@askexenow/exe-os 0.9.283 → 0.9.285

package/dist/hooks/manifest.json

@@ -1,6 +1,6 @@
 {
   "version": 1,
-  "generatedAt": "2026-06-17T08:40:20.021Z",
+  "generatedAt": "2026-06-17T09:05:37.660Z",
   "hashes": {
     "bug-report-worker.js": "16d6fab856fd34eeeb4406f0b63578abbab9b85a2c5b552918b2dc096bff45b2",
     "codex-stop-task-finalizer.js": "2e1b30d86acf2359fe6e555e486ffc80c8b525ab43646c523e272b92d8cdaa93",

package/dist/stack-update-I2DMZ6QL.js

@@ -0,0 +1,76 @@
+import {
+  ProgressReporter,
+  assertBreakingChangesAllowed,
+  assertDeploymentScopeAllowed,
+  assertHostReadyForApply,
+  assertProductionDeployGate,
+  bootstrapStackHost,
+  buildDefaultServiceSelection,
+  canonicalizeStackManifest,
+  collectImageAvailabilityIssues,
+  collectProductionDeployGateIssues,
+  createStackUpdatePlan,
+  defaultStackPaths,
+  detectDanglingVolumes,
+  filterServicesBySelection,
+  findLatestBackupEnvFile,
+  hardenHost,
+  listAvailableVersions,
+  loadServiceSelection,
+  loadStackManifest,
+  pairMonitorAgent,
+  parseEnv,
+  parseStackManifest,
+  patchEnv,
+  printDanglingVolumes,
+  printVolumeCleanupResult,
+  readCurrentStackVersion,
+  removeDanglingVolumes,
+  rollbackStackUpdate,
+  runStackUpdate,
+  saveServiceSelection,
+  serviceSelectionPath,
+  verifyManifestImagesAvailable,
+  verifyReleaseHealth,
+  verifyStackManifestSignature
+} from "./chunk-XENDLEP5.js";
+import "./chunk-YMKUXZIG.js";
+import "./chunk-T3B5RK4H.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  ProgressReporter,
+  assertBreakingChangesAllowed,
+  assertDeploymentScopeAllowed,
+  assertHostReadyForApply,
+  assertProductionDeployGate,
+  bootstrapStackHost,
+  buildDefaultServiceSelection,
+  canonicalizeStackManifest,
+  collectImageAvailabilityIssues,
+  collectProductionDeployGateIssues,
+  createStackUpdatePlan,
+  defaultStackPaths,
+  detectDanglingVolumes,
+  filterServicesBySelection,
+  findLatestBackupEnvFile,
+  hardenHost,
+  listAvailableVersions,
+  loadServiceSelection,
+  loadStackManifest,
+  pairMonitorAgent,
+  parseEnv,
+  parseStackManifest,
+  patchEnv,
+  printDanglingVolumes,
+  printVolumeCleanupResult,
+  readCurrentStackVersion,
+  removeDanglingVolumes,
+  rollbackStackUpdate,
+  runStackUpdate,
+  saveServiceSelection,
+  serviceSelectionPath,
+  verifyManifestImagesAvailable,
+  verifyReleaseHealth,
+  verifyStackManifestSignature
+};

package/dist/stack-update-KOZLMLEI.js

@@ -0,0 +1,76 @@
+import {
+  ProgressReporter,
+  assertBreakingChangesAllowed,
+  assertDeploymentScopeAllowed,
+  assertHostReadyForApply,
+  assertProductionDeployGate,
+  bootstrapStackHost,
+  buildDefaultServiceSelection,
+  canonicalizeStackManifest,
+  collectImageAvailabilityIssues,
+  collectProductionDeployGateIssues,
+  createStackUpdatePlan,
+  defaultStackPaths,
+  detectDanglingVolumes,
+  filterServicesBySelection,
+  findLatestBackupEnvFile,
+  hardenHost,
+  listAvailableVersions,
+  loadServiceSelection,
+  loadStackManifest,
+  pairMonitorAgent,
+  parseEnv,
+  parseStackManifest,
+  patchEnv,
+  printDanglingVolumes,
+  printVolumeCleanupResult,
+  readCurrentStackVersion,
+  removeDanglingVolumes,
+  rollbackStackUpdate,
+  runStackUpdate,
+  saveServiceSelection,
+  serviceSelectionPath,
+  verifyManifestImagesAvailable,
+  verifyReleaseHealth,
+  verifyStackManifestSignature
+} from "./chunk-XNVX6XNW.js";
+import "./chunk-YMKUXZIG.js";
+import "./chunk-T3B5RK4H.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  ProgressReporter,
+  assertBreakingChangesAllowed,
+  assertDeploymentScopeAllowed,
+  assertHostReadyForApply,
+  assertProductionDeployGate,
+  bootstrapStackHost,
+  buildDefaultServiceSelection,
+  canonicalizeStackManifest,
+  collectImageAvailabilityIssues,
+  collectProductionDeployGateIssues,
+  createStackUpdatePlan,
+  defaultStackPaths,
+  detectDanglingVolumes,
+  filterServicesBySelection,
+  findLatestBackupEnvFile,
+  hardenHost,
+  listAvailableVersions,
+  loadServiceSelection,
+  loadStackManifest,
+  pairMonitorAgent,
+  parseEnv,
+  parseStackManifest,
+  patchEnv,
+  printDanglingVolumes,
+  printVolumeCleanupResult,
+  readCurrentStackVersion,
+  removeDanglingVolumes,
+  rollbackStackUpdate,
+  runStackUpdate,
+  saveServiceSelection,
+  serviceSelectionPath,
+  verifyManifestImagesAvailable,
+  verifyReleaseHealth,
+  verifyStackManifestSignature
+};

package/dist/stack-update-TRZRI6V7.js

@@ -0,0 +1,74 @@
+import {
+  ProgressReporter,
+  assertBreakingChangesAllowed,
+  assertDeploymentScopeAllowed,
+  assertHostReadyForApply,
+  assertProductionDeployGate,
+  bootstrapStackHost,
+  buildDefaultServiceSelection,
+  canonicalizeStackManifest,
+  collectProductionDeployGateIssues,
+  createStackUpdatePlan,
+  defaultStackPaths,
+  detectDanglingVolumes,
+  filterServicesBySelection,
+  findLatestBackupEnvFile,
+  hardenHost,
+  listAvailableVersions,
+  loadServiceSelection,
+  loadStackManifest,
+  pairMonitorAgent,
+  parseEnv,
+  parseStackManifest,
+  patchEnv,
+  printDanglingVolumes,
+  printVolumeCleanupResult,
+  readCurrentStackVersion,
+  removeDanglingVolumes,
+  rollbackStackUpdate,
+  runStackUpdate,
+  saveServiceSelection,
+  serviceSelectionPath,
+  verifyManifestImagesAvailable,
+  verifyReleaseHealth,
+  verifyStackManifestSignature
+} from "./chunk-OJQ34M77.js";
+import "./chunk-YMKUXZIG.js";
+import "./chunk-T3B5RK4H.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  ProgressReporter,
+  assertBreakingChangesAllowed,
+  assertDeploymentScopeAllowed,
+  assertHostReadyForApply,
+  assertProductionDeployGate,
+  bootstrapStackHost,
+  buildDefaultServiceSelection,
+  canonicalizeStackManifest,
+  collectProductionDeployGateIssues,
+  createStackUpdatePlan,
+  defaultStackPaths,
+  detectDanglingVolumes,
+  filterServicesBySelection,
+  findLatestBackupEnvFile,
+  hardenHost,
+  listAvailableVersions,
+  loadServiceSelection,
+  loadStackManifest,
+  pairMonitorAgent,
+  parseEnv,
+  parseStackManifest,
+  patchEnv,
+  printDanglingVolumes,
+  printVolumeCleanupResult,
+  readCurrentStackVersion,
+  removeDanglingVolumes,
+  rollbackStackUpdate,
+  runStackUpdate,
+  saveServiceSelection,
+  serviceSelectionPath,
+  verifyManifestImagesAvailable,
+  verifyReleaseHealth,
+  verifyStackManifestSignature
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askexenow/exe-os",
-  "version": "0.9.283",
+  "version": "0.9.285",
   "description": "AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",

package/release-notes.json

@@ -1,10 +1,11 @@
 {
-  "current": "0.9.283",
+  "current": "0.9.285",
   "notes": {
-    "0.9.283": {
-      "version": "0.9.283",
+    "0.9.285": {
+      "version": "0.9.285",
       "date": "2026-06-17",
       "features": [
+        "add image availability + platform verification to deploy gate",
         "GoTrue JWT auth for MCP — exe-os login/logout/whoami",
         "admin backfill endpoint for api_key_hash — fixes all encrypted keys",
         "implement startMonitor for Slack/Discord/Telegram/WhatsApp + SMTP via nodemailer",
@@ -28,10 +29,10 @@
         "emotional baselines per agent role (dbfbe67f) (#131)",
         "split exe-os into server (~200MB) and worker (~1GB) images (#130)",
         "out-of-process socket watchdog (c3b287cc) (#129)",
-        "hot-path session summary — compress last checkpoint into ~200 tokens at boot (edaf4eb3) (#128)",
-        "cloud-synced cross-device reminders via Cloudflare Worker KV (a4195632) (#127)"
+        "hot-path session summary — compress last checkpoint into ~200 tokens at boot (edaf4eb3) (#128)"
       ],
       "fixes": [
+        "add otel-collector to official image allowlist — unblocks stack-update",
         "correct exe-os + exe-auth digests for amd64 in manifest 0.9.24 (bug e0c3b3fb)",
         "update exe-os daemon image to v0.9.281 in manifest 0.9.24",
         "mcp_ping reports alive when running inside daemon process (bug b5fb9404)",
@@ -55,11 +56,12 @@
         "add sync_meta to SQL guard allowlist — fixes cloud sync (bug 9fbbe145)",
         "accept digest-only official images in deploy gate",
         "prevent empty/duplicate company_procedure rows at the source",
-        "remove duplicate if-block causing TS build failure",
-        "watchdog self-heal + restart-intent propagation (belt & suspenders)"
+        "remove duplicate if-block causing TS build failure"
       ],
       "security": [],
       "other": [
+        "bump v0.9.285 — deploy gate image verification",
+        "bump v0.9.284 — otel deploy gate fix",
         "bump v0.9.283 — amd64 digest fix",
         "bump v0.9.282 — daemon image v0.9.281 in manifest",
         "prepare v0.9.281 — 50 bugs fixed, stack 0.9.24 fully deployable",
@@ -82,14 +84,12 @@
         "update release-notes.json",
         "bump 0.9.275 — bundle stack 0.9.22 manifest for stack-update",
         "release: stack 0.9.22 — exe-os v0.9.270, exe-crm v0.9.48, exe-gateway v0.9.18 (digest-pinned)",
-        "bump 0.9.273 — graph/send_whatsapp/phantom-notif fixes",
-        "Add daemon smoke gate",
-        "Publish Claude Fable model support as 0.9.272"
+        "bump 0.9.273 — graph/send_whatsapp/phantom-notif fixes"
       ],
       "migration_notes": []
     },
-    "0.9.282": {
-      "version": "0.9.282",
+    "0.9.284": {
+      "version": "0.9.284",
       "date": "2026-06-17",
       "features": [
         "GoTrue JWT auth for MCP — exe-os login/logout/whoami",
@@ -119,6 +119,8 @@
         "cloud-synced cross-device reminders via Cloudflare Worker KV (a4195632) (#127)"
       ],
       "fixes": [
+        "add otel-collector to official image allowlist — unblocks stack-update",
+        "correct exe-os + exe-auth digests for amd64 in manifest 0.9.24 (bug e0c3b3fb)",
         "update exe-os daemon image to v0.9.281 in manifest 0.9.24",
         "mcp_ping reports alive when running inside daemon process (bug b5fb9404)",
         "add exe-erp-nginx for static assets + remove direct gunicorn port (bug 6776edf0)",
@@ -141,12 +143,12 @@
         "add sync_meta to SQL guard allowlist — fixes cloud sync (bug 9fbbe145)",
         "accept digest-only official images in deploy gate",
         "prevent empty/duplicate company_procedure rows at the source",
-        "remove duplicate if-block causing TS build failure",
-        "watchdog self-heal + restart-intent propagation (belt & suspenders)",
-        "skip junk/empty company_procedure rows that bloated prompts to 1.6MB"
+        "remove duplicate if-block causing TS build failure"
       ],
       "security": [],
       "other": [
+        "bump v0.9.284 — otel deploy gate fix",
+        "bump v0.9.283 — amd64 digest fix",
         "bump v0.9.282 — daemon image v0.9.281 in manifest",
         "prepare v0.9.281 — 50 bugs fixed, stack 0.9.24 fully deployable",
         "bump v0.9.280 — GoTrue MCP auth, support fixes",
@@ -169,14 +171,12 @@
         "bump 0.9.275 — bundle stack 0.9.22 manifest for stack-update",
         "release: stack 0.9.22 — exe-os v0.9.270, exe-crm v0.9.48, exe-gateway v0.9.18 (digest-pinned)",
         "bump 0.9.273 — graph/send_whatsapp/phantom-notif fixes",
-        "Add daemon smoke gate",
-        "Publish Claude Fable model support as 0.9.272",
-        "Add Claude Fable model whitelist"
+        "Add daemon smoke gate"
       ],
       "migration_notes": []
     },
-    "0.9.281": {
-      "version": "0.9.281",
+    "0.9.283": {
+      "version": "0.9.283",
       "date": "2026-06-17",
       "features": [
         "GoTrue JWT auth for MCP — exe-os login/logout/whoami",
@@ -206,6 +206,8 @@
         "cloud-synced cross-device reminders via Cloudflare Worker KV (a4195632) (#127)"
       ],
       "fixes": [
+        "correct exe-os + exe-auth digests for amd64 in manifest 0.9.24 (bug e0c3b3fb)",
+        "update exe-os daemon image to v0.9.281 in manifest 0.9.24",
         "mcp_ping reports alive when running inside daemon process (bug b5fb9404)",
         "add exe-erp-nginx for static assets + remove direct gunicorn port (bug 6776edf0)",
         "ERP healthcheck Host header + websocket path for Frappe 17 (bugs 7c905474, 468cc508)",
@@ -228,12 +230,12 @@
         "accept digest-only official images in deploy gate",
         "prevent empty/duplicate company_procedure rows at the source",
         "remove duplicate if-block causing TS build failure",
-        "watchdog self-heal + restart-intent propagation (belt & suspenders)",
-        "skip junk/empty company_procedure rows that bloated prompts to 1.6MB",
-        "match user by deviceId when encryption secret lost"
+        "watchdog self-heal + restart-intent propagation (belt & suspenders)"
       ],
       "security": [],
       "other": [
+        "bump v0.9.283 — amd64 digest fix",
+        "bump v0.9.282 — daemon image v0.9.281 in manifest",
         "prepare v0.9.281 — 50 bugs fixed, stack 0.9.24 fully deployable",
         "bump v0.9.280 — GoTrue MCP auth, support fixes",
         "bump v0.9.279 — stack v0.9.24, GoTrue support auth, optional services",
@@ -256,14 +258,12 @@
         "release: stack 0.9.22 — exe-os v0.9.270, exe-crm v0.9.48, exe-gateway v0.9.18 (digest-pinned)",
         "bump 0.9.273 — graph/send_whatsapp/phantom-notif fixes",
         "Add daemon smoke gate",
-        "Publish Claude Fable model support as 0.9.272",
-        "Add Claude Fable model whitelist",
-        "Publish stack-update service resume as 0.9.271"
+        "Publish Claude Fable model support as 0.9.272"
       ],
       "migration_notes": []
     },
-    "0.9.280": {
-      "version": "0.9.280",
+    "0.9.282": {
+      "version": "0.9.282",
       "date": "2026-06-17",
       "features": [
         "GoTrue JWT auth for MCP — exe-os login/logout/whoami",
@@ -293,34 +293,36 @@
         "cloud-synced cross-device reminders via Cloudflare Worker KV (a4195632) (#127)"
       ],
       "fixes": [
+        "update exe-os daemon image to v0.9.281 in manifest 0.9.24",
+        "mcp_ping reports alive when running inside daemon process (bug b5fb9404)",
+        "add exe-erp-nginx for static assets + remove direct gunicorn port (bug 6776edf0)",
+        "ERP healthcheck Host header + websocket path for Frappe 17 (bugs 7c905474, 468cc508)",
+        "rotate signing key to match Worker secret (bug 834ffb70)",
+        "add exe-auth service to main compose + fix image reference to update.askexe.com",
+        "align compose default image tags with manifest 0.9.24 (bug 79168bac)",
+        "isDaemonAlive falls back to socket check when PID file missing (bug b5fb9404)",
+        "correct exe-erp image tag final7→final3 in manifests 0.9.23 + 0.9.24 (bug ff960d31)",
+        "create exe_erp login role in init-db.sql (bug 9d452322)",
+        "CRM_SERVER_URL uses crm. subdomain + add EXE_CRM_ADMIN_EMAIL (bugs 8d20e779, 7debf355)",
+        "use update.askexe.com for exe-auth image in manifest 0.9.24 (bug 97f2d288)",
+        "ensure description field is never empty in feature request upstream payload (bug 0a8e16d0)",
+        "add WSL clip.exe detection to shipped tmux.conf (bug 3396fb26)",
+        "include node binary dir in exe-os-node shim PATH (bug 71adcb68)",
+        "add minimum daemon age guard to prevent crash-loop (bug 25faecf3)",
+        "digest-pin all 0.9.24 images + remove control-plane from customer manifest",
+        "resolve full UUID before upstream delivery — fixes update_bug/update_feature 400s (bug 31b1d2e3)",
+        "dual-key JWT verification — accept tokens signed by previous key (bug 2f5d6166)",
+        "add sync_meta to SQL guard allowlist — fixes cloud sync (bug 9fbbe145)",
+        "accept digest-only official images in deploy gate",
         "prevent empty/duplicate company_procedure rows at the source",
         "remove duplicate if-block causing TS build failure",
         "watchdog self-heal + restart-intent propagation (belt & suspenders)",
-        "skip junk/empty company_procedure rows that bloated prompts to 1.6MB",
-        "match user by deviceId when encryption secret lost",
-        "backfill api_key_hash on every /auth/activate call",
-        "allow dev-fallback storage secret for backfill (keys were encrypted with it)",
-        "cap model-instructions prompt under the API limit (was 1.6MB → 400)",
-        "mark keychain unavailable on write timeout; pass --session to codex/opencode",
-        "backfill api_key_hash for ALREADY encrypted keys",
-        "store api_key_hash on key upgrade — support validation works for all customers",
-        "name the target keychain on store to fix \"cannot be found\"",
-        "never re-prompt when the OS keychain is unavailable",
-        "GoTrue JWT payload decode fallback — support channel working",
-        "validate against GoTrue JWT — not just D1 license keys",
-        "stop master-key destruction on launch + fix codex --profile",
-        "clear all 25 moderate CVEs via OTel+protobufjs overrides; fix date-bomb test",
-        "auth is customer-facing (not control-plane)",
-        "patch hono HIGH CVE + fix stale worker-gate test",
-        "use hooks-free CODEX_HOME to prevent crash after 10 codex calls",
-        "per-chat runner + offset flag + execSync + clean env + GC",
-        "execFile instead of spawn, sequential loop, useOpenCode, 180s timeout",
-        "P1 CVE fixes + test alignment + tarball budget + env sync",
-        "exe-start COO_NAME resolution fails on npm install (not dev symlink)",
-        "fix FTS ambiguous column bug + CLaRa term sanitization"
+        "skip junk/empty company_procedure rows that bloated prompts to 1.6MB"
       ],
       "security": [],
       "other": [
+        "bump v0.9.282 — daemon image v0.9.281 in manifest",
+        "prepare v0.9.281 — 50 bugs fixed, stack 0.9.24 fully deployable",
         "bump v0.9.280 — GoTrue MCP auth, support fixes",
         "bump v0.9.279 — stack v0.9.24, GoTrue support auth, optional services",
         "service ownership matrix — dashboard is AskExe-only, not customer stack",
@@ -343,15 +345,16 @@
         "bump 0.9.273 — graph/send_whatsapp/phantom-notif fixes",
         "Add daemon smoke gate",
         "Publish Claude Fable model support as 0.9.272",
-        "Add Claude Fable model whitelist",
-        "Publish stack-update service resume as 0.9.271"
+        "Add Claude Fable model whitelist"
       ],
       "migration_notes": []
     },
-    "0.9.279": {
-      "version": "0.9.279",
+    "0.9.281": {
+      "version": "0.9.281",
       "date": "2026-06-17",
       "features": [
+        "GoTrue JWT auth for MCP — exe-os login/logout/whoami",
+        "admin backfill endpoint for api_key_hash — fixes all encrypted keys",
         "implement startMonitor for Slack/Discord/Telegram/WhatsApp + SMTP via nodemailer",
         "add dashboard + auth + otel to manifest as control-plane services",
         "CLI service selection + exe-build removal from customer stack",
@@ -374,39 +377,39 @@
         "split exe-os into server (~200MB) and worker (~1GB) images (#130)",
         "out-of-process socket watchdog (c3b287cc) (#129)",
         "hot-path session summary — compress last checkpoint into ~200 tokens at boot (edaf4eb3) (#128)",
-        "cloud-synced cross-device reminders via Cloudflare Worker KV (a4195632) (#127)",
-        "wire dashboard → api.askexe.com billing API (7 endpoints)",
-        "dashboard.askexe.com — customer developer portal"
+        "cloud-synced cross-device reminders via Cloudflare Worker KV (a4195632) (#127)"
       ],
       "fixes": [
-        "name the target keychain on store to fix \"cannot be found\"",
-        "never re-prompt when the OS keychain is unavailable",
-        "GoTrue JWT payload decode fallback — support channel working",
-        "validate against GoTrue JWT — not just D1 license keys",
-        "stop master-key destruction on launch + fix codex --profile",
-        "clear all 25 moderate CVEs via OTel+protobufjs overrides; fix date-bomb test",
-        "auth is customer-facing (not control-plane)",
-        "patch hono HIGH CVE + fix stale worker-gate test",
-        "use hooks-free CODEX_HOME to prevent crash after 10 codex calls",
-        "per-chat runner + offset flag + execSync + clean env + GC",
-        "execFile instead of spawn, sequential loop, useOpenCode, 180s timeout",
-        "P1 CVE fixes + test alignment + tarball budget + env sync",
-        "exe-start COO_NAME resolution fails on npm install (not dev symlink)",
-        "fix FTS ambiguous column bug + CLaRa term sanitization",
-        "document cloud_action param in consolidated procedures (customer-readiness gate)",
-        "typecheck errors (session-summary undefined, unused import)",
-        "graceful exit on missing GHCR_TOKEN prevents crash-loop (bug 3416cead) (#141)",
-        "graceful exit on missing GHCR_TOKEN prevents crash-loop (bug 3416cead) (#140)",
-        "exe-build is askexe-control-plane, not customer-deployable",
-        "unquarantine gateway-client WS tests — clear NODE_OPTIONS + CI-aware timeouts (bug d51015bb) (#119)",
-        "typecheck errors from subagent code (failover undefined model, unused vars)",
-        "config-search-cloud reconciliation + Keychain-aware boot (bugs 370587e3, e3fd2319, 6bce0a70, 6727e213) (#109)",
-        "SSE stale-session recovery + eviction notification + headless session isolation (bugs 5b601250, 56caa668, 17882f71) (#108)",
-        "platform-aware RAM gate, dynamic worker cap, dirty worktree aging (bugs a3eb23d2, ed1fb3d2) (#107)",
-        "orchestration bugs — reviewer loop, session isolation, Desktop reaper (57b06092, b313fec5, 6b3a7810) (#106)"
+        "mcp_ping reports alive when running inside daemon process (bug b5fb9404)",
+        "add exe-erp-nginx for static assets + remove direct gunicorn port (bug 6776edf0)",
+        "ERP healthcheck Host header + websocket path for Frappe 17 (bugs 7c905474, 468cc508)",
+        "rotate signing key to match Worker secret (bug 834ffb70)",
+        "add exe-auth service to main compose + fix image reference to update.askexe.com",
+        "align compose default image tags with manifest 0.9.24 (bug 79168bac)",
+        "isDaemonAlive falls back to socket check when PID file missing (bug b5fb9404)",
+        "correct exe-erp image tag final7→final3 in manifests 0.9.23 + 0.9.24 (bug ff960d31)",
+        "create exe_erp login role in init-db.sql (bug 9d452322)",
+        "CRM_SERVER_URL uses crm. subdomain + add EXE_CRM_ADMIN_EMAIL (bugs 8d20e779, 7debf355)",
+        "use update.askexe.com for exe-auth image in manifest 0.9.24 (bug 97f2d288)",
+        "ensure description field is never empty in feature request upstream payload (bug 0a8e16d0)",
+        "add WSL clip.exe detection to shipped tmux.conf (bug 3396fb26)",
+        "include node binary dir in exe-os-node shim PATH (bug 71adcb68)",
+        "add minimum daemon age guard to prevent crash-loop (bug 25faecf3)",
+        "digest-pin all 0.9.24 images + remove control-plane from customer manifest",
+        "resolve full UUID before upstream delivery — fixes update_bug/update_feature 400s (bug 31b1d2e3)",
+        "dual-key JWT verification — accept tokens signed by previous key (bug 2f5d6166)",
+        "add sync_meta to SQL guard allowlist — fixes cloud sync (bug 9fbbe145)",
+        "accept digest-only official images in deploy gate",
+        "prevent empty/duplicate company_procedure rows at the source",
+        "remove duplicate if-block causing TS build failure",
+        "watchdog self-heal + restart-intent propagation (belt & suspenders)",
+        "skip junk/empty company_procedure rows that bloated prompts to 1.6MB",
+        "match user by deviceId when encryption secret lost"
       ],
       "security": [],
       "other": [
+        "prepare v0.9.281 — 50 bugs fixed, stack 0.9.24 fully deployable",
+        "bump v0.9.280 — GoTrue MCP auth, support fixes",
         "bump v0.9.279 — stack v0.9.24, GoTrue support auth, optional services",
         "service ownership matrix — dashboard is AskExe-only, not customer stack",
         "bump version to 0.9.278",