@askexenow/exe-os 0.9.243 → 0.9.244

package/deploy/compose/cloudflared/config.yml.example

@@ -38,7 +38,12 @@ ingress:
   # Gateway (WhatsApp, webhooks, pairing)
   - hostname: gateway.CHANGEME_DOMAIN
     service: http://exe-gateway:3100
-  # Monitor
+  # Monitor — /_/ admin panel blocked; only the API and UI are exposed publicly.
+  # The PocketBase superadmin UI must be accessed via SSH tunnel:
+  #   ssh -L 8090:127.0.0.1:8090 <vps> then open http://localhost:8090/_/
+  - hostname: monitor.CHANGEME_DOMAIN
+    path: /_/*
+    service: http_status:404
   - hostname: monitor.CHANGEME_DOMAIN
     service: http://exe-monitor-hub:8090
   # Auth (GoTrue)

package/dist/bin/registry-proxy.js

@@ -2,7 +2,7 @@
 import {
   registryProxyOptionsFromEnv,
   runRegistryProxy
-} from "../chunk-SVXDCELZ.js";
+} from "../chunk-SHN5O73O.js";
 import {
   isMainModule
 } from "../chunk-6Y4B3QF6.js";

package/dist/bin/stack-update.js

@@ -10,7 +10,7 @@ import {
   loadStackManifest,
   patchEnv,
   runStackUpdate
-} from "../chunk-ITZVPCBQ.js";
+} from "../chunk-BYCNUKII.js";
 import {
   runVerifyStack
 } from "../chunk-IRHNV4GY.js";
@@ -20,7 +20,7 @@ import {
 import {
   logResult,
   runHealthGate
-} from "../chunk-UIRWDGMB.js";
+} from "../chunk-TD5CADZ5.js";
 import "../chunk-MOZ2YQ54.js";
 import "../chunk-VXIMSRTO.js";
 import "../chunk-LYH5HE24.js";
@@ -562,8 +562,32 @@ function printHostReport(report) {
   if (report.envRemainingPlaceholders.length > 0) console.log(`  Remaining placeholders: ${report.envRemainingPlaceholders.join(", ")}`);
   console.log("");
 }
+function readKeyFromEnvFile(envFile, key) {
+  try {
+    const raw = readFileSync2(envFile, "utf8");
+    for (const line of raw.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith("#") || !trimmed) continue;
+      const idx = trimmed.indexOf("=");
+      if (idx <= 0) continue;
+      if (trimmed.slice(0, idx).trim() === key) {
+        const value = trimmed.slice(idx + 1).trim();
+        return value && !/CHANGEME/.test(value) ? value : void 0;
+      }
+    }
+  } catch {
+  }
+  return void 0;
+}
 async function main(args = process.argv.slice(2)) {
   const opts = parseArgs(args);
+  if (!opts.licenseKey && existsSync2(opts.envFile)) {
+    const stackLicense = readKeyFromEnvFile(opts.envFile, "EXE_LICENSE_KEY");
+    if (stackLicense) {
+      opts.licenseKey = stackLicense;
+      if (!opts.manifestAuthToken) opts.manifestAuthToken = stackLicense;
+    }
+  }
   let usingPackagedCheckTemplates = false;
   if (opts.check && !opts.noBootstrap && !existsForCli(opts.composeFile) && !existsForCli(opts.envFile)) {
     const packageRoot = path2.resolve(new URL("../..", import.meta.url).pathname);

package/dist/bin/vps-health-gate.js

@@ -8,7 +8,7 @@ import {
   logResult,
   main,
   runHealthGate
-} from "../chunk-UIRWDGMB.js";
+} from "../chunk-TD5CADZ5.js";
 import "../chunk-MLKGABMK.js";
 export {
   checkCRM,

package/dist/{chunk-ITZVPCBQ.js → chunk-BYCNUKII.js}

@@ -711,6 +711,20 @@ async function runStackUpdate(options) {
         }
       }
     }
+    if (!creds) {
+      const sampleImage = Object.values(plan.release.services)[0]?.image ?? "";
+      if (sampleImage.startsWith("update.askexe.com")) {
+        const stackEnvPullTokensRaw = process.env.EXE_REGISTRY_PROXY_PULL_TOKENS || (existsSync(options.envFile) ? (() => {
+          const envMap = parseEnv(readFileSync(options.envFile, "utf8"));
+          return envMap.get("EXE_REGISTRY_PROXY_PULL_TOKENS") ?? "";
+        })() : "");
+        const firstPullToken = stackEnvPullTokensRaw.split(/[\n,]/).map((s) => s.trim()).find(Boolean);
+        if (firstPullToken) {
+          creds = { registry: "update.askexe.com", username: "token", password: firstPullToken };
+          console.log("[stack-update] Using EXE_REGISTRY_PROXY_PULL_TOKENS for update.askexe.com registry auth.");
+        }
+      }
+    }
     if (!creds) {
       const sampleImage = Object.values(plan.release.services)[0]?.image ?? "";
       if (sampleImage.startsWith("update.askexe.com")) {

package/dist/{chunk-SVXDCELZ.js → chunk-SHN5O73O.js}

@@ -14,19 +14,39 @@ function registryProxyOptionsFromEnv(env = process.env) {
     upstreamUsername: env.EXE_REGISTRY_PROXY_UPSTREAM_USERNAME || env.GHCR_USERNAME || "askexe",
     upstreamToken,
     pullTokens,
-    allowedNamespace: env.EXE_REGISTRY_PROXY_ALLOWED_NAMESPACE || "askexe"
+    allowedNamespace: env.EXE_REGISTRY_PROXY_ALLOWED_NAMESPACE || "askexe",
+    licenseValidatorUrl: env.EXE_REGISTRY_PROXY_LICENSE_VALIDATOR_URL || ""
   };
 }
 function assertRegistryProxyConfig(options) {
   if (!options.upstreamToken) throw new Error("EXE_REGISTRY_PROXY_UPSTREAM_TOKEN or GHCR_TOKEN is required");
-  if (options.pullTokens.length === 0) throw new Error("EXE_REGISTRY_PROXY_PULL_TOKENS is required");
-  if (!options.allowedNamespace || !/^[a-z0-9._-]+$/i.test(options.allowedNamespace)) {
+  if (options.pullTokens.length === 0 && !options.licenseValidatorUrl) {
+    throw new Error("EXE_REGISTRY_PROXY_PULL_TOKENS or EXE_REGISTRY_PROXY_LICENSE_VALIDATOR_URL is required");
+  }
+  const namespace = options.allowedNamespace ?? "askexe";
+  if (!/^[a-z0-9._-]+$/i.test(namespace)) {
     throw new Error("EXE_REGISTRY_PROXY_ALLOWED_NAMESPACE must be a registry-safe namespace");
   }
 }
 function timingSafeIncludes(values, candidate) {
   return values.some((value) => value === candidate);
 }
+function isLicenseKeyFormat(value) {
+  return value.startsWith("exe_sk_") || value.startsWith("exe_lk_");
+}
+async function validateLicenseKey(licenseKey, validatorUrl) {
+  try {
+    const res = await fetch(validatorUrl, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ licenseKey }),
+      signal: AbortSignal.timeout(5e3)
+    });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
 function parseBasicAuth(header) {
   if (!header?.startsWith("Basic ")) return null;
   try {
@@ -112,10 +132,18 @@ function createRegistryProxyServer(options) {
       return;
     }
     const auth = parseBasicAuth(req.headers.authorization);
-    if (!auth || !timingSafeIncludes(options.pullTokens, auth.password)) {
+    if (!auth) {
       unauthorized(res);
       return;
     }
+    const isPullToken = timingSafeIncludes(options.pullTokens, auth.password);
+    if (!isPullToken) {
+      const licenseOk = options.licenseValidatorUrl && isLicenseKeyFormat(auth.password) ? await validateLicenseKey(auth.password, options.licenseValidatorUrl) : false;
+      if (!licenseOk) {
+        unauthorized(res);
+        return;
+      }
+    }
     const upstreamUrl = new URL(requestUrl.pathname + requestUrl.search, upstream.origin);
     const headers = new Headers();
     for (const [key, value] of Object.entries(req.headers)) {

package/dist/{chunk-UIRWDGMB.js → chunk-TD5CADZ5.js}

@@ -204,7 +204,7 @@ async function main(args) {
   console.log("[health-gate] Starting rollback...");
   restorePreDeployBackup();
   try {
-    const { rollbackStackUpdate, defaultStackPaths } = await import("./stack-update-JIWJGGLX.js");
+    const { rollbackStackUpdate, defaultStackPaths } = await import("./stack-update-7F2E2MBJ.js");
     const paths = defaultStackPaths();
     await rollbackStackUpdate({
       manifestRef: paths.manifestRef,

package/dist/hooks/manifest.json

@@ -1,6 +1,6 @@
 {
   "version": 1,
-  "generatedAt": "2026-06-09T10:58:51.886Z",
+  "generatedAt": "2026-06-09T11:17:57.737Z",
   "hashes": {
     "bug-report-worker.js": "a6039ded4fe88f726e8abee1943ab0b3eb041caadf6b31c62fdf26cc4b44ed15",
     "codex-stop-task-finalizer.js": "14c012358cec82d3e45631d8fbf680b5801300dbcacfc518f6db5865160fd8f9",

package/dist/lib/registry-proxy.js

@@ -4,7 +4,7 @@ import {
   parsePullTokens,
   registryProxyOptionsFromEnv,
   runRegistryProxy
-} from "../chunk-SVXDCELZ.js";
+} from "../chunk-SHN5O73O.js";
 import "../chunk-MLKGABMK.js";
 export {
   assertRegistryProxyConfig,

package/dist/{stack-update-JIWJGGLX.js → stack-update-7F2E2MBJ.js}

@@ -20,7 +20,7 @@ import {
   runStackUpdate,
   verifyReleaseHealth,
   verifyStackManifestSignature
-} from "./chunk-ITZVPCBQ.js";
+} from "./chunk-BYCNUKII.js";
 import "./chunk-MOZ2YQ54.js";
 import "./chunk-VXIMSRTO.js";
 import "./chunk-LYH5HE24.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askexenow/exe-os",
-  "version": "0.9.243",
+  "version": "0.9.244",
   "description": "AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",

package/release-notes.json

@@ -1,6 +1,106 @@
 {
-  "current": "0.9.243",
+  "current": "0.9.244",
   "notes": {
+    "0.9.244": {
+      "version": "0.9.244",
+      "date": "2026-06-09",
+      "features": [
+        "Entity Profile UI — knowledge graph explorer + entity detail view",
+        "log MCP session open/close to stderr for docker logs visibility",
+        "Graph→PostgreSQL sync timer — automatic SQLite→exe-db projection",
+        "project GraphRAG data to PostgreSQL during cloud sync pull",
+        "add behavior effectiveness tracking — attribution, conflicts, scoring, load",
+        "close the reinforcement loop — dreaming reads investigation data",
+        "add reviews to Cloudflare support system — separate from bugs/features",
+        "self-improvement auto-merges simple fixes, notifies on failures",
+        "automatic investigation record system for debugging cycle tracking",
+        "smoke test + Playwright E2E + self-improvement cron",
+        "P0 procedures — verify your own fix + confidence decay",
+        "boot output as formatted table with box-drawing characters",
+        "show auto-fix cycle status in exe-os boot",
+        "graceful daemon restart — persist MCP sessions for transparent recovery",
+        "default to keyword+graph search, embeddings opt-in",
+        "server-side telemetry storage + admin insights endpoint",
+        "enrich telemetry payload with usage counters and auto-insights",
+        "add telemetry auto-insight computation engine",
+        "auto-calibration in dreaming cycle + telemetry integration",
+        "first-class time estimation on tasks — auto-tracked, queryable",
+        "add agent assertion system — confidence tracking on task lifecycle",
+        "auto-run dreaming cycle on session end — zero-touch self-improvement",
+        "add dreaming system + structured handoffs to platform procedures",
+        "add snapshot + boot to platform procedures and operating procedures",
+        "add `exe-os boot --project X` CLI command for project boot verification"
+      ],
+      "fixes": [
+        "registry proxy accepts license keys + stack-update reads .env license",
+        "stack-release uses defaultBranch per repo (wiki uses master)",
+        "prevent stale task intercom prompts",
+        "v0.9.241 — 13 more bug fixes (28 total this session)",
+        "sync lockfile for Docker build — npm ci --omit=dev works again",
+        "keep review notifications session-local and test-safe",
+        "CI Dockerfile reference — Dockerfile.exed → Dockerfile.exe-os",
+        "v0.9.240 — 15 bug fixes across HYGO, Jack, platform (stack v0.9.15)",
+        "keep daemon memory recall FTS bounded",
+        "keep daemon cloud sync off CRDT heap path",
+        "suppress ENOBUFS in reapers + skip boot-time sync execution",
+        "MCP health probe in prompt hook + Docker image build tolerance",
+        "plug MCP session memory leak — zombie McpServer instances accumulated",
+        "lower RSS watchdog to 1.5/2.5GB + add GC after heavy operations",
+        "snapshot crash — daemon fallback + dreaming scope binding",
+        "skip duplicate initStore in WS client — prevents 2-8s event loop block",
+        "add session scope imports to dreaming, project-boot, telemetry-upload",
+        "resolve typecheck errors for npm publish",
+        "add setImmediate yields to Graph→PG sync — prevent event loop blocking",
+        "convert SQLite short hex IDs to valid UUIDs for PostgreSQL projection",
+        "delay initial graph sync tick to 60s + add debug logging",
+        "share DB init state between MCP HTTP and timer ticks",
+        "allow VPS daemon to run in PostgreSQL-only mode (no encryption key)",
+        "detect response body failures — build pass ≠ feature works",
+        "coordinators see all tasks cross-session by default"
+      ],
+      "security": [
+        "fix shell injection, SSRF, socket leaks, backup validation",
+        "bump v0.9.139 — 2 CRITICAL security fixes, 14 bug fixes, 6 features, customer config preservation",
+        "fix 2 CRITICAL + 1 HIGH from post-fix audit",
+        "validate X-Agent-Role against roster — prevent privilege escalation",
+        "release: stack v0.9.8 — security hardening + Hygo bug fixes",
+        "add webhook HMAC-SHA256 validation + disable query param auth in prod",
+        "pin GitHub Actions to SHAs, update jose to 6.2.3",
+        "harden support intake against abuse and data leakage",
+        "bump to v0.9.22 — Codex MCP parity + customer bug fixes + security audit remediation",
+        "audit: pre-hygo exe-gateway security report",
+        "add SECURITY.md — trust document for pre-install security evaluation",
+        "fix 4 pricing tier bypass vulnerabilities (audit F1-F4)"
+      ],
+      "other": [
+        "bump v0.9.244",
+        "cover registry proxy license auth fallbacks",
+        "update release notes for v0.9.243",
+        "stack release v0.9.16",
+        "bump v0.9.243 for stack release",
+        "bump v0.9.242 for stack release",
+        "add STACK-RELEASE.md — full release process documentation",
+        "claurst competitive analysis — npm distribution + free-tier mode",
+        "bump stack.release.json to v0.9.240 for CI image build",
+        "update release notes for v0.9.238-239",
+        "release: stack v0.9.14 — gateway audit fixes",
+        "release: stack v0.9.13 — HYGO deployment readiness",
+        "incremental Graph→PG sync — 86K rows → deltas only",
+        "batch Graph→PG sync — 500 rows per INSERT instead of row-by-row",
+        "consolidate daemon timers into unified orchestration tick (#78)",
+        "revise GLiNER — Haiku API now, GLiNER when cost matters",
+        "capture GLiNER entity extraction in ARCHITECTURE.md",
+        "detailed design system structure + Phase 2 component list",
+        "exe-os-design-system — unified design system for all products",
+        "GoTrue JWT unified auth architecture — founder directive 2026-06-08",
+        "Thread + Graph Discovery architecture — unified knowledge view",
+        "move heavy jobs to 9 PM — GraphRAG, skill sweep, backup",
+        "Mode 3 Client-Side RAG architecture — memories never leave device",
+        "bump to v0.9.230 — P0 WAL backup corruption fix for Jack",
+        "bump to v0.9.225"
+      ],
+      "migration_notes": []
+    },
     "0.9.243": {
       "version": "0.9.243",
       "date": "2026-06-09",
@@ -232,34 +332,6 @@
         "bump to v0.9.230 — P0 WAL backup corruption fix for Jack"
       ],
       "migration_notes": []
-    },
-    "0.9.228": {
-      "version": "0.9.228",
-      "date": "2026-06-08",
-      "features": [
-        "default to keyword+graph search, embeddings opt-in",
-        "server-side telemetry storage + admin insights endpoint",
-        "enrich telemetry payload with usage counters and auto-insights",
-        "add telemetry auto-insight computation engine",
-        "auto-calibration in dreaming cycle + telemetry integration",
-        "first-class time estimation on tasks — auto-tracked, queryable",
-        "add agent assertion system — confidence tracking on task lifecycle",
-        "auto-run dreaming cycle on session end — zero-touch self-improvement",
-        "add dreaming system + structured handoffs to platform procedures"
-      ],
-      "fixes": [
-        "harden install for first-time VPS users — 5 fragility fixes",
-        "resolveDataDir finds exe-os install regardless of which user runs it",
-        "health check uses SUDO_USER home, not /root",
-        "auto-sudo on Linux when global node_modules needs root",
-        "improve setup wizard UX — boxed team display, remove Dashboard mode",
-        "show full license key with --show-full, auto-select default model"
-      ],
-      "security": [],
-      "other": [
-        "bump to v0.9.225"
-      ],
-      "migration_notes": []
     }
   }
 }