@askexenow/exe-os 0.9.287 → 0.9.289

package/dist/exe-key-7PDQ72W2.js

@@ -0,0 +1,580 @@
+#!/usr/bin/env node
+import {
+  requestDeployRestart
+} from "./chunk-7L2EV3XX.js";
+import {
+  disposeDatabase,
+  ensureSchema,
+  getClient,
+  initDatabase
+} from "./chunk-3X2ZT5FN.js";
+import {
+  assertValidDbPath
+} from "./chunk-2I23RPSI.js";
+import "./chunk-SCQEAMO3.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-FXU7JOXK.js";
+import {
+  exportMnemonic,
+  getKeyStorageInfo,
+  getMasterKey,
+  importMnemonic,
+  setMasterKey
+} from "./chunk-Z42MXYWW.js";
+import {
+  loadConfig
+} from "./chunk-5P3HOBZX.js";
+import "./chunk-LYH5HE24.js";
+import {
+  isMainModule
+} from "./chunk-6Y4B3QF6.js";
+import "./chunk-MLKGABMK.js";
+
+// src/bin/exe-key.ts
+import crypto from "crypto";
+import { createInterface } from "readline";
+import { existsSync, statSync, mkdirSync, copyFileSync, renameSync, rmSync, writeFileSync } from "fs";
+import path from "path";
+import os from "os";
+import { execSync } from "child_process";
+import { createClient } from "@libsql/client";
+function isInteractiveTerminal() {
+  return Boolean(process.stdin.isTTY && process.stdout.isTTY && !process.env.CI);
+}
+function shouldRefuseRotationMutation(dryRun, interactive) {
+  return !dryRun && !interactive;
+}
+function shouldRefuseTrustedKeyImport(dryRun, interactive) {
+  return !dryRun && !interactive;
+}
+function ask(rl, prompt) {
+  return new Promise((resolve) => rl.question(prompt, (answer) => resolve(answer.trim())));
+}
+function humanBytes(bytes) {
+  const gb = bytes / 1024 ** 3;
+  if (gb >= 1) return `${gb.toFixed(1)}GB`;
+  return `${(bytes / 1024 ** 2).toFixed(0)}MB`;
+}
+function expandHome(p) {
+  return p.replace(/^~(?=$|\/)/, os.homedir());
+}
+function dataDir() {
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path.join(os.homedir(), ".exe-os");
+}
+function dbSidecarPaths(dbPath) {
+  return [dbPath, `${dbPath}-wal`, `${dbPath}-shm`];
+}
+function daemonStatus() {
+  const pidPath = path.join(dataDir(), "exed.pid");
+  if (!existsSync(pidPath)) return { pid: null, alive: false };
+  const pid = execSync(`cat ${JSON.stringify(pidPath)}`, { encoding: "utf8" }).trim();
+  if (!pid) return { pid: null, alive: false };
+  try {
+    process.kill(Number(pid), 0);
+    return { pid, alive: true };
+  } catch {
+    return { pid, alive: false };
+  }
+}
+async function stopDaemonIfAlive() {
+  const daemon = daemonStatus();
+  if (!daemon.alive || !daemon.pid) return;
+  if (Number(daemon.pid) <= 1) {
+    try {
+      execSync("docker inspect exed >/dev/null 2>&1 && docker stop exed >/dev/null", { timeout: 3e4 });
+      return;
+    } catch {
+      throw new Error("Refusing to signal PID 1. Stop the exed Docker container manually, then retry.");
+    }
+  }
+  const result = requestDeployRestart("key-rotation");
+  if (!result.ok) {
+    throw new Error(`Daemon stop failed: ${result.skipped}`);
+  }
+  for (let i = 0; i < 10; i++) {
+    await new Promise((resolve) => setTimeout(resolve, 500));
+    if (!daemonStatus().alive) return;
+  }
+  throw new Error(`Daemon pid ${daemon.pid} did not stop after orchestrated kill; refusing to rotate`);
+}
+async function keyStatus() {
+  const key = await getMasterKey();
+  const storage = await getKeyStorageInfo();
+  if (!key) {
+    console.log("Encryption key: MISSING");
+    console.log(`Storage: ${storage.kind} \u2014 ${storage.note}`);
+    console.log("DB open: skipped");
+    return 1;
+  }
+  console.log("Encryption key: FOUND");
+  console.log(`Storage: ${storage.kind} \u2014 ${storage.note}`);
+  console.log(`Key length: ${key.length} bytes`);
+  try {
+    const config = await loadConfig();
+    await initDatabase({ dbPath: config.dbPath, encryptionKey: key.toString("hex") });
+    const client = getClient();
+    const memories = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+    const tasks = await client.execute("SELECT COUNT(*) as cnt FROM tasks");
+    console.log(`DB open: OK (${memories.rows[0]?.cnt ?? 0} memories, ${tasks.rows[0]?.cnt ?? 0} tasks)`);
+    return 0;
+  } catch (err) {
+    console.log(`DB open: FAILED (${err instanceof Error ? err.message : String(err)})`);
+    return 2;
+  }
+}
+async function preflight() {
+  const key = await getMasterKey();
+  if (!key) throw new Error("memory encryption key not found");
+  console.log("\u2713 Memory encryption key found");
+  const config = await loadConfig();
+  assertValidDbPath(config.dbPath, "exe-key preflight");
+  const dbPath = expandHome(config.dbPath);
+  if (!existsSync(dbPath)) throw new Error(`DB not found at ${dbPath}`);
+  const dbSize = statSync(dbPath).size;
+  console.log(`\u2713 DB exists: ${dbPath} (${humanBytes(dbSize)})`);
+  await initDatabase({ dbPath: config.dbPath, encryptionKey: key.toString("hex") });
+  const client = getClient();
+  const memories = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+  const tasks = await client.execute("SELECT COUNT(*) as cnt FROM tasks");
+  const behaviors = await client.execute("SELECT COUNT(*) as cnt FROM behaviors");
+  console.log(`\u2713 Current key opens DB: ${memories.rows[0]?.cnt ?? 0} memories, ${tasks.rows[0]?.cnt ?? 0} tasks, ${behaviors.rows[0]?.cnt ?? 0} behaviors`);
+  const daemon = daemonStatus();
+  console.log(`${daemon.alive ? "\u26A0" : "\u2713"} Daemon: ${daemon.alive ? `running (pid ${daemon.pid}) \u2014 rotation will stop it before mutation` : "not running"}`);
+  if (config.cloud?.apiKey) {
+    console.log("\u2713 Cloud sync is configured: this wizard will re-upload a clean encrypted cloud backup after rotation.");
+  } else {
+    console.log("\u2713 Cloud sync not configured");
+  }
+  const mnemonic = await exportMnemonic(key);
+  console.log(`\u2713 Current recovery phrase is available (${mnemonic.split(/\s+/).length} words; not printed)`);
+  return { key, dbPath, cloudConfigured: Boolean(config.cloud?.apiKey) };
+}
+function quoteIdent(name) {
+  return `"${name.replaceAll('"', '""')}"`;
+}
+async function getTableNames(client) {
+  const rs = await client.execute("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' ORDER BY name");
+  return rs.rows.map((row) => String(row.name)).filter((name) => !name.includes("_fts"));
+}
+async function getColumns(client, table) {
+  const rs = await client.execute(`PRAGMA table_info(${quoteIdent(table)})`);
+  return rs.rows.map((row) => String(row.name));
+}
+async function copyTable(source, target, table) {
+  const sourceCols = await getColumns(source, table);
+  let targetCols;
+  try {
+    targetCols = await getColumns(target, table);
+  } catch {
+    return 0;
+  }
+  const targetSet = new Set(targetCols);
+  const cols = sourceCols.filter((col) => targetSet.has(col));
+  if (cols.length === 0) return 0;
+  const countRs = await source.execute(`SELECT COUNT(*) as cnt FROM ${quoteIdent(table)}`);
+  const count = Number(countRs.rows[0]?.cnt ?? 0);
+  const pageSize = table === "memories" ? 250 : 1e3;
+  const colSql = cols.map(quoteIdent).join(", ");
+  const placeholders = cols.map(() => "?").join(", ");
+  const insertSql = `INSERT OR REPLACE INTO ${quoteIdent(table)} (${colSql}) VALUES (${placeholders})`;
+  let offset = 0;
+  let copied = 0;
+  while (offset < count) {
+    const rs = await source.execute({
+      sql: `SELECT ${colSql} FROM ${quoteIdent(table)} LIMIT ? OFFSET ?`,
+      args: [pageSize, offset]
+    });
+    const stmts = rs.rows.map((row) => ({
+      sql: insertSql,
+      args: cols.map((col) => row[col])
+    }));
+    if (stmts.length > 0) {
+      await target.batch(stmts, "write");
+      copied += stmts.length;
+    }
+    offset += rs.rows.length;
+    if (rs.rows.length === 0) break;
+    if (table === "memories" && copied % 5e3 === 0) {
+      console.log(`  copying memories: ${copied}/${count}`);
+    }
+  }
+  return copied;
+}
+async function rotateWizard(argv) {
+  const dryRun = argv.includes("--dry-run");
+  console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log(" EXE OS KEY ROTATION WIZARD");
+  console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log("");
+  console.log("\u{1F6A8}\u{1F6A8}\u{1F6A8} DANGER \u2014 KEY ROTATION IS A ONE-WAY SECURITY ACTION \u{1F6A8}\u{1F6A8}\u{1F6A8}");
+  console.log("*** READ THIS BEFORE CONTINUING ***");
+  console.log("");
+  console.log("Running `exe-os key rotate` will:");
+  console.log("  1. Remove the current memory encryption key from active use.");
+  console.log("  2. Create a NEW memory encryption key and a NEW 24-word recovery phrase.");
+  console.log("  3. Re-encrypt your local memory database with the new key.");
+  console.log("  4. Make the old key useless for any NEW data after rotation.");
+  console.log("  5. Automatically re-upload Exe Cloud with the new key after you save the phrase.");
+  console.log("");
+  console.log("Your old-key encrypted backup is kept for safety, but your active Exe OS memory will use the NEW key.");
+  console.log("Do not continue unless you are ready to save the NEW 24-word recovery phrase.");
+  console.log("After rotation, this wizard will make cloud sync safe again automatically.");
+  console.log("");
+  if (shouldRefuseRotationMutation(dryRun, isInteractiveTerminal())) {
+    console.error("For safety, key rotation must be run in your local Terminal. To preview without changes, run: exe-os key rotate --dry-run");
+    return 1;
+  }
+  let pf;
+  try {
+    pf = await preflight();
+  } catch (err) {
+    console.error(`Preflight failed: ${err instanceof Error ? err.message : String(err)}`);
+    return 1;
+  }
+  if (dryRun) {
+    console.log("");
+    console.log("Dry run complete. No key, DB, daemon, or cloud state changed.");
+    return 0;
+  }
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    console.log("");
+    console.log("Before continuing, confirm you understand this creates a NEW 24-word recovery phrase.");
+    console.log("You must save the new phrase after rotation. Without it, you can lose access to encrypted memories.");
+    const answer = await ask(rl, 'Type exactly "I WANT TO CHANGE MY KEY" to continue: ');
+    if (answer !== "I WANT TO CHANGE MY KEY") {
+      console.log("Cancelled.");
+      return 1;
+    }
+  } finally {
+    rl.close();
+  }
+  const rotationId = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+  const baseDir = path.join(dataDir(), "key-rotation", rotationId);
+  mkdirSync(baseDir, { recursive: true, mode: 448 });
+  const backupDir = path.join(baseDir, "pre-rotation-encrypted-backup");
+  mkdirSync(backupDir, { recursive: true, mode: 448 });
+  const newDbPath = path.join(baseDir, "new-memories.db");
+  const newKey = crypto.randomBytes(32);
+  const newKeyTempPath = path.join(baseDir, "NEW_KEY_DO_NOT_SHARE.base64");
+  writeFileSync(newKeyTempPath, `${newKey.toString("base64")}
+`, { mode: 384 });
+  console.log(`Rotation workspace: ${baseDir}`);
+  console.log("Stopping daemon...");
+  await stopDaemonIfAlive();
+  console.log("Backing up encrypted DB/WAL/SHM...");
+  const dbDir = path.dirname(pf.dbPath);
+  for (const name of ["memories.db", "memories.db-wal", "memories.db-shm"]) {
+    const src = path.join(dbDir, name);
+    if (existsSync(src)) copyFileSync(src, path.join(backupDir, name));
+  }
+  console.log("Creating fresh encrypted DB with new key...");
+  await initDatabase({ dbPath: newDbPath, encryptionKey: newKey.toString("hex") });
+  await ensureSchema();
+  const target = getClient();
+  await target.execute("PRAGMA foreign_keys=OFF");
+  assertValidDbPath(pf.dbPath, "exe-key rotate source");
+  const source = createClient({ url: `file:${pf.dbPath}`, encryptionKey: pf.key.toString("hex") });
+  await source.execute("PRAGMA busy_timeout = 30000");
+  const tables = await getTableNames(source);
+  const copiedTables = [];
+  for (const table of tables) {
+    const copied = await copyTable(source, target, table);
+    copiedTables.push({ table, count: copied });
+    console.log(`\u2713 copied ${table}: ${copied}`);
+  }
+  const generationId = crypto.randomUUID();
+  await target.execute({ sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES (?, ?)", args: ["key_rotation_at", (/* @__PURE__ */ new Date()).toISOString()] });
+  await target.execute({ sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES (?, ?)", args: ["key_rotation_generation_id", generationId] });
+  await target.execute({ sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES (?, ?)", args: ["cloud_reupload_required", pf.cloudConfigured ? "1" : "0"] });
+  await target.execute("DELETE FROM sync_meta WHERE key IN ('last_cloud_pull_version', 'last_cloud_push_version')");
+  const verifyMem = await target.execute("SELECT COUNT(*) as cnt FROM memories");
+  const verifyTasks = await target.execute("SELECT COUNT(*) as cnt FROM tasks");
+  const expectedMemories = Number(verifyMem.rows[0]?.cnt ?? 0);
+  const expectedTasks = Number(verifyTasks.rows[0]?.cnt ?? 0);
+  console.log(`Verified new DB: ${expectedMemories} memories, ${expectedTasks} tasks`);
+  await target.execute("PRAGMA wal_checkpoint(TRUNCATE)");
+  try {
+    source.close();
+  } catch {
+  }
+  try {
+    target.close();
+  } catch {
+  }
+  console.log("Swapping DB files...");
+  for (const name of ["memories.db", "memories.db-wal", "memories.db-shm"]) {
+    const current = path.join(dbDir, name);
+    if (existsSync(current)) renameSync(current, path.join(backupDir, `moved-${name}`));
+  }
+  copyFileSync(newDbPath, pf.dbPath);
+  rmSync(path.join(dbDir, "memories.db-wal"), { force: true });
+  rmSync(path.join(dbDir, "memories.db-shm"), { force: true });
+  console.log("Installing new key into OS keychain...");
+  await setMasterKey(newKey);
+  await initDatabase({ dbPath: pf.dbPath, encryptionKey: newKey.toString("hex") });
+  const finalClient = getClient();
+  const finalMem = await finalClient.execute("SELECT COUNT(*) as cnt FROM memories");
+  const finalTasks = await finalClient.execute("SELECT COUNT(*) as cnt FROM tasks");
+  const finalMemoryCount = Number(finalMem.rows[0]?.cnt ?? 0);
+  const finalTaskCount = Number(finalTasks.rows[0]?.cnt ?? 0);
+  if (finalMemoryCount !== expectedMemories || finalTaskCount !== expectedTasks) {
+    throw new Error(`Post-swap verification mismatch: expected ${expectedMemories}/${expectedTasks}, got ${finalMemoryCount}/${finalTaskCount}. Backup kept at ${backupDir}`);
+  }
+  rmSync(newKeyTempPath, { force: true });
+  writeFileSync(path.join(baseDir, "rotation-manifest.json"), JSON.stringify({
+    rotationId,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    backupDir,
+    generationId,
+    cloudReuploadRequired: pf.cloudConfigured,
+    finalCounts: { memories: finalMemoryCount, tasks: finalTaskCount },
+    copiedTables
+  }, null, 2) + "\n", { mode: 384 });
+  console.log("Restarting daemon and verifying daemon DB access...");
+  try {
+    const { connectEmbedDaemon, sendDaemonRequest, isClientConnected, disconnectClient } = await import("./lib/exe-daemon-client.js");
+    await connectEmbedDaemon();
+    const resp = await sendDaemonRequest({ type: "db-execute", sql: "SELECT COUNT(*) as cnt FROM memories", args: [] });
+    if (resp.error) throw new Error(String(resp.error));
+    console.log(`\u2713 Daemon connected: ${isClientConnected()} (${resp.db?.rows?.[0]?.cnt ?? "?"} memories)`);
+    disconnectClient();
+  } catch (err) {
+    console.log(`\u26A0 Daemon restart/verify failed: ${err instanceof Error ? err.message : String(err)}`);
+    console.log("  You can retry by running any exe-os command that starts the daemon.");
+  }
+  console.log("");
+  console.log("Key rotation complete.");
+  console.log(`Backup kept at: ${backupDir}`);
+  console.log(`New DB verified: ${finalMemoryCount} memories, ${finalTaskCount} tasks`);
+  if (pf.cloudConfigured) {
+    console.log("Local key rotation is complete.");
+    console.log("Cloud sync is paused until your newly encrypted cloud backup is re-uploaded.");
+    console.log("");
+  }
+  const newRecoveryPhrase = await exportMnemonic(newKey);
+  console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log(" REQUIRED: SAVE YOUR NEW RECOVERY PHRASE");
+  console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log("Write these 24 words down now. They will not be uploaded to Exe Cloud.");
+  console.log("");
+  console.log(newRecoveryPhrase);
+  console.log("");
+  console.log("If you need to reveal it again later from this trusted local Terminal, run:");
+  console.log("  exe-os cloud link --show-full");
+  console.log("");
+  console.log("Do not continue to cloud re-upload until the NEW phrase is saved.");
+  if (pf.cloudConfigured) {
+    const rl2 = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+      const saved = await ask(rl2, 'After saving the 24 words, type exactly "I SAVED MY NEW RECOVERY PHRASE" to continue: ');
+      if (saved !== "I SAVED MY NEW RECOVERY PHRASE") {
+        console.log("Cloud re-upload skipped. Save the phrase with:");
+        console.log("  exe-os cloud link --show-full");
+        console.log("Then run:");
+        console.log("  exe-os cloud reupload");
+        return 0;
+      }
+    } finally {
+      rl2.close();
+    }
+    console.log("Starting automatic cloud re-upload now...");
+    try {
+      const { main: runCloud } = await import("./bin/exe-cloud.js");
+      const originalArgv = process.argv;
+      try {
+        process.argv = [process.argv[0], process.argv[1], "reupload", "--local-db-is-source-of-truth"];
+        await runCloud();
+      } finally {
+        process.argv = originalArgv;
+      }
+      console.log("\u2713 Cloud re-upload finished. Main device rotation is complete.");
+    } catch (err) {
+      console.log(`\u26A0 Cloud re-upload did not finish: ${err instanceof Error ? err.message : String(err)}`);
+      console.log("Your local key rotation succeeded, but normal cloud sync remains blocked.");
+      console.log("Retry with the support fallback command:");
+      console.log("  exe-os cloud reupload");
+    }
+  }
+  console.log("");
+  console.log("Cleanup guidance:");
+  console.log("  1. Verify the new recovery phrase opens this DB on another local terminal/device.");
+  console.log("  2. Keep the old-key encrypted backup until verification is complete.");
+  console.log(`  3. After verification, manually review/remove the sensitive rotation workspace: ${baseDir}`);
+  return 0;
+}
+async function acceptRotationWizard(argv) {
+  const dryRun = argv.includes("--dry-run");
+  console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log(" EXE OS TRUSTED NODE KEY ACCEPTANCE");
+  console.log("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log("");
+  console.log("This command is for a trusted VPS/projection worker after another device rotated the Exe OS key.");
+  console.log("");
+  console.log("It will:");
+  console.log("  1. Keep a local old-key backup first.");
+  console.log("  2. Import the NEW 24-word recovery phrase into this machine's secure key store.");
+  console.log("  3. Stop the local daemon if it is running.");
+  console.log("  4. Move this machine's old local encrypted SQLite DB aside as a backup.");
+  console.log("  5. Create a fresh local SQLite DB encrypted with the NEW key.");
+  console.log("  6. Pull from Exe Cloud to prove the NEW key can decrypt the newly uploaded cloud backup.");
+  console.log("  7. Roll back to the old key/local DB automatically if cloud verification fails.");
+  console.log("");
+  console.log("It will NOT rotate or re-encrypt local memory. The source of truth after this is Exe Cloud.");
+  console.log("Use this only on devices/VPS nodes that are allowed to decrypt memory and project it into exe-db.");
+  console.log("");
+  if (shouldRefuseTrustedKeyImport(dryRun, isInteractiveTerminal())) {
+    console.error("For safety, trusted key acceptance must be run in a local SSH/Tailscale terminal. To preview without changes, run: exe-os key accept-rotation --dry-run");
+    return 1;
+  }
+  const config = await loadConfig();
+  assertValidDbPath(config.dbPath, "exe-key accept-rotation");
+  const dbPath = expandHome(config.dbPath);
+  const existingKey = await getMasterKey();
+  const daemon = daemonStatus();
+  console.log(`Daemon: ${daemon.alive ? `running (pid ${daemon.pid}) \u2014 will stop before changing key` : "not running"}`);
+  console.log(`DB path: ${dbPath}`);
+  console.log(`Existing key: ${existingKey ? "present" : "missing"}`);
+  console.log(`Cloud config: ${config.cloud?.apiKey ? "present" : "missing"}`);
+  if (!config.cloud?.apiKey || !config.cloud?.endpoint) {
+    console.error("Cloud config is missing. This command must prove the new key against Exe Cloud, so it cannot continue.");
+    console.error("Configure cloud first, or use `exe-os cloud` if this is a new device setup.");
+    return 1;
+  }
+  const existingDbFiles = dbSidecarPaths(dbPath).filter(existsSync);
+  if (existingDbFiles.length > 0) {
+    console.log(`Existing DB files: ${existingDbFiles.map((p) => path.basename(p)).join(", ")}`);
+  } else {
+    console.log("Existing DB files: none");
+  }
+  if (dryRun) {
+    console.log("");
+    console.log("Dry run complete. No key, DB, daemon, or cloud state changed.");
+    return 0;
+  }
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  let mnemonic = "";
+  try {
+    console.log("");
+    const trust = await ask(rl, 'Type exactly "I TRUST THIS DEVICE" to continue: ');
+    if (trust !== "I TRUST THIS DEVICE") {
+      console.log("Cancelled.");
+      return 1;
+    }
+    mnemonic = await ask(rl, "Paste the NEW 24-word recovery phrase: ");
+  } finally {
+    rl.close();
+  }
+  let newKey;
+  try {
+    newKey = await importMnemonic(mnemonic);
+  } catch (err) {
+    console.error(`Invalid recovery phrase: ${err instanceof Error ? err.message : String(err)}`);
+    return 1;
+  }
+  const acceptId = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+  const baseDir = path.join(dataDir(), "key-acceptance", acceptId);
+  const backupDir = path.join(baseDir, "pre-acceptance-encrypted-db");
+  mkdirSync(backupDir, { recursive: true, mode: 448 });
+  if (existingKey) {
+    writeFileSync(path.join(baseDir, "OLD_KEY_BACKUP_DELETE_AFTER_VERIFICATION.base64"), `${existingKey.toString("base64")}
+`, { mode: 384 });
+  }
+  const restoreOldState = async () => {
+    await disposeDatabase();
+    if (existingKey) await setMasterKey(existingKey);
+    for (const file of dbSidecarPaths(dbPath)) {
+      rmSync(file, { force: true });
+      const backup = path.join(backupDir, path.basename(file));
+      if (existsSync(backup)) copyFileSync(backup, file);
+    }
+  };
+  console.log(`Acceptance workspace: ${baseDir}`);
+  console.log("Stopping daemon if needed...");
+  await stopDaemonIfAlive();
+  await disposeDatabase();
+  console.log("Backing up/moving old local DB files...");
+  const dbDir = path.dirname(dbPath);
+  mkdirSync(dbDir, { recursive: true, mode: 448 });
+  for (const file of dbSidecarPaths(dbPath)) {
+    if (!existsSync(file)) continue;
+    const dest = path.join(backupDir, path.basename(file));
+    copyFileSync(file, dest);
+    renameSync(file, path.join(backupDir, `moved-${path.basename(file)}`));
+    console.log(`\u2713 moved ${path.basename(file)}`);
+  }
+  console.log("Installing new key into OS keychain...");
+  await setMasterKey(newKey);
+  console.log("Creating fresh local DB encrypted with accepted key...");
+  await initDatabase({ dbPath: config.dbPath, encryptionKey: newKey.toString("hex") });
+  await ensureSchema();
+  await disposeDatabase();
+  console.log("Verifying NEW key against Exe Cloud by pulling synced data...");
+  try {
+    const { initSyncCrypto } = await import("./lib/crypto.js");
+    const { cloudSync } = await import("./lib/cloud-sync.js");
+    const { initStore, disposeStore } = await import("./lib/store.js");
+    initSyncCrypto(newKey);
+    await initStore({ lightweight: true });
+    const result = await cloudSync({ apiKey: config.cloud.apiKey, endpoint: config.cloud.endpoint });
+    await disposeStore();
+    console.log(`\u2713 Cloud verification succeeded: ${result.totalMemories.toLocaleString()} memories visible after sync`);
+  } catch (err) {
+    console.error(`Cloud verification failed: ${err instanceof Error ? err.message : String(err)}`);
+    console.error("Rolling back to the old key/local DB backup...");
+    await restoreOldState();
+    console.error("Rollback complete. The old key remains active on this machine.");
+    return 1;
+  }
+  writeFileSync(path.join(baseDir, "acceptance-manifest.json"), JSON.stringify({
+    acceptedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    dbPath,
+    backupDir,
+    cloudConfigured: Boolean(config.cloud?.apiKey)
+  }, null, 2) + "\n", { mode: 384 });
+  console.log("");
+  console.log("Trusted node key acceptance complete.");
+  console.log(`Old local DB backup: ${backupDir}`);
+  if (existingKey) console.log(`Old key backup kept at: ${path.join(baseDir, "OLD_KEY_BACKUP_DELETE_AFTER_VERIFICATION.base64")}`);
+  console.log("");
+  console.log("Next steps on this VPS/trusted node:");
+  console.log("  1. Restart daemon/projection worker:");
+  console.log("     sudo systemctl restart exed");
+  console.log("  2. Verify:");
+  console.log("     exe-os key status");
+  console.log("     exe-os cloud status");
+  console.log("  3. If needed, pull cloud data now:");
+  console.log("     exe-os cloud sync");
+  return 0;
+}
+async function main(argv = process.argv.slice(2)) {
+  const sub = argv[0];
+  let code = 0;
+  if (sub === "status") {
+    code = await keyStatus();
+  } else if (sub === "rotate") {
+    code = await rotateWizard(argv.slice(1));
+  } else if (sub === "update") {
+    code = await acceptRotationWizard(argv.slice(1));
+  } else {
+    console.error("Usage:");
+    console.error("  exe-os key status");
+    console.error("  exe-os key rotate --dry-run");
+    console.error("  exe-os key rotate");
+    console.error("  exe-os key update --dry-run");
+    console.error("  exe-os key update");
+    code = 1;
+  }
+  if (code !== 0) process.exitCode = code;
+}
+if (isMainModule(import.meta.url) && process.argv[1]?.includes("exe-key")) {
+  main().catch((err) => {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  });
+}
+export {
+  main,
+  shouldRefuseRotationMutation,
+  shouldRefuseTrustedKeyImport
+};