npm - @askexenow/exe-os - Versions diffs - 0.9.218 → 0.9.220 - Mend

@askexenow/exe-os 0.9.218 → 0.9.220

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/deploy/compose/.env.customer.example CHANGED Viewed

@@ -13,6 +13,14 @@ CLICKHOUSE_PASSWORD=CHANGEME_CLICKHOUSE_PASSWORD
 REDIS_PASSWORD=CHANGEME_REDIS_PASSWORD
+# --- GoTrue (shared auth) ---
+GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET
+GOTRUE_API_PORT=9999
+GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN
+GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN
+GOTRUE_DISABLE_SIGNUP=false
+GOTRUE_MAILER_AUTOCONFIRM=true
 # --- CRM ---
 CRM_IMAGE_TAG=update.askexe.com/askexe/exe-crm:v0.9.3
 CRM_SERVER_URL=https://CHANGEME_DOMAIN
@@ -33,6 +41,8 @@ WIKI_HOST_PORT=3001
 EXE_OS_IMAGE_TAG=update.askexe.com/askexe/exe-os:v0.9.9
 EXED_MCP_TOKEN=CHANGEME_EXED_MCP_TOKEN
 EXED_DEVICE_ID=hygo-vps
+EXE_MCP_HOST_BIND=0.0.0.0
+EXE_MCP_HOST_PORT=48739
 # VPS-only: enables cloud/local SQLite -> exe-db Postgres projection.
 # Keep false on laptops/dev boxes.
 EXE_CLOUD_SYNC_TO_POSTGRES=true
@@ -55,8 +65,8 @@ GATEWAY_WS_HOST_PORT=3101
 # --- Monitoring agent (standard for managed customer VPSs) ---
 MONITOR_AGENT_IMAGE_TAG=update.askexe.com/askexe/exe-monitor-agent:v0.9.3
-MONITOR_HUB_URL=https://monitor.askexe.com
-# Required: values copied from monitor.askexe.com when adding the Hygo/customer system.
+MONITOR_HUB_URL=http://exe-monitor-hub:8090
+# Required: values copied from the local exe-monitor-hub when adding the Hygo/customer system.
 MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN_FROM_MONITOR_HUB
 MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_PUBLIC_KEY_FROM_MONITOR_HUB
 MONITOR_AGENT_LISTEN=:45876

package/deploy/compose/.env.example CHANGED Viewed

@@ -1,6 +1,6 @@
 # exe-os VPS stack — example environment variables
-# Run `exe-os stack-init` or `node deploy/compose/generate-env.js` to auto-generate
-# all secrets. Or copy to .env and replace CHANGEME_* values manually.
+# Copy to .env before deployment and replace every CHANGEME_* value.
+# Values under # SET_MANUALLY must be provided by the operator.
 # --- Data Layer ---
 POSTGRES_USER=exe
@@ -15,14 +15,15 @@ REDIS_PASSWORD=CHANGEME_REDIS_PASSWORD
 # --- GoTrue (shared auth) ---
 GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET
-GOTRUE_SITE_URL=https://crm.askexe.com
-GOTRUE_EXTERNAL_URL=https://auth.askexe.com
+GOTRUE_API_PORT=9999
+GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN
+GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN
 GOTRUE_DISABLE_SIGNUP=false
 GOTRUE_MAILER_AUTOCONFIRM=true
 # --- CRM ---
-CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.3
-CRM_SERVER_URL=https://crm.askexe.com
+CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.4
+CRM_SERVER_URL=https://CHANGEME_DOMAIN
 CRM_APP_SECRET=CHANGEME_CRM_APP_SECRET
 EXE_CRM_ADMIN_TOKEN=CHANGEME_EXE_CRM_ADMIN_TOKEN
 CRM_HOST_PORT=3000
@@ -38,28 +39,53 @@ WIKI_SIG_KEY=CHANGEME_WIKI_SIG_KEY
 WIKI_SIG_SALT=CHANGEME_WIKI_SIG_SALT
 WIKI_HOST_PORT=3001
-# --- exe-os (daemon) ---
+# --- exe-os ---
 EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.154
 EXED_MCP_TOKEN=CHANGEME_EXED_MCP_TOKEN
 EXED_DEVICE_ID=vps-default
+EXE_MCP_HOST_BIND=0.0.0.0
+EXE_MCP_HOST_PORT=48739
+# VPS-only: enables cloud/local SQLite -> exe-db Postgres projection.
+# Keep false on laptops/dev boxes.
 EXE_CLOUD_SYNC_TO_POSTGRES=true
-EXE_LICENSE_KEY=CHANGEME_EXE_LICENSE_KEY
 # --- Gateway ---
-GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.3
+GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.4
 EXE_GATEWAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_AUTH_TOKEN
 EXE_GATEWAY_WS_RELAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_WS_RELAY_AUTH_TOKEN
 EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN=CHANGEME_EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN
+# SET_MANUALLY
+WHATSAPP_ACCESS_TOKEN=CHANGEME_WHATSAPP_ACCESS_TOKEN
 API_ROUTER_URL=https://gateway.askexe.com
+API_ROUTER_KEY=CHANGEME_API_ROUTER_KEY
+# BYOK: to use your own API keys instead of the Exe API Router,
+# set BYOK_ENABLED=true and provide ANTHROPIC_API_KEY below.
+# BYOK_ENABLED=false
+# ANTHROPIC_API_KEY=CHANGEME_ANTHROPIC_API_KEY
 GATEWAY_HTTP_HOST_PORT=3100
 GATEWAY_WS_HOST_PORT=3101
-# --- Monitoring ---
-MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.4
+# --- Monitoring agent (standard for managed customer VPSs) ---
 MONITOR_AGENT_IMAGE_TAG=ghcr.io/askexe/exe-monitor-agent:v0.9.4
-EXE_MONITOR_ADMIN_TOKEN=CHANGEME_EXE_MONITOR_ADMIN_TOKEN
-MONITOR_HUB_URL=https://monitor.askexe.com
-MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN
-MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_KEY
+MONITOR_HUB_URL=http://exe-monitor-hub:8090
+# Values copied from monitor.askexe.com when adding a new system.
+MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN_FROM_MONITOR_HUB
+MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_PUBLIC_KEY_FROM_MONITOR_HUB
 MONITOR_AGENT_LISTEN=:45876
-MONITOR_HUB_PORT=8090
+# --- AskExe central monitoring hub auth (AskExe-owned infra only) ---
+# Customer VPSs normally run only MONITOR_AGENT_* above. These hub values are
+# for monitor.askexe.com on exe-db-jkt.
+MONITOR_HUB_PUBLIC_URL=https://monitor.askexe.com
+MONITOR_HUB_SOURCE_DIR=/opt/exe-monitor
+MONITOR_HUB_HOST_PORT=8090
+MONITOR_HUB_DATA_DIR=/opt/exe-monitor-data
+MONITOR_TRUSTED_AUTH_HEADER=X-AskExe-User-Email
+# Keep false during bootstrap; flip true after the GoTrue auth proxy is live.
+MONITOR_DISABLE_PASSWORD_AUTH=false
+MONITOR_USER_CREATION=true
+MONITOR_SHARE_ALL_SYSTEMS=false
+# --- License ---
+# injected by deploy_client
+EXE_LICENSE_KEY=CHANGEME_EXE_LICENSE_KEY

package/deploy/compose/PROTECTED_FILES.md CHANGED Viewed

@@ -8,6 +8,7 @@ and log a migration notice, not replace the existing one.
 - `.env` — all secrets, tokens, passwords (PATCHED, never replaced)
 - `gateway.json` — WhatsApp adapter config, account names
 - `branding.json` — customer brand colors, fonts, logo
+- `clickhouse-config.xml` — ClickHouse memory/log guardrails
 - `cloudflared/config.yml` — tunnel ID, credentials, ingress routes
 - `cloudflared/*.json` — tunnel credential files

package/deploy/compose/README.md CHANGED Viewed

@@ -65,7 +65,7 @@ stray `DATABASE_URL`; both the explicit gate and the DB URL are required.
 ## Volumes
 `postgres_data`, `clickhouse_data`, `clickhouse_logs`, `redis_data`,
-`crm_data`, `wiki_data`, `exed_data`, `gateway_data` — local driver, persisted
+`crm_data`, `wiki_data`, `exe_os_data`, `gateway_data` — local driver, persisted
 under `/var/lib/docker/volumes/exe-os_*`. Backups (Lane G, Wave 2) snapshot
 these.

package/deploy/compose/backup.sh CHANGED Viewed

@@ -39,11 +39,12 @@ echo "[backup] Dumping postgres..."
 docker exec exe-db pg_dumpall -U exe > "$ARCHIVE/postgres.sql" 2>/dev/null || echo "[backup] Postgres dump failed"
 gzip "$ARCHIVE/postgres.sql" 2>/dev/null || true
-# 2. Customer config files (.env, gateway.json, branding.json, cloudflared)
+# 2. Customer config files (.env, gateway.json, branding.json, clickhouse-config.xml, cloudflared)
 echo "[backup] Backing up config files..."
 cp "$SCRIPT_DIR/.env" "$ARCHIVE/env.bak" 2>/dev/null || true
 cp "$SCRIPT_DIR/gateway.json" "$ARCHIVE/gateway.json" 2>/dev/null || true
 cp "$SCRIPT_DIR/branding.json" "$ARCHIVE/branding.json" 2>/dev/null || true
+cp "$SCRIPT_DIR/clickhouse-config.xml" "$ARCHIVE/clickhouse-config.xml" 2>/dev/null || true
 cp -r "$SCRIPT_DIR/cloudflared" "$ARCHIVE/cloudflared" 2>/dev/null || true
 # 3. Gateway auth state (Baileys creds — critical for WhatsApp connection)
@@ -112,6 +113,7 @@ if $DOWNLOAD_MODE; then
   echo "  cp env.bak /opt/exe-stack/.env"
   echo "  cp gateway.json /opt/exe-stack/"
   echo "  cp branding.json /opt/exe-stack/"
+  echo "  cp clickhouse-config.xml /opt/exe-stack/"
   echo "  cp -r cloudflared/ /opt/exe-stack/"
   echo "  cat postgres.sql.gz | gunzip | docker exec -i exe-db psql -U exe"
   echo "  docker compose up -d"

package/deploy/compose/clickhouse-config.xml ADDED Viewed

@@ -0,0 +1,18 @@
+<clickhouse>
+  <!--
+    Customer VPS guardrails.
+    ClickHouse writes its own logs under /var/log/clickhouse-server in addition
+    to Docker json-file logs. Keep both bounded so a quiet stack cannot grow
+    multi-GB logs with zero application queries.
+  -->
+  <logger>
+    <level>warning</level>
+    <size>10000000</size>
+    <count>3</count>
+  </logger>
+  <!-- Keep ClickHouse from consuming the whole VPS on small 24/7 deployments. -->
+  <max_server_memory_usage>1073741824</max_server_memory_usage>
+  <mark_cache_size>134217728</mark_cache_size>
+  <uncompressed_cache_size>67108864</uncompressed_cache_size>
+</clickhouse>

package/deploy/compose/docker-compose.yml CHANGED Viewed

@@ -65,6 +65,14 @@ services:
     volumes:
       - clickhouse_data:/var/lib/clickhouse
       - clickhouse_logs:/var/log/clickhouse-server
+      - ./clickhouse-config.xml:/etc/clickhouse-server/config.d/exe-os-limits.xml:ro
+    # ClickHouse calls get_mempolicy()/mbind() during startup; SYS_NICE removes
+    # the noisy "Operation not permitted" loop without granting broad privileges.
+    cap_add:
+      - SYS_NICE
+    # Guardrail for small customer VPSs. Query-level limits live in
+    # clickhouse-config.xml; mem_limit is the container-level backstop.
+    mem_limit: ${CLICKHOUSE_MEM_LIMIT:-1g}
     ulimits:
       nofile:
         soft: 262144
@@ -116,6 +124,7 @@ services:
       - path: .env
         required: false
     environment:
+      GOTRUE_API_PORT: ${GOTRUE_API_PORT:-9999}
       GOTRUE_DB_DRIVER: postgres
       GOTRUE_DB_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?sslmode=disable&search_path=auth
       GOTRUE_SITE_URL: ${GOTRUE_SITE_URL:-https://crm.askexe.com}
@@ -180,7 +189,7 @@ services:
     restart: unless-stopped
     # Auto-migrate on boot: run database init before starting the app.
     # Twenty CRM won't create tables automatically — this ensures they exist.
-    command: ["sh", "-c", "yarn database:init:prod 2>/dev/null || true && node dist/src/main"]
+    command: ["sh", "-c", "yarn database:init:prod 2>/dev/null || true && node dist/main"]
     depends_on:
       exe-db:
         condition: service_healthy
@@ -201,7 +210,7 @@ services:
       APP_SECRET: ${CRM_APP_SECRET:?CRM_APP_SECRET is required}
       EXE_CRM_ADMIN_TOKEN: ${EXE_CRM_ADMIN_TOKEN:-}
       GOTRUE_URL: http://gotrue:9999
-      PG_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}
+      PG_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?sslmode=disable
       REDIS_URL: redis://:${REDIS_PASSWORD:?REDIS_PASSWORD is required}@redis:6379
       CLICKHOUSE_URL: http://${CLICKHOUSE_USER:-exe}:${CLICKHOUSE_PASSWORD:?CLICKHOUSE_PASSWORD is required}@clickhouse:8123/${CLICKHOUSE_DB:-default}
       STORAGE_TYPE: local
@@ -249,7 +258,7 @@ services:
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
       SERVER_URL: ${CRM_SERVER_URL:-https://crm.askexe.com}
       APP_SECRET: ${CRM_APP_SECRET:?CRM_APP_SECRET is required}
-      PG_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}
+      PG_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?sslmode=disable
       REDIS_URL: redis://:${REDIS_PASSWORD:?REDIS_PASSWORD is required}@redis:6379
       CLICKHOUSE_URL: http://${CLICKHOUSE_USER:-exe}:${CLICKHOUSE_PASSWORD:?CLICKHOUSE_PASSWORD is required}@clickhouse:8123/${CLICKHOUSE_DB:-default}
       STORAGE_TYPE: local
@@ -263,6 +272,12 @@ services:
     networks:
       backend:
         ipv4_address: 10.42.0.24
+    healthcheck:
+      test: ["CMD-SHELL", "tr '\\0' ' ' < /proc/1/cmdline | grep -q 'worker:prod'"]
+      interval: 30s
+      timeout: 5s
+      start_period: 30s
+      retries: 5
     logging:
       driver: json-file
       options: { max-size: "10m", max-file: "3" }
@@ -286,7 +301,7 @@ services:
       SERVER_PORT: "3001"
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
       STORAGE_DIR: /app/server/storage
-      DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?schema=${WIKI_DB_SCHEMA:-wiki}
+      DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?schema=${WIKI_DB_SCHEMA:-wiki}&sslmode=disable
       AUTH_TOKEN: ${WIKI_AUTH_TOKEN:?WIKI_AUTH_TOKEN is required}
       EXE_WIKI_ADMIN_TOKEN: ${EXE_WIKI_ADMIN_TOKEN:-}
       GOTRUE_URL: http://gotrue:9999
@@ -325,19 +340,25 @@ services:
     environment:
       NODE_ENV: production
       EXED_PORT: "8765"
-      EXED_HOST: "127.0.0.1"
+      EXED_HOST: "0.0.0.0"
       EXED_MCP_TOKEN: ${EXED_MCP_TOKEN:?EXED_MCP_TOKEN is required}
+      EXE_DAEMON_TOKEN: ${EXED_MCP_TOKEN:?EXED_MCP_TOKEN is required}
+      EXE_MCP_HOST: "0.0.0.0"
+      EXE_MCP_ALLOW_REMOTE: "1"
+      EXE_MCP_PORT: "48739"
       EXED_DEVICE_ID: ${EXED_DEVICE_ID:-vps-default}
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
-      DATABASE_URL: ${EXED_DATABASE_URL:-postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}}
+      DATABASE_URL: ${EXED_DATABASE_URL:-postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?sslmode=disable}
       EXE_CLOUD_SYNC_TO_POSTGRES: ${EXE_CLOUD_SYNC_TO_POSTGRES:-true}
+      EXE_OS_DISABLE_NATIVE_KEYCHAIN: "1"
       EXE_RSS_WARN_MB: ${EXE_RSS_WARN_MB:-6144}
       EXE_RSS_RESTART_MB: ${EXE_RSS_RESTART_MB:-8192}
       EXE_OS_DIR: /home/exed/.exe-os
     volumes:
       - exe_os_data:/home/exed/.exe-os
     ports:
-      - "127.0.0.1:${EXED_HOST_PORT:-8765}:8765"
+      - "${EXED_HEALTH_HOST_BIND:-127.0.0.1}:${EXED_HOST_PORT:-8765}:8765"
+      - "${EXE_MCP_HOST_BIND:-0.0.0.0}:${EXE_MCP_HOST_PORT:-48739}:48739"
     networks:
       backend:
         ipv4_address: 10.42.0.22
@@ -368,7 +389,7 @@ services:
       NODE_ENV: production
       EXE_GATEWAY_HOME: /data
       EXE_GATEWAY_CONFIG: /data/gateway.json
-      DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}
+      DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?sslmode=disable
       EXE_GATEWAY_PORT: "3100"
       EXE_GATEWAY_HOST: "0.0.0.0"
       EXE_GATEWAY_AUTH_TOKEN: ${EXE_GATEWAY_AUTH_TOKEN:?EXE_GATEWAY_AUTH_TOKEN is required}
@@ -381,7 +402,9 @@ services:
       WHATSAPP_ACCESS_TOKEN: ${WHATSAPP_ACCESS_TOKEN:-}
       API_ROUTER_URL: ${API_ROUTER_URL:-https://gateway.askexe.com}
       API_ROUTER_KEY: ${API_ROUTER_KEY:-}
-      EXED_MCP_URL: http://exe-os:8765/mcp
+      EXED_MCP_URL: http://exe-os:48739/mcp
+      EXED_MCP_TOKEN: ${EXED_MCP_TOKEN:?EXED_MCP_TOKEN is required}
+      EXE_DAEMON_TOKEN: ${EXED_MCP_TOKEN:?EXED_MCP_TOKEN is required}
       BYOK_ENABLED: ${BYOK_ENABLED:-false}
       ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
@@ -412,7 +435,7 @@ services:
     container_name: exe-monitor-agent
     restart: unless-stopped
     environment:
-      HUB_URL: ${MONITOR_HUB_URL:-https://monitor.askexe.com}
+      HUB_URL: ${MONITOR_HUB_URL:-http://exe-monitor-hub:8090}
       TOKEN: ${MONITOR_AGENT_TOKEN:?MONITOR_AGENT_TOKEN is required — create Hygo system in monitor.askexe.com}
       KEY: ${MONITOR_AGENT_KEY:?MONITOR_AGENT_KEY is required — copy public key from monitor.askexe.com}
       LISTEN: ${MONITOR_AGENT_LISTEN:-:45876}
@@ -443,6 +466,7 @@ services:
   exe-update:
     image: ${EXE_OS_IMAGE_TAG:-${EXED_IMAGE_TAG:-ghcr.io/askexe/exe-os:v0.9.157}}
     container_name: exe-update
+    profiles: ["askexe-control-plane"]
     restart: unless-stopped
     entrypoint: ["node", "/app/dist/bin/registry-proxy.js"]
     env_file:
@@ -452,9 +476,9 @@ services:
       EXE_REGISTRY_PROXY_PORT: "${EXE_REGISTRY_PROXY_PORT:-3200}"
       EXE_REGISTRY_PROXY_HOST: "${EXE_REGISTRY_PROXY_HOST:-0.0.0.0}"
       EXE_REGISTRY_PROXY_UPSTREAM: "${EXE_REGISTRY_PROXY_UPSTREAM:-https://ghcr.io}"
-      EXE_REGISTRY_PROXY_UPSTREAM_USERNAME: "${EXE_REGISTRY_PROXY_UPSTREAM_USERNAME}"
-      EXE_REGISTRY_PROXY_UPSTREAM_TOKEN: "${EXE_REGISTRY_PROXY_UPSTREAM_TOKEN}"
-      EXE_REGISTRY_PROXY_PULL_TOKENS: "${EXE_REGISTRY_PROXY_PULL_TOKENS}"
+      EXE_REGISTRY_PROXY_UPSTREAM_USERNAME: "${EXE_REGISTRY_PROXY_UPSTREAM_USERNAME:-}"
+      EXE_REGISTRY_PROXY_UPSTREAM_TOKEN: "${EXE_REGISTRY_PROXY_UPSTREAM_TOKEN:-}"
+      EXE_REGISTRY_PROXY_PULL_TOKENS: "${EXE_REGISTRY_PROXY_PULL_TOKENS:-}"
       EXE_REGISTRY_PROXY_ALLOWED_NAMESPACE: "${EXE_REGISTRY_PROXY_ALLOWED_NAMESPACE:-askexe}"
     ports:
       - "127.0.0.1:${EXE_UPDATE_HOST_PORT:-3200}:${EXE_REGISTRY_PROXY_PORT:-3200}"

package/deploy/compose/gateway.json CHANGED Viewed

@@ -1,11 +1,21 @@
 {
   "port": 3100,
   "host": "0.0.0.0",
+  "authToken": "${EXE_GATEWAY_AUTH_TOKEN}",
+  "whatsappVerifyToken": "${EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN}",
   "readOnly": false,
   "adapters": {
     "whatsapp": {
-      "enabled": false,
-      "accounts": []
+      "enabled": true,
+      "credentials": {
+        "authDir": "/app/auth_info/default"
+      },
+      "accounts": [
+        {
+          "name": "default",
+          "authDir": "/app/auth_info/default"
+        }
+      ]
     }
   }
 }

package/deploy/compose/generate-env.ts CHANGED Viewed

@@ -31,8 +31,10 @@ const LICENSE_KEY_COMMENT = "# injected by deploy_client";
 const MANUAL_VALUE_COMMENT = "# SET_MANUALLY";
 const EXAMPLE_LICENSE_KEY = "CHANGEME_EXE_LICENSE_KEY";
 const DEFAULT_API_ROUTER_URL = "https://gateway.askexe.com";
-const DEFAULT_MONITOR_HUB_URL = "https://monitor.askexe.com";
+const DEFAULT_MONITOR_HUB_URL = "http://exe-monitor-hub:8090";
 const DEFAULT_MONITOR_AGENT_LISTEN = ":45876";
+const DEFAULT_EXE_MCP_HOST_BIND = "0.0.0.0";
+const DEFAULT_EXE_MCP_HOST_PORT = "48739";
 export interface GenerateEnvOptions {
   clientName: string;
@@ -59,6 +61,7 @@ export function generateEnv(options: GenerateEnvOptions): string {
     "",
     "# --- GoTrue (shared auth) ---",
     `GOTRUE_JWT_SECRET=${randomSecret(RANDOM_SECRET_48)}`,
+    "GOTRUE_API_PORT=9999",
     `GOTRUE_SITE_URL=https://crm.${normalizedDomain}`,
     `GOTRUE_EXTERNAL_URL=https://auth.${normalizedDomain}`,
     "GOTRUE_DISABLE_SIGNUP=false",
@@ -86,6 +89,8 @@ export function generateEnv(options: GenerateEnvOptions): string {
     `EXE_OS_IMAGE_TAG=${EXE_OS_IMAGE_TAG}`,
     `EXED_MCP_TOKEN=${randomSecret(RANDOM_SECRET_48)}`,
     `EXED_DEVICE_ID=vps-${normalizedClientName}`,
+    `EXE_MCP_HOST_BIND=${DEFAULT_EXE_MCP_HOST_BIND}`,
+    `EXE_MCP_HOST_PORT=${DEFAULT_EXE_MCP_HOST_PORT}`,
     "# VPS-only: enables cloud/local SQLite -> exe-db Postgres projection.",
     "EXE_CLOUD_SYNC_TO_POSTGRES=true",
     "",
@@ -138,6 +143,14 @@ export function generateExampleEnv(): string {
     "",
     "REDIS_PASSWORD=CHANGEME_REDIS_PASSWORD",
     "",
+    "# --- GoTrue (shared auth) ---",
+    "GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET",
+    "GOTRUE_API_PORT=9999",
+    "GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN",
+    "GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN",
+    "GOTRUE_DISABLE_SIGNUP=false",
+    "GOTRUE_MAILER_AUTOCONFIRM=true",
+    "",
     "# --- CRM ---",
     `CRM_IMAGE_TAG=${CRM_IMAGE_TAG}`,
     "CRM_SERVER_URL=https://CHANGEME_DOMAIN",
@@ -150,6 +163,7 @@ export function generateExampleEnv(): string {
     `WIKI_DB_SCHEMA=${WIKI_DB_SCHEMA}`,
     `WIKI_VECTOR_DB=${WIKI_VECTOR_DB}`,
     "WIKI_AUTH_TOKEN=CHANGEME_WIKI_AUTH_TOKEN",
+    "EXE_WIKI_ADMIN_TOKEN=CHANGEME_EXE_WIKI_ADMIN_TOKEN",
     "WIKI_JWT_SECRET=CHANGEME_WIKI_JWT_SECRET",
     "WIKI_SIG_KEY=CHANGEME_WIKI_SIG_KEY",
     "WIKI_SIG_SALT=CHANGEME_WIKI_SIG_SALT",
@@ -159,6 +173,8 @@ export function generateExampleEnv(): string {
     `EXE_OS_IMAGE_TAG=${EXE_OS_IMAGE_TAG}`,
     "EXED_MCP_TOKEN=CHANGEME_EXED_MCP_TOKEN",
     "EXED_DEVICE_ID=vps-default",
+    `EXE_MCP_HOST_BIND=${DEFAULT_EXE_MCP_HOST_BIND}`,
+    `EXE_MCP_HOST_PORT=${DEFAULT_EXE_MCP_HOST_PORT}`,
     "# VPS-only: enables cloud/local SQLite -> exe-db Postgres projection.",
     "# Keep false on laptops/dev boxes.",
     "EXE_CLOUD_SYNC_TO_POSTGRES=true",

package/deploy/compose/init-db.sql CHANGED Viewed

@@ -15,6 +15,18 @@ DO $$ BEGIN
   END IF;
 END $$;
+-- GoTrue upstream migrations grant privileges to role "postgres" even when
+-- this stack's configured superuser is POSTGRES_USER=exe. Existing customer
+-- volumes do not get docker-entrypoint init scripts re-run, so stack-update
+-- applies this file idempotently before restarting GoTrue.
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'postgres') THEN
+    CREATE ROLE postgres WITH SUPERUSER;
+  ELSE
+    ALTER ROLE postgres SUPERUSER;
+  END IF;
+END $$;
 -- Create extensions
 CREATE EXTENSION IF NOT EXISTS vector;
 CREATE EXTENSION IF NOT EXISTS pgcrypto;

package/deploy/compose/restore.sh CHANGED Viewed

@@ -36,6 +36,7 @@ info "Restoring config files..."
 [[ -f "$BACKUP_DIR/env.bak" ]] && cp "$BACKUP_DIR/env.bak" "$SCRIPT_DIR/.env" && info ".env restored"
 [[ -f "$BACKUP_DIR/gateway.json" ]] && cp "$BACKUP_DIR/gateway.json" "$SCRIPT_DIR/gateway.json" && info "gateway.json restored"
 [[ -f "$BACKUP_DIR/branding.json" ]] && cp "$BACKUP_DIR/branding.json" "$SCRIPT_DIR/branding.json" && info "branding.json restored"
+[[ -f "$BACKUP_DIR/clickhouse-config.xml" ]] && cp "$BACKUP_DIR/clickhouse-config.xml" "$SCRIPT_DIR/clickhouse-config.xml" && info "clickhouse-config.xml restored"
 [[ -d "$BACKUP_DIR/cloudflared" ]] && cp -r "$BACKUP_DIR/cloudflared" "$SCRIPT_DIR/" && info "cloudflared config restored"
 # 2. Restore postgres

package/deploy/compose/setup.sh CHANGED Viewed

@@ -88,6 +88,8 @@ WIKI_HOST_PORT=3001
 EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.155
 EXED_MCP_TOKEN=$(gen 48)
 EXED_DEVICE_ID=vps-${CLIENT}
+EXE_MCP_HOST_BIND=0.0.0.0
+EXE_MCP_HOST_PORT=48739
 EXE_CLOUD_SYNC_TO_POSTGRES=true
 EXE_LICENSE_KEY=${LICENSE:-CHANGEME_EXE_LICENSE_KEY}
 GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.3
@@ -100,7 +102,7 @@ GATEWAY_WS_HOST_PORT=3101
 MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.4
 MONITOR_AGENT_IMAGE_TAG=ghcr.io/askexe/exe-monitor-agent:v0.9.4
 EXE_MONITOR_ADMIN_TOKEN=$(gen 48)
-MONITOR_HUB_URL=https://monitor.${DOMAIN}
+MONITOR_HUB_URL=http://exe-monitor-hub:8090
 MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN
 MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_KEY
 MONITOR_AGENT_LISTEN=:45876

package/deploy/compose/uptime-check.sh ADDED Viewed

@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+# exe-os uptime check — runs every 5 min via cron.
+# Checks: CRM, Gateway, WhatsApp state, Postgres.
+# Writes JSONL to /opt/exe-stack/uptime.jsonl.
+# Logs ALERT to stderr (captured by cron/syslog) on any failure.
+#
+# Install:
+#   chmod +x /opt/exe-stack/uptime-check.sh
+#   echo "*/5 * * * * /opt/exe-stack/uptime-check.sh 2>&1 | logger -t exe-uptime" | crontab -
+#
+# Or add to existing crontab:
+#   crontab -l | { cat; echo "*/5 * * * * /opt/exe-stack/uptime-check.sh 2>&1 | logger -t exe-uptime"; } | crontab -
+set -uo pipefail
+# --- Config ---
+OUTFILE="${EXE_UPTIME_LOG:-/opt/exe-stack/uptime.jsonl}"
+TIMEOUT=5
+MAX_SIZE_MB=50
+# Ensure output directory exists
+mkdir -p "$(dirname "$OUTFILE")"
+# --- Helpers ---
+ts() { date -u +"%Y-%m-%dT%H:%M:%SZ"; }
+check_http() {
+  local name="$1" url="$2"
+  local code
+  code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time "$TIMEOUT" "$url" 2>/dev/null || echo "000")
+  if [[ "$code" == "200" ]]; then
+    echo "ok"
+  else
+    echo "fail:$code"
+  fi
+}
+check_postgres() {
+  local result
+  result=$(docker exec exe-db psql -U "${POSTGRES_USER:-exe}" -d "${POSTGRES_DB:-exedb}" \
+    -tAc "SELECT 1" 2>/dev/null | tr -d '[:space:]')
+  if [[ "$result" == "1" ]]; then
+    echo "ok"
+  else
+    echo "fail"
+  fi
+}
+check_whatsapp() {
+  # WhatsApp state is exposed through the gateway health endpoint.
+  # The /health endpoint returns JSON with a whatsapp.state field.
+  # If the gateway doesn't expose WhatsApp state directly, fall back
+  # to checking recent gateway logs for connection state.
+  local health_body state
+  # Try gateway health endpoint first (preferred)
+  health_body=$(curl -sk --max-time "$TIMEOUT" "http://127.0.0.1:3100/health" 2>/dev/null || echo "")
+  if [[ -n "$health_body" ]]; then
+    # Try to extract whatsapp state from JSON response
+    state=$(echo "$health_body" | grep -oP '"whatsapp"\s*:\s*\{[^}]*"state"\s*:\s*"([^"]*)"' | grep -oP '"state"\s*:\s*"\K[^"]*' 2>/dev/null || echo "")
+    # Fallback: simpler grep for state field anywhere in response
+    if [[ -z "$state" ]]; then
+      state=$(echo "$health_body" | grep -oP '"state"\s*:\s*"\K[^"]*' 2>/dev/null || echo "")
+    fi
+    if [[ "$state" == "open" || "$state" == "connected" ]]; then
+      echo "ok:$state"
+      return
+    elif [[ -n "$state" ]]; then
+      echo "fail:$state"
+      return
+    fi
+  fi
+  # Fallback: check gateway container logs for recent WhatsApp state
+  local log_state
+  log_state=$(docker logs exe-gateway --tail 50 2>&1 | \
+    grep -iP '(whatsapp|baileys|wa).*(state|status|connect)' | \
+    tail -1 2>/dev/null || echo "")
+  if echo "$log_state" | grep -qi "open\|connected\|ready"; then
+    echo "ok:log-inferred"
+  elif [[ -n "$log_state" ]]; then
+    echo "fail:log-inferred"
+  else
+    echo "unknown"
+  fi
+}
+# --- Run checks ---
+NOW=$(ts)
+crm_status=$(check_http "CRM" "http://127.0.0.1:3000/healthz")
+gateway_status=$(check_http "Gateway" "http://127.0.0.1:3100/health")
+whatsapp_status=$(check_whatsapp)
+postgres_status=$(check_postgres)
+# --- Determine overall health ---
+overall="ok"
+alerts=""
+if [[ "$crm_status" != "ok" ]]; then
+  overall="degraded"
+  alerts="${alerts}CRM($crm_status) "
+fi
+if [[ "$gateway_status" != "ok" ]]; then
+  overall="degraded"
+  alerts="${alerts}Gateway($gateway_status) "
+fi
+if [[ "$whatsapp_status" != ok* ]]; then
+  overall="degraded"
+  alerts="${alerts}WhatsApp($whatsapp_status) "
+fi
+if [[ "$postgres_status" != "ok" ]]; then
+  overall="critical"
+  alerts="${alerts}Postgres($postgres_status) "
+fi
+# --- Write JSONL ---
+# Single-line JSON — no jq dependency required
+ENTRY="{\"ts\":\"${NOW}\",\"overall\":\"${overall}\",\"crm\":\"${crm_status}\",\"gateway\":\"${gateway_status}\",\"whatsapp\":\"${whatsapp_status}\",\"postgres\":\"${postgres_status}\"}"
+echo "$ENTRY" >> "$OUTFILE"
+# --- Log ALERT on failure ---
+if [[ "$overall" != "ok" ]]; then
+  echo "ALERT [${NOW}] exe-os uptime: ${overall} — ${alerts}" >&2
+fi
+# --- Rotate if too large ---
+FILE_SIZE_KB=$(du -k "$OUTFILE" 2>/dev/null | cut -f1 || echo "0")
+MAX_SIZE_KB=$((MAX_SIZE_MB * 1024))
+if [[ "$FILE_SIZE_KB" -gt "$MAX_SIZE_KB" ]]; then
+  # Keep last 10000 lines, archive the rest
+  ARCHIVE="${OUTFILE}.$(date +%Y%m%d%H%M%S).gz"
+  head -n -10000 "$OUTFILE" | gzip > "$ARCHIVE"
+  tail -n 10000 "$OUTFILE" > "${OUTFILE}.tmp"
+  mv "${OUTFILE}.tmp" "$OUTFILE"
+  echo "ROTATE [${NOW}] Archived to ${ARCHIVE}" >&2
+fi

package/dist/{active-agent-R7QDYADX.js → active-agent-JYQI3DAH.js} RENAMED Viewed

@@ -6,10 +6,10 @@ import {
   getAllActiveAgents,
   resolveActiveAgentFromTmuxSession,
   writeActiveAgent
-} from "./chunk-S4I3UITZ.js";
+} from "./chunk-EFDIUJWC.js";
 import "./chunk-CVYC6DUW.js";
 import "./chunk-GJV3WDWM.js";
-import "./chunk-4GXXYDNU.js";
+import "./chunk-A77WVNU2.js";
 import "./chunk-OSYUNKBM.js";
 import "./chunk-FXU7JOXK.js";
 import "./chunk-WXW3XGWX.js";

package/dist/{active-agent-4XH2Q6KJ.js → active-agent-YNZ7YA74.js} RENAMED Viewed

@@ -5,10 +5,10 @@ import {
   getAllActiveAgents,
   resolveActiveAgentFromTmuxSession,
   writeActiveAgent
-} from "./chunk-S4I3UITZ.js";
+} from "./chunk-EFDIUJWC.js";
 import "./chunk-CVYC6DUW.js";
 import "./chunk-GJV3WDWM.js";
-import "./chunk-4GXXYDNU.js";
+import "./chunk-A77WVNU2.js";
 import "./chunk-OSYUNKBM.js";
 import "./chunk-FXU7JOXK.js";
 import "./chunk-WXW3XGWX.js";

package/dist/{agentic-ontology-CHAWPTEY.js → agentic-ontology-6JMLSYYU.js} RENAMED Viewed

@@ -9,7 +9,7 @@ import {
   insertOntologyForMemory,
   ontologyPayload,
   stableId
-} from "./chunk-54JMB5UI.js";
+} from "./chunk-I7K6NY34.js";
 import "./chunk-MLKGABMK.js";
 export {
   clean,