@askexenow/exe-os 0.9.270 → 0.9.271

package/dist/stack-release-2KSOYDIV.js

@@ -0,0 +1,712 @@
+#!/usr/bin/env node
+import "./chunk-MLKGABMK.js";
+
+// src/bin/stack-release.ts
+import { readFileSync, writeFileSync, existsSync } from "fs";
+import { execFile as execFileCb } from "child_process";
+import { promisify } from "util";
+import path from "path";
+import { createInterface } from "readline";
+var execFile = promisify(execFileCb);
+function findExeOsRoot() {
+  let dir = path.dirname(new URL(import.meta.url).pathname);
+  for (let i = 0; i < 5; i++) {
+    const pkgPath = path.join(dir, "package.json");
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+        if (pkg.name === "@askexenow/exe-os") return dir;
+      } catch {
+      }
+    }
+    dir = path.dirname(dir);
+  }
+  return path.resolve(path.dirname(new URL(import.meta.url).pathname), "..", "..");
+}
+var EXE_OS_ROOT = findExeOsRoot();
+var PARENT_DIR = path.dirname(EXE_OS_ROOT);
+var MANIFEST_PATH = path.join(EXE_OS_ROOT, "deploy", "stack-manifests", "v0.9.json");
+function resolveRepoPath(dirName) {
+  const direct = path.join(PARENT_DIR, dirName);
+  if (existsSync(direct)) return direct;
+  const aliases = {
+    "exe-crm": ["openclaw", "exe-crm"],
+    "exe-wiki": ["ink", "exe-wiki"]
+  };
+  const candidates = aliases[dirName];
+  if (candidates) {
+    for (const alias of candidates) {
+      const p = path.join(PARENT_DIR, alias);
+      if (existsSync(p)) return p;
+    }
+  }
+  return direct;
+}
+function buildRepoConfigs() {
+  return [
+    {
+      serviceKey: "exe-os",
+      ghRepo: "AskExe/exe-os",
+      localPath: EXE_OS_ROOT,
+      imageName: "update.askexe.com/askexe/exe-os",
+      releaseWorkflow: "release-stack-image.yml",
+      simpleTag: true,
+      defaultBranch: "main"
+    },
+    {
+      serviceKey: "gateway",
+      ghRepo: "AskExe/exe-gateway",
+      localPath: resolveRepoPath("exe-gateway"),
+      imageName: "update.askexe.com/askexe/exe-gateway",
+      releaseWorkflow: "release-image.yml",
+      simpleTag: true,
+      defaultBranch: "main"
+    },
+    {
+      serviceKey: "crm",
+      ghRepo: "AskExe/exe-crm",
+      localPath: resolveRepoPath("exe-crm"),
+      imageName: "update.askexe.com/askexe/exe-crm",
+      releaseWorkflow: "release-stack-image.yml",
+      simpleTag: true,
+      defaultBranch: "main"
+    },
+    {
+      serviceKey: "erp",
+      ghRepo: "AskExe/exe-erp",
+      localPath: resolveRepoPath("exe-erp"),
+      imageName: "update.askexe.com/askexe/exe-erp",
+      releaseWorkflow: "release-stack-image.yml",
+      simpleTag: true,
+      defaultBranch: "main"
+    },
+    {
+      serviceKey: "wiki",
+      ghRepo: "AskExe/exe-wiki",
+      localPath: resolveRepoPath("exe-wiki"),
+      imageName: "update.askexe.com/askexe/exe-wiki",
+      releaseWorkflow: "release-stack-image.yml",
+      simpleTag: true,
+      defaultBranch: "master"
+    },
+    {
+      serviceKey: "monitor-hub",
+      ghRepo: "AskExe/exe-monitor",
+      localPath: resolveRepoPath("exe-monitor"),
+      imageName: "update.askexe.com/askexe/exe-monitor-hub",
+      releaseWorkflow: "release-stack-image.yml",
+      simpleTag: true,
+      defaultBranch: "main"
+    },
+    {
+      serviceKey: "monitor-agent",
+      ghRepo: "AskExe/exe-monitor",
+      localPath: resolveRepoPath("exe-monitor"),
+      imageName: "update.askexe.com/askexe/exe-monitor-agent",
+      releaseWorkflow: "release-stack-image.yml",
+      simpleTag: true,
+      defaultBranch: "main"
+    }
+  ];
+}
+function parseReleaseArgs(argv) {
+  const flags = {
+    stack: false,
+    dryRun: false,
+    yes: false,
+    repos: null,
+    major: false,
+    minor: false,
+    skipImageVerify: false
+  };
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === "--stack") flags.stack = true;
+    else if (arg === "--dry-run") flags.dryRun = true;
+    else if (arg === "--yes" || arg === "-y") flags.yes = true;
+    else if (arg === "--major") flags.major = true;
+    else if (arg === "--minor") flags.minor = true;
+    else if (arg === "--skip-image-verify") flags.skipImageVerify = true;
+    else if (arg === "--repos" && argv[i + 1]) {
+      flags.repos = argv[++i].split(",").map((s) => s.trim()).filter(Boolean);
+    } else if (arg.startsWith("--repos=")) {
+      flags.repos = arg.slice("--repos=".length).split(",").map((s) => s.trim()).filter(Boolean);
+    }
+  }
+  return flags;
+}
+async function git(repoPath, ...args) {
+  const { stdout } = await execFile("git", ["-C", repoPath, ...args]);
+  return stdout.trim();
+}
+async function getLastTag(repoPath) {
+  try {
+    return await git(repoPath, "describe", "--tags", "--abbrev=0");
+  } catch {
+    return null;
+  }
+}
+async function getCommitsSinceTag(repoPath, tag) {
+  try {
+    const output = await git(repoPath, "log", `${tag}..HEAD`, "--oneline");
+    return output.split("\n").filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+async function ghRun(args) {
+  const { stdout } = await execFile("gh", args);
+  return stdout.trim();
+}
+function bumpVersion(version, mode) {
+  const parts = version.split(".").map(Number);
+  if (parts.length < 3) throw new Error(`Invalid version: ${version}`);
+  const [major, minor, patch] = parts;
+  switch (mode) {
+    case "major":
+      return `${major + 1}.0.0`;
+    case "minor":
+      return `${major}.${minor + 1}.0`;
+    case "patch":
+    default:
+      return `${major}.${minor}.${patch + 1}`;
+  }
+}
+function readPackageVersion(repoPath) {
+  const pkgPath = path.join(repoPath, "package.json");
+  const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+  return pkg.version;
+}
+function readStackReleaseJson(repoPath) {
+  const p = path.join(repoPath, "stack.release.json");
+  if (!existsSync(p)) return null;
+  return JSON.parse(readFileSync(p, "utf8"));
+}
+async function detectChanges(repos) {
+  const changes = [];
+  for (const repo of repos) {
+    if (!existsSync(repo.localPath)) {
+      log("warn", `Repo not found: ${repo.localPath} \u2014 skipping ${repo.serviceKey}`);
+      continue;
+    }
+    const lastTag = await getLastTag(repo.localPath);
+    if (!lastTag) {
+      log("warn", `No tags found in ${repo.serviceKey} \u2014 skipping`);
+      continue;
+    }
+    const commits = await getCommitsSinceTag(repo.localPath, lastTag);
+    if (commits.length === 0) {
+      log("info", `${repo.serviceKey}: no changes since ${lastTag}`);
+      continue;
+    }
+    const currentVersion = readPackageVersion(repo.localPath);
+    changes.push({
+      repo,
+      currentVersion,
+      newVersion: "",
+      // filled in step 2
+      commits,
+      tag: ""
+      // filled in step 2
+    });
+  }
+  return changes;
+}
+async function bumpVersions(changes, mode, dryRun) {
+  for (const change of changes) {
+    const newVersion = bumpVersion(change.currentVersion, mode);
+    change.newVersion = newVersion;
+    change.tag = `v${newVersion}`;
+    if (dryRun) {
+      log("dry", `${change.repo.serviceKey}: ${change.currentVersion} -> ${newVersion}`);
+      continue;
+    }
+    const pkgPath = path.join(change.repo.localPath, "package.json");
+    const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+    pkg.version = newVersion;
+    writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n");
+    const srf = readStackReleaseJson(change.repo.localPath);
+    if (srf) {
+      srf.version = newVersion;
+      srf.sourceVersion = newVersion;
+      if (typeof srf.image === "string") {
+        const imageBase = srf.image.replace(/:v[^:]+$/, "");
+        srf.image = `${imageBase}:v${newVersion}`;
+      }
+      if (srf.components && typeof srf.components === "object") {
+        const components = srf.components;
+        for (const key of Object.keys(components)) {
+          const base = components[key].replace(/:v[^:]+$/, "");
+          components[key] = `${base}:v${newVersion}`;
+        }
+      }
+      writeFileSync(
+        path.join(change.repo.localPath, "stack.release.json"),
+        JSON.stringify(srf, null, 2) + "\n"
+      );
+    }
+    await git(change.repo.localPath, "add", "package.json", "stack.release.json");
+    await git(change.repo.localPath, "commit", "-m", `chore: bump v${newVersion} for stack release`);
+    await git(change.repo.localPath, "push", "origin", change.repo.defaultBranch);
+    log("ok", `${change.repo.serviceKey}: bumped ${change.currentVersion} -> ${newVersion}`);
+  }
+}
+async function tagAndTriggerCI(changes, dryRun) {
+  for (const change of changes) {
+    if (dryRun) {
+      log("dry", `Would tag ${change.repo.serviceKey} ${change.tag}`);
+      continue;
+    }
+    await git(change.repo.localPath, "tag", change.tag);
+    await git(change.repo.localPath, "push", "origin", change.tag);
+    log("ok", `Tagged ${change.repo.serviceKey} ${change.tag} \u2014 CI triggered`);
+  }
+}
+async function waitForCI(changes, dryRun) {
+  if (dryRun) {
+    return changes.map((c) => ({
+      repo: c.repo,
+      tag: c.tag,
+      status: "completed",
+      conclusion: "success"
+    }));
+  }
+  const TIMEOUT_MS = 15 * 60 * 1e3;
+  const POLL_INTERVAL_MS = 30 * 1e3;
+  const startTime = Date.now();
+  const statuses = changes.map((c) => ({
+    repo: c.repo,
+    tag: c.tag,
+    status: "in_progress"
+  }));
+  log("info", `Waiting for ${changes.length} CI build(s)... (timeout: 15m)`);
+  while (Date.now() - startTime < TIMEOUT_MS) {
+    const pending = statuses.filter((s) => s.status === "in_progress");
+    if (pending.length === 0) break;
+    for (const st of pending) {
+      try {
+        const output = await ghRun([
+          "run",
+          "list",
+          "--repo",
+          st.repo.ghRepo,
+          "--workflow",
+          st.repo.releaseWorkflow,
+          "--limit",
+          "1",
+          "--json",
+          "status,conclusion,url"
+        ]);
+        const runs = JSON.parse(output);
+        const latest = runs[0];
+        if (!latest) continue;
+        if (latest.status === "completed") {
+          st.status = "completed";
+          st.conclusion = latest.conclusion ?? "unknown";
+          st.url = latest.url;
+          if (st.conclusion === "success") {
+            log("ok", `CI passed: ${st.repo.serviceKey} ${st.tag}`);
+          } else {
+            log("fail", `CI failed: ${st.repo.serviceKey} ${st.tag} (${st.conclusion}) \u2014 ${st.url}`);
+          }
+        }
+      } catch (err) {
+        log("warn", `Failed to check CI for ${st.repo.serviceKey}: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+    const stillPending = statuses.filter((s) => s.status === "in_progress");
+    if (stillPending.length === 0) break;
+    log("info", `${stillPending.length} CI build(s) still running... (${Math.round((Date.now() - startTime) / 1e3)}s elapsed)`);
+    await sleep(POLL_INTERVAL_MS);
+  }
+  for (const st of statuses) {
+    if (st.status === "in_progress") {
+      st.status = "timed_out";
+      log("fail", `CI timed out: ${st.repo.serviceKey} ${st.tag}`);
+    }
+  }
+  return statuses;
+}
+var PROXY_REGISTRY = "update.askexe.com";
+var GHCR_REGISTRY = "ghcr.io";
+function shortImageName(imageName) {
+  const parts = imageName.split("/");
+  return parts[parts.length - 1] ?? imageName;
+}
+async function checkRegistryManifest(registry, repo, tag, token) {
+  const url = `https://${registry}/v2/${repo}/manifests/${tag}`;
+  const headers = [
+    "-H",
+    "Accept: application/vnd.oci.image.index.v1+json"
+  ];
+  if (token) {
+    headers.push("-H", `Authorization: Bearer ${token}`);
+  }
+  try {
+    const { stdout } = await execFile("curl", [
+      "-sS",
+      "-m",
+      "30",
+      "-o",
+      "/dev/null",
+      "-w",
+      "%{http_code}",
+      ...headers,
+      url
+    ]);
+    const code = parseInt(stdout.trim(), 10);
+    return { status: code, ok: code >= 200 && code < 300 };
+  } catch {
+    return { status: 0, ok: false };
+  }
+}
+async function warmProxyCache(imageRef) {
+  try {
+    await execFile("docker", ["pull", imageRef], { timeout: 12e4 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function verifyImages(changes, ciStatuses, dryRun) {
+  if (dryRun) {
+    return changes.map((c) => ({
+      repo: c.repo,
+      tag: `v${c.newVersion}`,
+      ghcr: "ok",
+      proxy: "ok"
+    }));
+  }
+  const proxyToken = process.env.EXE_REGISTRY_PROXY_PULL_TOKEN ?? void 0;
+  const results = [];
+  log("info", "Verifying Docker images are pullable...");
+  for (const change of changes) {
+    const ci = ciStatuses.find((s) => s.repo.serviceKey === change.repo.serviceKey);
+    if (!ci || ci.status !== "completed" || ci.conclusion !== "success") continue;
+    const tag = `v${change.newVersion}`;
+    const shortName = shortImageName(change.repo.imageName);
+    const proxyRepo = `askexe/${shortName}`;
+    const ghcrRepo = `askexe/${shortName}`;
+    const result = {
+      repo: change.repo,
+      tag,
+      ghcr: "error",
+      proxy: "error"
+    };
+    const proxyCheck = await checkRegistryManifest(PROXY_REGISTRY, proxyRepo, tag, proxyToken);
+    if (proxyCheck.ok) {
+      result.proxy = "ok";
+    } else {
+      result.proxy = "pending";
+    }
+    let ghcrToken = process.env.GHCR_TOKEN?.trim() || void 0;
+    if (!ghcrToken) {
+      try {
+        const { stdout } = await execFile("gh", ["auth", "token"]);
+        ghcrToken = stdout.trim();
+      } catch {
+      }
+    }
+    const ghcrCheck = await checkRegistryManifest(GHCR_REGISTRY, ghcrRepo, tag, ghcrToken);
+    if (ghcrCheck.ok) {
+      result.ghcr = "ok";
+    } else if (ghcrCheck.status === 401 || ghcrCheck.status === 403) {
+      result.ghcr = "error";
+      result.detail = `GHCR auth failed (${ghcrCheck.status}) \u2014 cannot verify image. Fix gh auth or GHCR_TOKEN.`;
+      log("fail", `GHCR auth returned ${ghcrCheck.status} for ${shortName}:${tag} \u2014 cannot verify, treating as error`);
+    } else {
+      result.ghcr = "missing";
+      result.detail = `GHCR returned ${ghcrCheck.status} for ${ghcrRepo}:${tag}`;
+    }
+    if (result.ghcr === "ok" && result.proxy !== "ok") {
+      log("info", `Warming proxy cache for ${shortName}:${tag}...`);
+      const proxyRef = `${PROXY_REGISTRY}/${proxyRepo}:${tag}`;
+      const warmed = await warmProxyCache(proxyRef);
+      if (warmed) {
+        result.proxy = "ok";
+        log("ok", `Proxy cache warmed: ${shortName}:${tag}`);
+      } else {
+        result.proxy = "pending";
+        log("warn", `Could not warm proxy for ${shortName}:${tag} \u2014 GHCR has it, proxy will cache on first customer pull`);
+      }
+    }
+    if (result.ghcr === "ok" && result.proxy === "ok") {
+      log("ok", `Image verified: ${shortName}:${tag} (GHCR + proxy)`);
+    } else if (result.ghcr === "ok" && result.proxy === "pending") {
+      log("warn", `Image on GHCR only: ${shortName}:${tag} (proxy will cache on first pull)`);
+    } else if (result.ghcr === "missing") {
+      log("fail", `Image NOT FOUND on GHCR: ${shortName}:${tag} \u2014 release may be broken!`);
+    }
+    results.push(result);
+  }
+  return results;
+}
+function printImageVerification(results) {
+  if (results.length === 0) return;
+  console.log("\n  Image verification:");
+  for (const r of results) {
+    const shortName = shortImageName(r.repo.imageName);
+    const ghcrIcon = r.ghcr === "ok" ? "\x1B[32m\u2713\x1B[0m" : "\x1B[31m\u2717\x1B[0m";
+    const proxyIcon = r.proxy === "ok" ? "\x1B[32m\u2713\x1B[0m" : r.proxy === "pending" ? "\x1B[33m~\x1B[0m" : "\x1B[31m\u2717\x1B[0m";
+    const proxyLabel = r.proxy === "pending" ? "pending (first pull will cache)" : r.proxy;
+    console.log(
+      `    ${shortName}:${r.tag}`.padEnd(40) + `${ghcrIcon} GHCR  ${proxyIcon} proxy${r.proxy === "pending" ? ` (${proxyLabel})` : ""}`
+    );
+  }
+  console.log("");
+}
+function updateStackManifest(changes, ciStatuses, dryRun, imageResults) {
+  const manifest = JSON.parse(readFileSync(MANIFEST_PATH, "utf8"));
+  const currentLatest = manifest.latest;
+  const currentParts = currentLatest.split(".").map(Number);
+  const newStackVersion = `${currentParts[0]}.${currentParts[1]}.${(currentParts[2] ?? 0) + 1}`;
+  const baseEntry = manifest.stacks[currentLatest];
+  const baseServices = baseEntry?.services ?? {};
+  const services = {};
+  for (const [key, svc] of Object.entries(baseServices)) {
+    services[key] = { ...svc };
+  }
+  const successfulChanges = [];
+  for (const change of changes) {
+    const ciStatus = ciStatuses.find((s) => s.repo.serviceKey === change.repo.serviceKey);
+    if (ciStatus && ciStatus.status === "completed" && ciStatus.conclusion === "success") {
+      successfulChanges.push(change);
+      const svc = services[change.repo.serviceKey];
+      if (svc) {
+        const imageTag = `${change.repo.imageName}:v${change.newVersion}`;
+        const imgResult = imageResults?.find((r) => r.repo.serviceKey === change.repo.serviceKey);
+        svc.image = imgResult?.digest ? `${imageTag}@${imgResult.digest}` : imageTag;
+      }
+    }
+  }
+  if (successfulChanges.length === 0 && !dryRun) {
+    log("warn", "No successful CI builds \u2014 manifest not updated");
+    return currentLatest;
+  }
+  const notesParts = [];
+  for (const change of successfulChanges) {
+    const summaries = change.commits.slice(0, 5).map((c) => {
+      const msg = c.replace(/^[a-f0-9]+ /, "");
+      return msg;
+    });
+    notesParts.push(`${change.repo.serviceKey} v${change.newVersion}: ${summaries.join("; ")}`);
+  }
+  const notes = notesParts.join(". ");
+  const exeOsVersion = readPackageVersion(EXE_OS_ROOT);
+  const newEntry = {
+    version: newStackVersion,
+    releasedAt: (/* @__PURE__ */ new Date()).toISOString().replace(/T.*/, "T00:00:00Z"),
+    notes,
+    npmVersion: exeOsVersion,
+    breakingChanges: [],
+    services
+  };
+  if (dryRun) {
+    log("dry", `Would create stack ${newStackVersion} in manifest`);
+    log("dry", `Notes: ${notes}`);
+    return newStackVersion;
+  }
+  manifest.latest = newStackVersion;
+  manifest.stacks[newStackVersion] = newEntry;
+  writeFileSync(MANIFEST_PATH, JSON.stringify(manifest, null, 2) + "\n");
+  log("ok", `Stack manifest updated: ${currentLatest} -> ${newStackVersion}`);
+  return newStackVersion;
+}
+async function commitAndTagExeOs(newStackVersion, _exeOsChange, dryRun) {
+  if (dryRun) {
+    log("dry", `Would commit manifest + tag exe-os stack-v${newStackVersion}`);
+    return;
+  }
+  const status = await git(EXE_OS_ROOT, "status", "--porcelain", "deploy/stack-manifests/v0.9.json");
+  if (status) {
+    await git(EXE_OS_ROOT, "add", "deploy/stack-manifests/v0.9.json");
+    const commitMsg = `chore: stack release v${newStackVersion}`;
+    await git(EXE_OS_ROOT, "commit", "-m", commitMsg);
+    await git(EXE_OS_ROOT, "push", "origin", "main");
+    log("ok", `Committed stack manifest v${newStackVersion}`);
+  }
+  const stackTag = `stack-v${newStackVersion}`;
+  try {
+    await git(EXE_OS_ROOT, "tag", stackTag);
+    await git(EXE_OS_ROOT, "push", "origin", stackTag);
+    log("ok", `Tagged exe-os ${stackTag}`);
+  } catch (err) {
+    log("warn", `Failed to tag exe-os ${stackTag}: ${err instanceof Error ? err.message : String(err)}`);
+  }
+}
+function printSummary(changes, ciStatuses, newStackVersion, dryRun) {
+  const divider = "\u2500".repeat(70);
+  console.log(`
+${divider}`);
+  console.log(`  ${dryRun ? "[DRY RUN] " : ""}Stack Release Summary \u2014 v${newStackVersion}`);
+  console.log(divider);
+  console.log(
+    `  ${"Service".padEnd(14)} ${"Version".padEnd(20)} ${"Commits".padEnd(8)} ${"CI".padEnd(12)}`
+  );
+  console.log(`  ${"\u2500".repeat(14)} ${"\u2500".repeat(20)} ${"\u2500".repeat(8)} ${"\u2500".repeat(12)}`);
+  for (const change of changes) {
+    const ci = ciStatuses.find((s) => s.repo.serviceKey === change.repo.serviceKey);
+    const ciLabel = dryRun ? "\x1B[33mpending\x1B[0m" : ci?.status === "completed" && ci.conclusion === "success" ? "\x1B[32msuccess\x1B[0m" : ci?.status === "timed_out" ? "\x1B[31mtimed out\x1B[0m" : `\x1B[31m${ci?.conclusion ?? ci?.status ?? "unknown"}\x1B[0m`;
+    const versionStr = `${change.currentVersion} -> ${change.newVersion}`;
+    console.log(
+      `  ${change.repo.serviceKey.padEnd(14)} ${versionStr.padEnd(20)} ${String(change.commits.length).padEnd(8)} ${ciLabel}`
+    );
+  }
+  if (changes.length === 0) {
+    console.log("  No changes detected across any repo.");
+  }
+  console.log(divider);
+  if (!dryRun) {
+    const failed = ciStatuses.filter(
+      (s) => s.status !== "completed" || s.conclusion !== "success"
+    );
+    if (failed.length > 0) {
+      console.log("\n  \x1B[31mWarning:\x1B[0m Some CI builds failed. Check the links above.");
+    } else if (changes.length > 0) {
+      console.log(
+        `
+  \x1B[32mAll done.\x1B[0m Customers will pull new images from update.askexe.com on next stack-update.`
+      );
+    }
+  }
+  console.log("");
+}
+function log(level, msg) {
+  const prefix = {
+    info: "\x1B[36m[info]\x1B[0m",
+    ok: "\x1B[32m[ok]\x1B[0m",
+    warn: "\x1B[33m[warn]\x1B[0m",
+    fail: "\x1B[31m[fail]\x1B[0m",
+    dry: "\x1B[35m[dry-run]\x1B[0m"
+  };
+  console.log(`  ${prefix[level]} ${msg}`);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function confirm(message) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(`
+  ${message} [y/N] `, (answer) => {
+      rl.close();
+      resolve(answer.trim().toLowerCase() === "y" || answer.trim().toLowerCase() === "yes");
+    });
+  });
+}
+async function runStackRelease(flags) {
+  if (!flags.stack) {
+    console.error("Usage: exe-os release --stack [--dry-run] [--repos <list>] [--yes] [--skip-image-verify]");
+    process.exit(1);
+  }
+  console.log(`
+  \x1B[1mexe-os stack release\x1B[0m${flags.dryRun ? " (dry run)" : ""}
+`);
+  const allRepos = buildRepoConfigs();
+  let repos;
+  if (flags.repos) {
+    repos = [];
+    for (const name of flags.repos) {
+      const match = allRepos.find(
+        (r) => r.serviceKey === name || r.ghRepo.endsWith(`/${name}`) || r.ghRepo === name
+      );
+      if (match) {
+        repos.push(match);
+      } else {
+        log("warn", `Unknown repo: ${name} \u2014 skipping`);
+      }
+    }
+    if (repos.length === 0) {
+      console.error("No valid repos specified.");
+      process.exit(1);
+    }
+  } else {
+    repos = allRepos;
+  }
+  for (const repo of repos) {
+    if (!existsSync(repo.localPath)) {
+      log("fail", `Repo not found: ${repo.localPath} (${repo.serviceKey})`);
+      log("info", `Expected sibling directory of exe-os. Verify the directory exists.`);
+      process.exit(1);
+    }
+  }
+  log("info", "Detecting changes across repos...");
+  const changes = await detectChanges(repos);
+  if (changes.length === 0) {
+    console.log("\n  No changes detected since last tags. Nothing to release.\n");
+    return;
+  }
+  const bumpMode = flags.major ? "major" : flags.minor ? "minor" : "patch";
+  for (const change of changes) {
+    const newVersion = bumpVersion(change.currentVersion, bumpMode);
+    change.newVersion = newVersion;
+    change.tag = `v${newVersion}`;
+  }
+  console.log("\n  Planned releases:");
+  for (const change of changes) {
+    console.log(
+      `    ${change.repo.serviceKey.padEnd(14)} ${change.currentVersion} -> ${change.newVersion}  (${change.commits.length} commit${change.commits.length === 1 ? "" : "s"})`
+    );
+  }
+  if (!flags.yes && !flags.dryRun) {
+    const ok = await confirm("Proceed with release?");
+    if (!ok) {
+      console.log("  Aborted.\n");
+      return;
+    }
+  }
+  await bumpVersions(changes, bumpMode, flags.dryRun);
+  log("info", "Tagging repos and triggering CI...");
+  await tagAndTriggerCI(changes, flags.dryRun);
+  const ciStatuses = await waitForCI(changes, flags.dryRun);
+  let imageResults = [];
+  if (flags.skipImageVerify) {
+    log("warn", "Image verification skipped (--skip-image-verify)");
+  } else {
+    imageResults = await verifyImages(changes, ciStatuses, flags.dryRun);
+    const failed = imageResults.filter((r) => (r.ghcr === "missing" || r.ghcr === "error") && r.proxy !== "ok");
+    if (failed.length > 0 && !flags.dryRun) {
+      for (const m of failed) {
+        log("fail", `${shortImageName(m.repo.imageName)}:${m.tag} \u2014 GHCR status: ${m.ghcr}, proxy: ${m.proxy} \u2014 cannot release`);
+      }
+      log("fail", "Aborting: images not verified. Fix GHCR auth/CI or use --skip-image-verify to override.");
+      process.exit(1);
+    }
+    const pending = imageResults.filter((r) => r.proxy === "pending");
+    if (pending.length > 0) {
+      for (const p of pending) {
+        log("warn", `${shortImageName(p.repo.imageName)}:${p.tag} \u2014 proxy cache pending`);
+      }
+      if (!flags.dryRun) {
+        log("fail", "Aborting: proxy cache not ready for all images. Wait for proxy propagation or use --skip-image-verify.");
+        process.exit(1);
+      }
+    }
+    printImageVerification(imageResults);
+  }
+  log("info", "Updating stack manifest...");
+  const newStackVersion = updateStackManifest(changes, ciStatuses, flags.dryRun, imageResults);
+  const exeOsChange = changes.find((c) => c.repo.serviceKey === "exe-os");
+  await commitAndTagExeOs(newStackVersion, exeOsChange, flags.dryRun);
+  printSummary(changes, ciStatuses, newStackVersion, flags.dryRun);
+  if (!flags.skipImageVerify && !flags.dryRun && imageResults.length > 0) {
+    const pendingImages = imageResults.filter((r) => r.proxy === "pending");
+    if (pendingImages.length > 0) {
+      log("info", "Re-checking proxy availability for pending images...");
+      for (const r of pendingImages) {
+        const shortName = shortImageName(r.repo.imageName);
+        const proxyRepo = `askexe/${shortName}`;
+        const proxyToken = process.env.EXE_REGISTRY_PROXY_PULL_TOKEN ?? void 0;
+        const recheck = await checkRegistryManifest(PROXY_REGISTRY, proxyRepo, r.tag, proxyToken);
+        if (recheck.ok) {
+          r.proxy = "ok";
+        }
+      }
+      printImageVerification(imageResults);
+    }
+  }
+}
+export {
+  parseReleaseArgs,
+  runStackRelease
+};