secrets inline..."
+      gen() { openssl rand -hex "$1"; }
+      cat > .env << ENVEOF
+POSTGRES_USER=exe
+POSTGRES_PASSWORD=$(gen 32)
+POSTGRES_DB=exedb
+CLICKHOUSE_DB=default
+CLICKHOUSE_USER=exe
+CLICKHOUSE_PASSWORD=$(gen 32)
+REDIS_PASSWORD=$(gen 32)
+GOTRUE_JWT_SECRET=$(gen 48)
+GOTRUE_SITE_URL=https://crm.${DOMAIN}
+GOTRUE_EXTERNAL_URL=https://auth.${DOMAIN}
+GOTRUE_DISABLE_SIGNUP=false
+GOTRUE_MAILER_AUTOCONFIRM=true
+CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.3
+CRM_SERVER_URL=https://crm.${DOMAIN}
+CRM_APP_SECRET=$(gen 48)
+EXE_CRM_ADMIN_TOKEN=$(gen 48)
+CRM_HOST_PORT=3000
+WIKI_IMAGE_TAG=ghcr.io/askexe/exe-wiki:v0.9.4
+WIKI_DB_SCHEMA=wiki
+WIKI_VECTOR_DB=postgres
+WIKI_AUTH_TOKEN=$(gen 48)
+EXE_WIKI_ADMIN_TOKEN=$(gen 48)
+WIKI_JWT_SECRET=$(gen 48)
+WIKI_SIG_KEY=$(gen 48)
+WIKI_SIG_SALT=$(gen 16)
+WIKI_HOST_PORT=3001
+EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.155
+EXED_MCP_TOKEN=$(gen 48)
+EXED_DEVICE_ID=vps-${CLIENT}
+EXE_CLOUD_SYNC_TO_POSTGRES=true
+EXE_LICENSE_KEY=${LICENSE:-CHANGEME_EXE_LICENSE_KEY}
+GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.3
+EXE_GATEWAY_AUTH_TOKEN=$(gen 48)
+EXE_GATEWAY_WS_RELAY_AUTH_TOKEN=$(gen 48)
+EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN=$(gen 32)
+API_ROUTER_URL=https://gateway.${DOMAIN}
+GATEWAY_HTTP_HOST_PORT=3100
+GATEWAY_WS_HOST_PORT=3101
+MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.4
+MONITOR_AGENT_IMAGE_TAG=ghcr.io/askexe/exe-monitor-agent:v0.9.4
+EXE_MONITOR_ADMIN_TOKEN=$(gen 48)
+MONITOR_HUB_URL=https://monitor.${DOMAIN}
+MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN
+MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_KEY
+MONITOR_AGENT_LISTEN=:45876
+MONITOR_HUB_PORT=8090
+ENVEOF
+    }
+  fi
+  info ".env generated with auto-generated secrets"
+fi
+
+# Step 3: Cloudflared tunnel config
+info "Step 3: Cloudflare Tunnel setup"
+if [[ ! -f cloudflared/config.yml ]]; then
+  if [[ -f cloudflared/config.yml.example ]]; then
+    warn "Copy cloudflared/config.yml.example → cloudflared/config.yml"
+    warn "Then set TUNNEL_ID and DOMAIN in the config."
+    warn "Create tunnel: cloudflared tunnel create exe-${CLIENT}"
+  fi
+else
+  info "Cloudflared config exists."
+fi
+
+# Step 4: Pull images
+info "Step 4: Pulling Docker images..."
+docker compose pull 2>&1 || { err "Image pull failed — check GHCR authentication"; exit 1; }
+
+# Step 5: Start stack
+info "Step 5: Starting stack..."
+docker compose up -d 2>&1
+
+# Step 6: Wait for health
+info "Step 6: Waiting for services to be healthy..."
+sleep 10
+HEALTHY=0
+for i in $(seq 1 30); do
+  COUNT=$(docker ps --filter "health=healthy" --format '{{.Names}}' | wc -l | tr -d ' ')
+  TOTAL=$(docker ps --format '{{.Names}}' | wc -l | tr -d ' ')
+  echo -ne "\r  $COUNT/$TOTAL healthy (attempt $i/30)..."
+  if [[ "$COUNT" -ge "$TOTAL" ]]; then HEALTHY=1; break; fi
+  sleep 5
+done
+echo ""
+[[ "$HEALTHY" -eq 1 ]] && info "All services healthy!" || warn "Some services not healthy yet — check docker ps"
+
+# Step 7: Verify
+info "Step 7: Verification"
+docker ps --format 'table {{.Names}}\t{{.Status}}'
+echo ""
+info "Stack deployed! Next steps:"
+echo "  1. Configure Cloudflare tunnel (if not done)"
+echo "  2. Open https://crm.${DOMAIN} to create admin account"
+echo "  3. Open https://wiki.${DOMAIN} to set up wiki"
+echo "  4. Configure WhatsApp: edit gateway.json, restart gateway, pair at https://gateway.${DOMAIN}/pair/<name>"
+echo "  5. Verify: curl https://crm.${DOMAIN}/healthz && curl https://wiki.${DOMAIN}/api/ping"
+
+# Step 8: Firewall — ensure outbound HTTPS is open
+info "Step 8: Checking network connectivity..."
+if curl -s --max-time 5 https://ghcr.io >/dev/null 2>&1; then
+  info "Outbound HTTPS working (GHCR reachable)"
+else
+  warn "Cannot reach ghcr.io — check firewall/network. Docker pulls will fail."
+fi
+if curl -s --max-time 5 https://api.cloudflare.com >/dev/null 2>&1; then
+  info "Cloudflare reachable"
+else
+  warn "Cannot reach Cloudflare — tunnel won't work."
+fi