@askexenow/exe-os 0.9.290 → 0.9.292

package/deploy/compose/docker-compose.yml

@@ -29,9 +29,31 @@ services:
     image: ${EXE_DB_IMAGE:-pgvector/pgvector:pg16}
     container_name: exe-db
     restart: unless-stopped
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
+    #
+    # WAL archiving / PITR (bug 5176aa4e). OPT-IN, first-boot-safe: defaults
+    # keep archive_mode=off so a fresh stack boots exactly as before (RPO = the
+    # nightly pg_dump). Set PG_ARCHIVE_MODE=on in .env to enable continuous WAL
+    # archiving for point-in-time recovery — archived segments land in the
+    # pg_wal_archive volume (back it up off-box via backup.sh --upload-r2).
+    # archive_command is a no-op (/bin/true) unless overridden so the server
+    # never wedges if the archive target is unwritable.
+    command:
+      - postgres
+      - -c
+      - wal_level=${PG_WAL_LEVEL:-replica}
+      - -c
+      - archive_mode=${PG_ARCHIVE_MODE:-off}
+      - -c
+      - archive_command=${PG_ARCHIVE_COMMAND:-test ! -d /var/lib/postgresql/wal_archive || cp %p /var/lib/postgresql/wal_archive/%f || /bin/true}
+      - -c
+      - archive_timeout=${PG_ARCHIVE_TIMEOUT:-300}
+      - -c
+      - max_wal_senders=${PG_MAX_WAL_SENDERS:-3}
     environment:
       POSTGRES_USER: ${POSTGRES_USER:-exe}
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}
@@ -39,6 +61,9 @@ services:
       PGDATA: /var/lib/postgresql/data/pgdata
     volumes:
       - postgres_data:/var/lib/postgresql/data
+      # WAL archive destination for PITR. Lives on a named volume so it survives
+      # container recreation; push it off-box for true disaster recovery.
+      - pg_wal_archive:/var/lib/postgresql/wal_archive
       - ./init-db.sql:/docker-entrypoint-initdb.d/01-init.sql:ro
     networks:
       - backend
@@ -56,9 +81,11 @@ services:
     image: clickhouse/clickhouse-server:24.8.4.13-alpine
     container_name: clickhouse
     restart: unless-stopped
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       CLICKHOUSE_DB: ${CLICKHOUSE_DB:-default}
       CLICKHOUSE_USER: ${CLICKHOUSE_USER:-exe}
@@ -95,9 +122,11 @@ services:
     image: redis:7.4-alpine
     container_name: redis
     restart: unless-stopped
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     command: ["redis-server", "--requirepass", "${REDIS_PASSWORD:?REDIS_PASSWORD is required}", "--save", "60", "1", "--appendonly", "yes"]
     volumes:
       - redis_data:/data
@@ -120,9 +149,11 @@ services:
     depends_on:
       exe-db:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       GOTRUE_API_PORT: ${GOTRUE_API_PORT:-9999}
       GOTRUE_DB_DRIVER: postgres
@@ -137,14 +168,20 @@ services:
       GOTRUE_JWT_SECRET: ${GOTRUE_JWT_SECRET:?GOTRUE_JWT_SECRET is required}
       GOTRUE_JWT_EXP: ${GOTRUE_JWT_EXP:-3600}
       GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
-      API_EXTERNAL_URL: ${GOTRUE_EXTERNAL_URL:-https://auth.askexe.com}
+      # No hardcoded askexe.com fallback — GOTRUE_EXTERNAL_URL is set per-customer
+      # in .env (https://auth.<domain>) and must be present (bug 47965144 class).
+      API_EXTERNAL_URL: ${GOTRUE_EXTERNAL_URL:?GOTRUE_EXTERNAL_URL is required — set to https://auth.<your-domain> in .env}
       GOTRUE_DISABLE_SIGNUP: ${GOTRUE_DISABLE_SIGNUP:-true}
       GOTRUE_MAILER_AUTOCONFIRM: ${GOTRUE_MAILER_AUTOCONFIRM:-false}
       GOTRUE_SMTP_HOST: ${SMTP_HOST:-}
       GOTRUE_SMTP_PORT: ${SMTP_PORT:-587}
       GOTRUE_SMTP_USER: ${SMTP_USER:-}
       GOTRUE_SMTP_PASS: ${SMTP_PASS:-}
-      GOTRUE_SMTP_ADMIN_EMAIL: ${SMTP_FROM:-noreply@askexe.com}
+      # Bug 133c9d5b: never fall back to a hardcoded askexe.com sender. SMTP_FROM
+      # is written to .env by generate-env.ts as noreply@<customer-domain>. A
+      # missing value fails loudly rather than silently sending auth mail From
+      # noreply@askexe.com (wrong branding + SPF/DKIM/DMARC failure).
+      GOTRUE_SMTP_ADMIN_EMAIL: ${SMTP_FROM:?SMTP_FROM is required — set to noreply@<your-domain> in .env}
     ports:
       - "127.0.0.1:${GOTRUE_HOST_PORT:-9999}:9999"
     networks:
@@ -208,9 +245,11 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       NODE_ENV: production
       NODE_PORT: "3000"
@@ -258,9 +297,11 @@ services:
         condition: service_healthy
       exe-crm:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       NODE_ENV: production
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
@@ -300,9 +341,11 @@ services:
         condition: service_healthy
       gotrue:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       NODE_ENV: production
       SERVER_PORT: "3001"
@@ -342,9 +385,11 @@ services:
     image: ${EXE_OS_SERVER_IMAGE_TAG:-${EXE_OS_IMAGE_TAG:-${EXED_IMAGE_TAG:-ghcr.io/askexe/exe-os:v0.9.270}}}
     container_name: exe-os
     restart: unless-stopped
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       NODE_ENV: production
       EXED_PORT: "8765"
@@ -401,9 +446,11 @@ services:
     depends_on:
       exe-os:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       NODE_ENV: production
       EXE_OS_DIR: /home/exed/.exe-os
@@ -432,9 +479,11 @@ services:
     depends_on:
       exe-os:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       NODE_ENV: production
       EXE_GATEWAY_HOME: /data
@@ -550,9 +599,11 @@ services:
     profiles: ["registry-proxy", "askexe-control-plane"]
     restart: unless-stopped
     entrypoint: ["node", "/app/dist/bin/registry-proxy.js"]
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       EXE_REGISTRY_PROXY_PORT: "${EXE_REGISTRY_PROXY_PORT:-3200}"
       EXE_REGISTRY_PROXY_HOST: "${EXE_REGISTRY_PROXY_HOST:-0.0.0.0}"
@@ -637,7 +688,7 @@ services:
   # 4 services: gunicorn API, websocket, RQ worker, scheduler.
 
   exe-erp:
-    image: ${ERP_IMAGE_TAG:-ghcr.io/askexe/exe-erp:v0.2.0-final3}
+    image: ${ERP_IMAGE_TAG:-ghcr.io/askexe/exe-erp:v0.2.0-final8}
     container_name: exe-erp
     restart: unless-stopped
     entrypoint: ["/usr/local/bin/entrypoint.sh"]
@@ -658,9 +709,11 @@ services:
         condition: service_healthy
       gotrue:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       DB_HOST: exe-db
       DB_PORT: "5432"
@@ -736,7 +789,7 @@ services:
       options: { max-size: "10m", max-file: "3" }
 
   exe-erp-websocket:
-    image: ${ERP_IMAGE_TAG:-ghcr.io/askexe/exe-erp:v0.2.0-final3}
+    image: ${ERP_IMAGE_TAG:-ghcr.io/askexe/exe-erp:v0.2.0-final8}
     container_name: exe-erp-websocket
     restart: unless-stopped
     entrypoint: []
@@ -765,9 +818,11 @@ services:
     depends_on:
       exe-erp:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       REDIS_SOCKETIO: redis://:${REDIS_PASSWORD:?REDIS_PASSWORD is required}@redis:6379/5
       SITE_NAME: ${ERP_SITE_NAME:-erp.askexe.com}
@@ -786,7 +841,7 @@ services:
       options: { max-size: "10m", max-file: "3" }
 
   exe-erp-queue:
-    image: ${ERP_IMAGE_TAG:-ghcr.io/askexe/exe-erp:v0.2.0-final3}
+    image: ${ERP_IMAGE_TAG:-ghcr.io/askexe/exe-erp:v0.2.0-final8}
     container_name: exe-erp-queue
     restart: unless-stopped
     entrypoint: []
@@ -794,9 +849,11 @@ services:
     depends_on:
       exe-erp:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       DB_HOST: exe-db
       DB_PORT: "5432"
@@ -820,7 +877,7 @@ services:
       options: { max-size: "10m", max-file: "3" }
 
   exe-erp-scheduler:
-    image: ${ERP_IMAGE_TAG:-ghcr.io/askexe/exe-erp:v0.2.0-final3}
+    image: ${ERP_IMAGE_TAG:-ghcr.io/askexe/exe-erp:v0.2.0-final8}
     container_name: exe-erp-scheduler
     restart: unless-stopped
     entrypoint: []
@@ -828,9 +885,11 @@ services:
     depends_on:
       exe-erp:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
+    # SECURITY (bug 67d62490): no blanket `env_file: .env`. Each service
+    # receives ONLY the secrets it owns via the explicit `environment:` block
+    # below (values interpolated from .env at compose-parse time, never the
+    # whole secret file). A compromise of one app container cannot read another
+    # service's GOTRUE_JWT_SECRET / DB passwords / CLOUDFLARE_TUNNEL_TOKEN, etc.
     environment:
       DB_HOST: exe-db
       DB_PORT: "5432"
@@ -898,6 +957,15 @@ services:
     image: ${AUTH_IMAGE_TAG:-update.askexe.com/askexe/exe-auth:v0.1.0}
     container_name: exe-auth
     restart: unless-stopped
+    environment:
+      # Customer apex domain — the gateway templates its nginx server_name, CORS
+      # origin, default redirect and SPA domain from this at container start.
+      # Never falls back to askexe.com (bug 47965144).
+      DOMAIN: ${DOMAIN:?DOMAIN is required — set to your customer apex domain (e.g. hygo.co)}
+      AUTH_SERVER_NAME: ${AUTH_SERVER_NAME:-}
+      AUTH_CORS_ORIGIN: ${AUTH_CORS_ORIGIN:-}
+      AUTH_DEFAULT_REDIRECT: ${AUTH_DEFAULT_REDIRECT:-}
+      AUTH_DEFAULT_PRODUCT: ${AUTH_DEFAULT_PRODUCT:-AUTH}
     ports:
       - "127.0.0.1:${AUTH_PORT:-3300}:80"
     networks:
@@ -921,9 +989,18 @@ services:
 # ------------------------------------------------------------------
 # Volumes
 # ------------------------------------------------------------------
+# At-rest encryption (bug 5176aa4e): the named volumes below default to the
+# local driver (plain ext4). For at-rest encryption of the relational/analytics
+# data — matching the SQLCipher-encrypted memory store — mount the Docker data
+# root (/var/lib/docker) on a LUKS-encrypted block device, or override
+# PG_DATA_DEVICE / driver_opts to point these volumes at an encrypted device.
+# See deploy/CUSTOMER-GUIDE.md > "Encryption at rest (optional)".
 volumes:
   postgres_data:
     driver: local
+  # WAL archive for point-in-time recovery (enabled via PG_ARCHIVE_MODE=on).
+  pg_wal_archive:
+    driver: local
   clickhouse_data:
     driver: local
   clickhouse_logs:

package/deploy/compose/generate-env.ts

@@ -55,6 +55,11 @@ export function generateEnv(options: GenerateEnvOptions): string {
   const gatewayWsAuthToken = randomSecret(RANDOM_SECRET_48);
 
   return joinEnvLines([
+    "# --- Domain ---",
+    "# Customer apex domain. Drives auth gateway templating (server_name, CORS,",
+    "# default redirect) and the GoTrue From address. Never falls back to askexe.com.",
+    `DOMAIN=${normalizedDomain}`,
+    "",
     "# --- Data Layer ---",
     `POSTGRES_USER=${POSTGRES_USER}`,
     `POSTGRES_PASSWORD=${randomSecret(RANDOM_SECRET_32)}`,
@@ -71,8 +76,21 @@ export function generateEnv(options: GenerateEnvOptions): string {
     "GOTRUE_API_PORT=9999",
     `GOTRUE_SITE_URL=https://crm.${normalizedDomain}`,
     `GOTRUE_EXTERNAL_URL=https://auth.${normalizedDomain}`,
+    "# SSO redirect allow-list (bug 66f8e10a): app origins the gateway may bounce",
+    "# users back to via ?redirect=. Required for unified SSO across crm/wiki/erp.",
+    `GOTRUE_URI_ALLOW_LIST=https://crm.${normalizedDomain},https://wiki.${normalizedDomain},https://erp.${normalizedDomain}`,
     "GOTRUE_DISABLE_SIGNUP=true",
     "GOTRUE_MAILER_AUTOCONFIRM=false",
+    "# Auth emails (confirm/reset/magic-link) send From this customer-domain",
+    "# address — not noreply@askexe.com (bug 133c9d5b). Configure SPF/DKIM/DMARC",
+    "# for this sender. SMTP stays off until SMTP_HOST is set.",
+    `SMTP_FROM=noreply@${normalizedDomain}`,
+    "# To enable verified email confirmation, set SMTP_HOST/PORT/USER/PASS below.",
+    "# MAILER_AUTOCONFIRM is already false, so once SMTP is live, ownership is verified.",
+    "SMTP_HOST=",
+    "SMTP_PORT=587",
+    "SMTP_USER=",
+    "SMTP_PASS=",
     "",
     "# --- CRM ---",
     `CRM_IMAGE_TAG=${CRM_IMAGE_TAG}`,
@@ -188,6 +206,10 @@ export function generateExampleEnv(): string {
     "# Copy to .env before deployment and replace every CHANGEME_* value.",
     "# Values under # SET_MANUALLY must be provided by the operator.",
     "",
+    "# --- Domain ---",
+    "# Customer apex domain. Drives auth gateway templating and GoTrue From address.",
+    "DOMAIN=CHANGEME_DOMAIN",
+    "",
     "# --- Data Layer ---",
     `POSTGRES_USER=${POSTGRES_USER}`,
     "POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD",
@@ -204,8 +226,17 @@ export function generateExampleEnv(): string {
     "GOTRUE_API_PORT=9999",
     "GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN",
     "GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN",
+    "# SSO redirect allow-list (bug 66f8e10a) — app origins for unified SSO.",
+    "GOTRUE_URI_ALLOW_LIST=https://crm.CHANGEME_DOMAIN,https://wiki.CHANGEME_DOMAIN,https://erp.CHANGEME_DOMAIN",
     "GOTRUE_DISABLE_SIGNUP=true",
     "GOTRUE_MAILER_AUTOCONFIRM=false",
+    "# From address for auth emails — customer domain, not askexe.com (bug 133c9d5b).",
+    "SMTP_FROM=noreply@CHANGEME_DOMAIN",
+    "# To enable verified email confirmation, set SMTP_* below (MAILER_AUTOCONFIRM stays false).",
+    "SMTP_HOST=",
+    "SMTP_PORT=587",
+    "SMTP_USER=",
+    "SMTP_PASS=",
     "",
     "# --- CRM ---",
     `CRM_IMAGE_TAG=${CRM_IMAGE_TAG}`,

package/deploy/compose/setup.sh

@@ -55,6 +55,7 @@ else
       info "Generating secrets inline..."
       gen() { openssl rand -hex "$1"; }
       cat > .env << ENVEOF
+DOMAIN=${DOMAIN}
 POSTGRES_USER=exe
 POSTGRES_PASSWORD=$(gen 32)
 POSTGRES_DB=exedb
@@ -65,10 +66,18 @@ REDIS_PASSWORD=$(gen 32)
 GOTRUE_JWT_SECRET=$(gen 48)
 GOTRUE_SITE_URL=https://crm.${DOMAIN}
 GOTRUE_EXTERNAL_URL=https://auth.${DOMAIN}
-GOTRUE_DISABLE_SIGNUP=false
-GOTRUE_MAILER_AUTOCONFIRM=true
+# Invite-only by default; never autoconfirm without an SMTP round-trip (bug 36c04fe3).
+# Configure SMTP_HOST below and keep MAILER_AUTOCONFIRM=false to verify email ownership.
+GOTRUE_DISABLE_SIGNUP=true
+GOTRUE_MAILER_AUTOCONFIRM=false
 GOTRUE_EXTERNAL_EMAIL_ENABLED=true
 GOTRUE_EXTERNAL_PHONE_ENABLED=false
+# Auth-email From address — customer domain, not askexe.com (bug 133c9d5b).
+SMTP_FROM=noreply@${DOMAIN}
+SMTP_HOST=
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASS=
 IS_SIGN_UP_DISABLED=true
 AUTH_PASSWORD_ENABLED=true
 CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.3

package/dist/active-agent-5DCUU6QR.js

@@ -0,0 +1,28 @@
+import "./chunk-SH45SJQW.js";
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-7YEOKPZ6.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-LCOPVYU2.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-LJONNOFH.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-5P3HOBZX.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-JTTDI66I.js

@@ -0,0 +1,27 @@
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-CSXNLHUU.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-MUQ46NLH.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-HNDG5ZDJ.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-R36FAN53.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-NQAHMQSR.js

@@ -0,0 +1,27 @@
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-7YEOKPZ6.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-LCOPVYU2.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-LJONNOFH.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-5P3HOBZX.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-QHGHLMYS.js

@@ -0,0 +1,28 @@
+import "./chunk-SH45SJQW.js";
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-CSXNLHUU.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-MUQ46NLH.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-HNDG5ZDJ.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-R36FAN53.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/agentic-ontology-7RXZLSZY.js

@@ -0,0 +1,25 @@
+import {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+} from "./chunk-M46T2E3A.js";
+import "./chunk-MLKGABMK.js";
+export {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+};

package/dist/agentic-ontology-BSSNX24R.js

@@ -0,0 +1,25 @@
+import {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+} from "./chunk-JXOXGBC2.js";
+import "./chunk-MLKGABMK.js";
+export {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+};