@askexenow/exe-os 0.9.287 → 0.9.289

package/deploy/compose/.env.customer.example

@@ -85,7 +85,16 @@ MONITOR_HUB_PORT=8090
 MONITOR_HUB_ADMIN_EMAIL=CHANGEME_ADMIN_EMAIL
 MONITOR_HUB_ADMIN_PASSWORD=CHANGEME_MONITOR_HUB_ADMIN_PASSWORD
 
-# --- Monitoring agent (standard for managed customer VPSs) ---
+# --- Monitoring agent (host-access; OFF until explicitly enabled) ---
+# exe-monitor-agent needs SENSITIVE read-only host access to report fleet health:
+#   /var/run/docker.sock  — root-equivalent; can inspect ALL containers on the host
+#   /proc, /sys           — host process list + system-wide CPU/mem/hardware metrics
+#   /etc/os-release       — host OS name/version
+# It is GATED behind the "monitor-agent" compose profile and stays OFF by default.
+# Enable it ONLY after acknowledging this scope: run setup.sh and answer the
+# host-access prompt, or uncomment COMPOSE_PROFILES below.
+# Full scope details: deploy/monitor/HOST-ACCESS-CONSENT.md
+# COMPOSE_PROFILES=monitor-agent
 MONITOR_AGENT_IMAGE_TAG=update.askexe.com/askexe/exe-monitor-agent:v0.9.4
 # Reports to the local hub. Auto-populated by `exe-os stack-update` during bootstrap.
 MONITOR_HUB_URL=http://exe-monitor-hub:8090

package/deploy/compose/.env.example

@@ -98,7 +98,14 @@ MONITOR_HUB_PORT=8090
 MONITOR_HUB_ADMIN_EMAIL=CHANGEME_ADMIN_EMAIL
 MONITOR_HUB_ADMIN_PASSWORD=CHANGEME_MONITOR_HUB_ADMIN_PASSWORD
 
-# --- Monitoring agent (standard for managed customer VPSs) ---
+# --- Monitoring agent (host-access; OFF until explicitly enabled) ---
+# exe-monitor-agent needs SENSITIVE read-only host access to report fleet
+# health: /var/run/docker.sock (root-equivalent — inspect ALL containers),
+# /proc, /sys (host CPU/mem/hardware), /etc/os-release (host OS). It is GATED
+# behind the "monitor-agent" compose profile and stays OFF by default.
+# To enable: run setup.sh and acknowledge the host-access prompt, or add
+# "monitor-agent" to COMPOSE_PROFILES below. Scope: deploy/monitor/HOST-ACCESS-CONSENT.md.
+# COMPOSE_PROFILES=monitor-agent
 MONITOR_AGENT_IMAGE_TAG=ghcr.io/askexe/exe-monitor-agent:v0.9.4
 # Reports to the local hub. Auto-populated by `exe-os stack-update` during bootstrap.
 MONITOR_HUB_URL=http://exe-monitor-hub:8090

package/deploy/compose/README.md

@@ -41,11 +41,38 @@ upstream LTS rolls.
 - `frontend` (`10.43.0.0/24`) — apps that terminate user traffic
   (`exe-crm`, `exe-wiki`, `exe-gateway`). DBs never join this net.
 
+Services do NOT pin static container IPs — Docker assigns addresses from each
+network's subnet. Services reach each other by service name (Docker DNS), so
+pinned IPs were unnecessary and broke updates on existing installs whose
+networks were created with different IPAM subnets ("no configured subnet
+contains IP address …"). Do not reintroduce `ipv4_address:` on services.
+
 Apps publish their HTTP ports to `127.0.0.1` on the host so the host-installed
 nginx (Lane A-1 `nginx-tls`) can reverse-proxy them. Override the host port via
 `CRM_HOST_PORT` / `WIKI_HOST_PORT` / `GATEWAY_HTTP_HOST_PORT` /
 `GATEWAY_WS_HOST_PORT` if you co-host multiple stacks.
 
+## Monitor agent — host-access consent (OFF by default)
+
+`exe-monitor-agent` reports host/container health to the monitoring hub, but it
+needs **sensitive read-only host access** to do so: `/var/run/docker.sock`
+(root-equivalent — can inspect every container), `/proc`, `/sys`, and
+`/etc/os-release`. Because that access is effectively root on the box, the agent
+is **gated behind the `monitor-agent` compose profile** and does **not** start by
+default.
+
+The operator opts in explicitly:
+
+- **`setup.sh`** prints the disclosure and asks `Enable the monitor agent with
+  this host access? [y/N]`. Answering yes appends `monitor-agent` to
+  `COMPOSE_PROFILES` in `.env`. For unattended installs, set
+  `MONITOR_AGENT_HOST_ACCESS_CONSENT=yes` (or `no`) before running setup.
+- **Manual:** uncomment `COMPOSE_PROFILES=monitor-agent` in `.env`.
+
+With the profile unset, `docker compose up -d` brings up the full stack **without**
+the agent and none of the host mounts above are exposed. Full scope and rationale:
+[`deploy/monitor/HOST-ACCESS-CONSENT.md`](../monitor/HOST-ACCESS-CONSENT.md).
+
 ## Company Brain projection guard
 
 `exed` is the only place in the stack that should project cloud/local memory

package/deploy/compose/docker-compose.yml

@@ -2,7 +2,10 @@
 #
 # Services: exe-db (postgres) + clickhouse + redis + exe-crm + exe-wiki + exe-os + exe-gateway + exe-erp + otel-collector
 # ONE postgres (exe-db) — all services connect to it via DATABASE_URL.
-# Standard for managed customer VPSs: exe-monitor-agent reports fleet health to monitor.askexe.com.
+# Optional: exe-monitor-agent reports fleet health to the monitoring hub. It needs
+#   sensitive host access (docker.sock, /proc, /sys) so it is gated behind the
+#   "monitor-agent" compose profile and stays OFF until the operator consents.
+#   See deploy/monitor/HOST-ACCESS-CONSENT.md.
 # All image tags pinned per-client via .env (no :latest). Healthchecks on every service.
 # Named volumes for state; explicit subnets; depends_on with service_healthy gates.
 #
@@ -38,8 +41,7 @@ services:
       - postgres_data:/var/lib/postgresql/data
       - ./init-db.sql:/docker-entrypoint-initdb.d/01-init.sql:ro
     networks:
-      backend:
-        ipv4_address: 10.42.0.10
+      - backend
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-exe} -d ${POSTGRES_DB:-exedb}"]
       interval: 10s
@@ -78,8 +80,7 @@ services:
         soft: 262144
         hard: 262144
     networks:
-      backend:
-        ipv4_address: 10.42.0.11
+      - backend
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8123/ping"]
       interval: 10s
@@ -101,8 +102,7 @@ services:
     volumes:
       - redis_data:/data
     networks:
-      backend:
-        ipv4_address: 10.42.0.12
+      - backend
     healthcheck:
       test: ["CMD-SHELL", "redis-cli -a $${REDIS_PASSWORD:?REDIS_PASSWORD is required} ping | grep -q PONG"]
       interval: 10s
@@ -148,8 +148,7 @@ services:
     ports:
       - "127.0.0.1:${GOTRUE_HOST_PORT:-9999}:9999"
     networks:
-      backend:
-        ipv4_address: 10.42.0.13
+      - backend
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:9999/health"]
       interval: 15s
@@ -178,8 +177,7 @@ services:
     volumes:
       - monitor_hub_data:/app/pb_data
     networks:
-      backend:
-        ipv4_address: 10.42.0.14
+      - backend
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8090/api/health"]
       interval: 30s
@@ -234,10 +232,8 @@ services:
       - crm_data:/app/.local-storage
       - ${BRANDING_CONFIG:-./branding.json}:/app/branding.json:ro
     networks:
-      backend:
-        ipv4_address: 10.42.0.20
-      frontend:
-        ipv4_address: 10.43.0.20
+      - backend
+      - frontend
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000/healthz"]
       interval: 30s
@@ -282,8 +278,7 @@ services:
       - crm_data:/app/.local-storage
       - ${BRANDING_CONFIG:-./branding.json}:/app/branding.json:ro
     networks:
-      backend:
-        ipv4_address: 10.42.0.24
+      - backend
     healthcheck:
       test: ["CMD-SHELL", "tr '\\0' ' ' < /proc/1/cmdline | grep -q 'worker:prod'"]
       interval: 30s
@@ -328,10 +323,8 @@ services:
       - wiki_data:/app/server/storage
       - ${BRANDING_CONFIG:-./branding.json}:/app/branding.json:ro
     networks:
-      backend:
-        ipv4_address: 10.42.0.21
-      frontend:
-        ipv4_address: 10.43.0.21
+      - backend
+      - frontend
     healthcheck:
       test: ["CMD", "node", "-e", "const http=require('http');const r=http.get('http://127.0.0.1:3001/api/ping',s=>{process.exit(s.statusCode===200?0:1)});r.on('error',()=>process.exit(1));r.setTimeout(4000,()=>process.exit(1))"]
       interval: 30s
@@ -375,8 +368,7 @@ services:
       - "${EXED_HEALTH_HOST_BIND:-127.0.0.1}:${EXED_HOST_PORT:-8765}:8765"
       - "${EXE_MCP_HOST_BIND:-127.0.0.1}:${EXE_MCP_HOST_PORT:-48739}:48739"
     networks:
-      backend:
-        ipv4_address: 10.42.0.22
+      - backend
     healthcheck:
       # Bug f0f3b187: start_period was 30s but entrypoint runs license check +
       # optional model download before the health server is up. 60s matches the
@@ -421,8 +413,7 @@ services:
     volumes:
       - exe_os_data:/home/exed/.exe-os
     networks:
-      backend:
-        ipv4_address: 10.42.0.33
+      - backend
     deploy:
       resources:
         limits:
@@ -478,10 +469,8 @@ services:
       - gateway_whatsapp_auth:/app/auth_info
       - ./gateway.json:/data/gateway.json:ro
     networks:
-      backend:
-        ipv4_address: 10.42.0.23
-      frontend:
-        ipv4_address: 10.43.0.23
+      - backend
+      - frontend
     healthcheck:
       test: ["CMD", "node", "-e", "const http=require('http');const r=http.get('http://localhost:3100/health',s=>{process.exit(s.statusCode===200?0:1)});r.on('error',()=>process.exit(1));r.setTimeout(4000,()=>process.exit(1))"]
       interval: 30s
@@ -492,9 +481,29 @@ services:
       driver: json-file
       options: { max-size: "10m", max-file: "3" }
 
+  # ------------------------------------------------------------------
+  # exe-monitor-agent — fleet health reporter (Beszel agent).
+  #
+  # ⚠️  HOST-ACCESS CONSENT REQUIRED.
+  # This agent needs sensitive read-only host access to report system
+  # health (CPU/mem/disk, container stats, OS identity):
+  #   - /var/run/docker.sock  → enumerate & inspect ALL containers on the host
+  #   - /proc                 → host process list + system-wide CPU/mem stats
+  #   - /sys                  → host hardware/kernel metrics (temps, block devs)
+  #   - /etc/os-release       → host OS name/version
+  # The Docker socket in particular is effectively root-equivalent on the
+  # host, so this service is GATED behind the "monitor-agent" compose
+  # profile and does NOT start by default. The operator must explicitly
+  # acknowledge this scope during setup (setup.sh prompt) or by setting
+  # MONITOR_AGENT_HOST_ACCESS_CONSENT=true, which sets COMPOSE_PROFILES to
+  # include "monitor-agent". See deploy/monitor/HOST-ACCESS-CONSENT.md.
+  # ------------------------------------------------------------------
   exe-monitor-agent:
     image: ${MONITOR_AGENT_IMAGE_TAG:-ghcr.io/askexe/exe-monitor-agent:v0.9.4}
     container_name: exe-monitor-agent
+    # Host-access consent gate: only starts when the operator has
+    # acknowledged the host-access scope (COMPOSE_PROFILES=monitor-agent).
+    profiles: ["monitor-agent"]
     restart: unless-stopped
     # Depends on hub so pairing can succeed on first boot.
     depends_on:
@@ -517,8 +526,7 @@ services:
       - /etc/os-release:/host/etc/os-release:ro
       - monitor_agent_data:/var/lib/beszel-agent
     networks:
-      backend:
-        ipv4_address: 10.42.0.30
+      - backend
     healthcheck:
       test: ["CMD", "/app/beszel-agent", "health"]
       interval: 30s
@@ -556,8 +564,7 @@ services:
     ports:
       - "127.0.0.1:${EXE_UPDATE_HOST_PORT:-3200}:${EXE_REGISTRY_PROXY_PORT:-3200}"
     networks:
-      backend:
-        ipv4_address: 10.42.0.25
+      - backend
     healthcheck:
       test: ["CMD", "node", "-e", "fetch('http://127.0.0.1:3200/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"]
       interval: 30s
@@ -607,10 +614,8 @@ services:
     environment:
       TUNNEL_TOKEN: ${CLOUDFLARE_TUNNEL_TOKEN}
     networks:
-      backend:
-        ipv4_address: 10.42.0.31
-      frontend:
-        ipv4_address: 10.43.0.31
+      - backend
+      - frontend
     healthcheck:
       # `tunnel info` requires API credentials unavailable in token mode.
       # The command above exposes cloudflared's local metrics endpoint; use it
@@ -684,8 +689,7 @@ services:
     volumes:
       - erp_sites:/home/frappe/frappe-bench/sites
     networks:
-      backend:
-        ipv4_address: 10.42.0.26
+      - backend
     healthcheck:
       test: ["CMD-SHELL", "curl -sf http://localhost:8000/api/method/ping -H 'Host: ${ERP_SITE_NAME:-erp.localhost}' || exit 1"]
       interval: 30s
@@ -716,10 +720,8 @@ services:
     ports:
       - "127.0.0.1:${ERP_API_PORT:-8069}:80"
     networks:
-      backend:
-        ipv4_address: 10.42.0.32
-      frontend:
-        ipv4_address: 10.43.0.32
+      - backend
+      - frontend
     healthcheck:
       test: ["CMD", "wget", "-qO-", "http://127.0.0.1:80/"]
       interval: 30s
@@ -738,7 +740,28 @@ services:
     container_name: exe-erp-websocket
     restart: unless-stopped
     entrypoint: []
-    command: ["sh", "-c", "node /home/frappe/frappe-bench/apps/frappe/socketio.js 2>/dev/null || node /home/frappe/frappe-bench/apps/frappe/realtime/index.js"]
+    # Frappe relocated the server-side realtime/socketio entry point between
+    # versions (legacy apps/frappe/socketio.js -> apps/frappe/realtime/index.js
+    # in Frappe 17). Hardcoding a single absolute path crash-loops the container
+    # when the path differs in the shipped image (bug 35576eed). Resolve the
+    # actual entry at runtime: try the two known canonical paths, then fall back
+    # to discovering the realtime server file inside the frappe app dir,
+    # explicitly excluding the browser-side socketio_client.js and *.min.js.
+    command:
+      - sh
+      - -c
+      - |
+        set -e
+        APP=/home/frappe/frappe-bench/apps/frappe
+        for c in "$$APP/socketio.js" "$$APP/realtime/index.js" "$$APP/realtime/server.js"; do
+          if [ -f "$$c" ]; then echo "[exe-erp-websocket] starting $$c"; exec node "$$c"; fi
+        done
+        ENTRY=$$(find "$$APP/realtime" "$$APP" -maxdepth 2 -type f -name '*.js' \
+          ! -name '*_client.js' ! -name '*.min.js' 2>/dev/null \
+          | grep -E '/(socketio|realtime/(index|server))\.js$$' | head -n1)
+        if [ -n "$$ENTRY" ]; then echo "[exe-erp-websocket] starting discovered $$ENTRY"; exec node "$$ENTRY"; fi
+        echo "[exe-erp-websocket] FATAL: no realtime/socketio server entry found under $$APP" >&2
+        exit 1
     depends_on:
       exe-erp:
         condition: service_healthy
@@ -753,8 +776,7 @@ services:
     volumes:
       - erp_sites:/home/frappe/frappe-bench/sites
     networks:
-      backend:
-        ipv4_address: 10.42.0.27
+      - backend
     deploy:
       resources:
         limits:
@@ -788,8 +810,7 @@ services:
     volumes:
       - erp_sites:/home/frappe/frappe-bench/sites
     networks:
-      backend:
-        ipv4_address: 10.42.0.28
+      - backend
     deploy:
       resources:
         limits:
@@ -823,8 +844,7 @@ services:
     volumes:
       - erp_sites:/home/frappe/frappe-bench/sites
     networks:
-      backend:
-        ipv4_address: 10.42.0.29
+      - backend
     deploy:
       resources:
         limits:
@@ -855,8 +875,7 @@ services:
       - "127.0.0.1:${OTEL_METRICS_PORT:-8888}:8888"  # Collector own metrics
       - "127.0.0.1:${OTEL_HEALTH_PORT:-13133}:13133" # Health check
     networks:
-      backend:
-        ipv4_address: 10.42.0.40
+      - backend
     # otel-contrib is a scratch image (no shell/wget/curl). Health is monitored
     # externally via curl http://127.0.0.1:13133/ from health-monitor.sh.
     # The health_check extension inside the collector still runs on :13133.
@@ -882,8 +901,7 @@ services:
     ports:
       - "127.0.0.1:${AUTH_PORT:-3300}:80"
     networks:
-      frontend:
-        ipv4_address: 10.43.0.35
+      - frontend
     depends_on:
       exe-db:
         condition: service_healthy

package/deploy/compose/generate-env.ts

@@ -150,7 +150,14 @@ export function generateEnv(options: GenerateEnvOptions): string {
     `MONITOR_HUB_ADMIN_EMAIL=admin@${normalizedDomain}`,
     `MONITOR_HUB_ADMIN_PASSWORD=${randomSecret(24)}`,
     "",
-    "# --- Monitoring agent (standard for managed customer VPSs) ---",
+    "# --- Monitoring agent (host-access; OFF until explicitly enabled) ---",
+    "# exe-monitor-agent needs SENSITIVE read-only host access to report fleet",
+    "# health: /var/run/docker.sock (root-equivalent — inspect ALL containers),",
+    "# /proc, /sys (host CPU/mem/hardware), /etc/os-release (host OS). It is GATED",
+    "# behind the \"monitor-agent\" compose profile and stays OFF by default.",
+    "# To enable: run setup.sh and acknowledge the host-access prompt, or add",
+    "# \"monitor-agent\" to COMPOSE_PROFILES below. Scope: deploy/monitor/HOST-ACCESS-CONSENT.md.",
+    "# COMPOSE_PROFILES=monitor-agent",
     `MONITOR_AGENT_IMAGE_TAG=${MONITOR_AGENT_IMAGE_TAG}`,
     "# Reports to the local hub. Auto-populated by `exe-os stack-update` during bootstrap.",
     `MONITOR_HUB_URL=${DEFAULT_MONITOR_HUB_URL}`,
@@ -277,7 +284,14 @@ export function generateExampleEnv(): string {
     "MONITOR_HUB_ADMIN_EMAIL=CHANGEME_ADMIN_EMAIL",
     "MONITOR_HUB_ADMIN_PASSWORD=CHANGEME_MONITOR_HUB_ADMIN_PASSWORD",
     "",
-    "# --- Monitoring agent (standard for managed customer VPSs) ---",
+    "# --- Monitoring agent (host-access; OFF until explicitly enabled) ---",
+    "# exe-monitor-agent needs SENSITIVE read-only host access to report fleet",
+    "# health: /var/run/docker.sock (root-equivalent — inspect ALL containers),",
+    "# /proc, /sys (host CPU/mem/hardware), /etc/os-release (host OS). It is GATED",
+    "# behind the \"monitor-agent\" compose profile and stays OFF by default.",
+    "# To enable: run setup.sh and acknowledge the host-access prompt, or add",
+    "# \"monitor-agent\" to COMPOSE_PROFILES below. Scope: deploy/monitor/HOST-ACCESS-CONSENT.md.",
+    "# COMPOSE_PROFILES=monitor-agent",
     `MONITOR_AGENT_IMAGE_TAG=${MONITOR_AGENT_IMAGE_TAG}`,
     "# Reports to the local hub. Auto-populated by `exe-os stack-update` during bootstrap.",
     `MONITOR_HUB_URL=${DEFAULT_MONITOR_HUB_URL}`,

package/deploy/compose/setup.sh

@@ -123,6 +123,69 @@ ENVEOF
   info ".env generated with auto-generated secrets"
 fi
 
+# Step 2b: Host-access consent for the monitor agent.
+#
+# exe-monitor-agent reports fleet health to the monitoring hub, but to do so it
+# needs SENSITIVE read-only host access:
+#   - /var/run/docker.sock  (root-equivalent: enumerate/inspect ALL containers)
+#   - /proc, /sys           (host process list + system-wide CPU/mem/hardware)
+#   - /etc/os-release       (host OS identity)
+# The service is gated behind the "monitor-agent" compose profile and stays OFF
+# until the operator explicitly acknowledges this scope here. Acknowledgement is
+# recorded by adding "monitor-agent" to COMPOSE_PROFILES in .env. Pre-answer in
+# automation by exporting MONITOR_AGENT_HOST_ACCESS_CONSENT=yes|no.
+info "Step 2b: Monitor agent host-access consent"
+MONITOR_CONSENT="no"
+if grep -q '^COMPOSE_PROFILES=.*monitor-agent' .env 2>/dev/null; then
+  info "Monitor agent already enabled (COMPOSE_PROFILES contains monitor-agent) — keeping it on."
+  MONITOR_CONSENT="yes"
+else
+  cat <<'CONSENT'
+
+  ┌──────────────────────────────────────────────────────────────────────┐
+  │  HOST-ACCESS DISCLOSURE — exe-monitor-agent                            │
+  ├──────────────────────────────────────────────────────────────────────┤
+  │  Enabling the monitor agent grants it READ-ONLY access to the host:    │
+  │    • /var/run/docker.sock  — inspect ALL containers (root-equivalent)  │
+  │    • /proc                 — host process list + system CPU/mem stats   │
+  │    • /sys                  — host hardware/kernel metrics               │
+  │    • /etc/os-release       — host OS name/version                       │
+  │                                                                        │
+  │  The Docker socket is effectively root on this machine. Only enable    │
+  │  the agent if you trust the monitor image and accept this scope.       │
+  │  Details: deploy/monitor/HOST-ACCESS-CONSENT.md                        │
+  └──────────────────────────────────────────────────────────────────────┘
+
+CONSENT
+  ANS="${MONITOR_AGENT_HOST_ACCESS_CONSENT:-}"
+  if [[ -z "$ANS" ]]; then
+    if [[ -t 0 ]]; then
+      read -r -p "  Enable the monitor agent with this host access? [y/N] " ANS
+    else
+      warn "Non-interactive shell and MONITOR_AGENT_HOST_ACCESS_CONSENT unset — monitor agent stays DISABLED."
+      ANS="no"
+    fi
+  fi
+  # Lowercase without bash 4 expansions (macOS ships bash 3.2).
+  ANS_LC=$(printf '%s' "$ANS" | tr '[:upper:]' '[:lower:]')
+  case "$ANS_LC" in
+    y|yes|true|1) MONITOR_CONSENT="yes";;
+    *) MONITOR_CONSENT="no";;
+  esac
+
+  if [[ "$MONITOR_CONSENT" == "yes" ]]; then
+    # Append "monitor-agent" to COMPOSE_PROFILES (create or extend the line).
+    if grep -q '^COMPOSE_PROFILES=' .env 2>/dev/null; then
+      sed -i.bak -E 's/^(COMPOSE_PROFILES=)(.*)$/\1\2,monitor-agent/' .env && rm -f .env.bak
+    else
+      echo "COMPOSE_PROFILES=monitor-agent" >> .env
+    fi
+    info "Monitor agent ENABLED — host access acknowledged (COMPOSE_PROFILES=monitor-agent)."
+  else
+    info "Monitor agent DISABLED — host access not granted. Re-run setup or set COMPOSE_PROFILES=monitor-agent in .env to enable later."
+  fi
+fi
+
 # Step 3a: Bootstrap gateway.json (must exist before `docker compose up` or
 # Docker will create it as a directory instead of a file, leaving the gateway
 # with an empty config and WhatsApp adapters disabled).

package/dist/active-agent-DVMG6WVY.js

@@ -0,0 +1,27 @@
+import "./chunk-SH45SJQW.js";
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-HJQQ7746.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-3X2ZT5FN.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-SCQEAMO3.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-5P3HOBZX.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-JJVXXRZV.js

@@ -0,0 +1,26 @@
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-HJQQ7746.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-3X2ZT5FN.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-SCQEAMO3.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-5P3HOBZX.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-KB4346K6.js

@@ -0,0 +1,26 @@
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-YACAOZVG.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-WLDBPKRL.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-R5LCP56X.js";
+import "./chunk-5DNJPRDW.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-T3B5RK4H.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-LTYLGBJX.js

@@ -0,0 +1,27 @@
+import "./chunk-SH45SJQW.js";
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-RW4EMKQF.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-XVDWHYIK.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-CZ47BFAT.js";
+import "./chunk-5DNJPRDW.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-CEKZ77KA.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-V4W557J4.js

@@ -0,0 +1,26 @@
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-RW4EMKQF.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-XVDWHYIK.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-CZ47BFAT.js";
+import "./chunk-5DNJPRDW.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-CEKZ77KA.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-XZVU5XBO.js

@@ -0,0 +1,27 @@
+import "./chunk-SH45SJQW.js";
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-YACAOZVG.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-WLDBPKRL.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-R5LCP56X.js";
+import "./chunk-5DNJPRDW.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-T3B5RK4H.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/agentic-ontology-2LJST3BE.js

@@ -0,0 +1,25 @@
+import {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+} from "./chunk-G6GC2YSP.js";
+import "./chunk-MLKGABMK.js";
+export {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+};