@askexenow/exe-os 0.9.294 → 0.9.296

package/deploy/compose/cloudflared/config.yml.example

@@ -4,15 +4,20 @@
 #   1. Create a tunnel at dash.cloudflare.com > Zero Trust > Networks > Tunnels
 #   2. Copy the tunnel token and set CLOUDFLARE_TUNNEL_TOKEN in .env
 #   3. Configure public hostnames in the Cloudflare dashboard:
-#        crm.<domain>     → http://exe-crm:3000
-#        wiki.<domain>    → http://exe-wiki:3001
+#        crm.<domain>     → http://exe-sso-edge:80   (unified SSO redirect — bug 96f8b2b2)
+#        wiki.<domain>    → http://exe-sso-edge:80   (unified SSO redirect)
+#        erp.<domain>     → http://exe-sso-edge:80   (unified SSO redirect)
 #        gateway.<domain> → http://exe-gateway:3100
-#        erp.<domain>     → http://exe-erp:8000
 #        monitor.<domain> → http://exe-monitor-hub:8090
 #        auth.<domain>    → http://gotrue:9999
 #        api.<domain>     → http://exe-os:8765
 #   No config.yml or credentials file needed — the token embeds everything.
 #
+#   IMPORTANT: crm/wiki/erp MUST route through exe-sso-edge (NOT straight to the
+#   app container). The edge is what 302s unauthenticated visitors to
+#   auth.<domain>; routing direct to the app skips the redirect (this was the
+#   bug). exe-sso-edge picks the app by Host header, so all three share one route.
+#
 # ADVANCED (config file mode): only needed if you want to manage routes locally
 # instead of via the Cloudflare dashboard. Leave CLOUDFLARE_TUNNEL_TOKEN empty
 # and edit docker-compose.yml cloudflared command to use:
@@ -26,15 +31,15 @@ tunnel: CHANGEME_TUNNEL_ID
 credentials-file: /etc/cloudflared/CHANGEME_TUNNEL_ID.json
 
 ingress:
-  # CRM
+  # CRM / Wiki / ERP — all routed through the unified SSO edge (bug 96f8b2b2).
+  # exe-sso-edge selects the app by Host header and 302s unauthenticated
+  # visitors to auth.<domain>/?product=<App>&redirect=<app-url>.
   - hostname: crm.CHANGEME_DOMAIN
-    service: http://exe-crm:3000
-  # Wiki
+    service: http://exe-sso-edge:80
   - hostname: wiki.CHANGEME_DOMAIN
-    service: http://exe-wiki:3001
-  # ERP
+    service: http://exe-sso-edge:80
   - hostname: erp.CHANGEME_DOMAIN
-    service: http://exe-erp:8000
+    service: http://exe-sso-edge:80
   # Gateway (WhatsApp, webhooks, pairing)
   - hostname: gateway.CHANGEME_DOMAIN
     service: http://exe-gateway:3100

package/deploy/compose/docker-compose.yml

@@ -630,6 +630,66 @@ services:
       driver: json-file
       options: { max-size: "10m", max-file: "3" }
 
+  # ------------------------------------------------------------------
+  # Unified SSO edge — reverse proxy in front of crm / wiki / erp (bug 96f8b2b2)
+  #
+  # cloudflared routes the app subdomains to THIS edge instead of straight to
+  # each app container. The edge includes deploy/nginx/snippets/sso-redirect.conf
+  # per app server block, so an unauthenticated top-level request 302s to
+  # auth.<domain>/?product=<App>&redirect=<app-url>. The app then consumes the
+  # returned ?access_token (it already shares GoTrue) and sets its session cookie;
+  # subsequent requests carry the cookie and skip the redirect.
+  #
+  # Config is templated from ${DOMAIN} at container start (envsubst in the
+  # entrypoint) — no customer domain is baked into the image. Per-app session
+  # cookie names live in sso-edge/default.conf.template.
+  # ------------------------------------------------------------------
+
+  exe-sso-edge:
+    image: nginx:alpine
+    container_name: exe-sso-edge
+    restart: unless-stopped
+    depends_on:
+      exe-crm:
+        condition: service_healthy
+      exe-wiki:
+        condition: service_healthy
+      exe-erp-nginx:
+        condition: service_healthy
+    environment:
+      DOMAIN: ${DOMAIN:?DOMAIN is required — set to your customer apex domain (e.g. hygo.co)}
+      # Neutralize nginx:alpine's built-in 20-envsubst-on-templates.sh: it would
+      # envsubst EVERY $var in the template (mangling nginx runtime vars). Our
+      # 99-render script (escapes runtime vars, substitutes only ${DOMAIN}) is the
+      # single source of truth. Point the built-in at an empty dir so it no-ops.
+      NGINX_ENVSUBST_TEMPLATE_DIR: /etc/nginx/no-templates
+    volumes:
+      - ./sso-edge/default.conf.template:/etc/nginx/exe-templates/default.conf.template:ro
+      - ./sso-edge/sso-redirect.conf:/etc/nginx/snippets/sso-redirect.conf:ro
+      - ./sso-edge/entrypoint.sh:/docker-entrypoint.d/99-render-sso-edge.sh:ro
+    # nginx:alpine runs /docker-entrypoint.d/*.sh then `nginx -g 'daemon off;'`.
+    # Our script renders the template from ${DOMAIN}; it does not exec nginx
+    # itself (the base entrypoint does), so it ends after `nginx -t`.
+    networks:
+      - backend
+      - frontend
+    healthcheck:
+      # Probe an app subdomain so the gate's server block (not the default 404)
+      # answers. Unauthenticated → 302, which wget treats as success with
+      # --max-redirect=0; any 2xx/3xx from the edge proves it is serving.
+      test: ["CMD", "wget", "-qO-", "--max-redirect=0", "--header=Host: crm.${DOMAIN}", "http://127.0.0.1:80/"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 20s
+    deploy:
+      resources:
+        limits:
+          memory: 64M
+    logging:
+      driver: json-file
+      options: { max-size: "10m", max-file: "3" }
+
   # ------------------------------------------------------------------
   # Infrastructure — Cloudflare Tunnel (replaces nginx + SSL certs)
   #
@@ -656,22 +716,32 @@ services:
       run
       --token ${CLOUDFLARE_TUNNEL_TOKEN}
     depends_on:
-      exe-crm:
+      # App subdomains (crm/wiki/erp) are fronted by exe-sso-edge for the unified
+      # SSO redirect (bug 96f8b2b2); gateway is routed directly.
+      exe-sso-edge:
         condition: service_healthy
       exe-gateway:
         condition: service_healthy
-      exe-wiki:
-        condition: service_healthy
     environment:
       TUNNEL_TOKEN: ${CLOUDFLARE_TUNNEL_TOKEN}
     networks:
       - backend
       - frontend
     healthcheck:
-      # `tunnel info` requires API credentials unavailable in token mode.
-      # The command above exposes cloudflared's local metrics endpoint; use it
-      # for container liveness without hitting the Cloudflare control plane.
-      test: ["CMD-SHELL", "pgrep -x cloudflared && wget -q --spider http://localhost:2000/ready || exit 1"]
+      # Bug 218b4d02 (HYGO): the original `tunnel info` probe needs exactly one
+      # positional arg (tunnel ID/name) + API creds unavailable in token mode, so
+      # it exited 255 and the container was ALWAYS 'unhealthy' (false alarm — the
+      # tunnel works). The follow-up `pgrep + wget /ready` probe is ALSO broken:
+      # cloudflare/cloudflared is a distroless, SHELL-LESS image (no sh/wget/
+      # pgrep/curl), so CMD-SHELL (`/bin/sh -c …`) can't execute at all and the
+      # check still always fails.
+      #
+      # The cloudflared binary is the ONLY executable in the image. Use it as an
+      # exec-form (no shell) liveness probe — `--version` exits 0 iff the binary
+      # is runnable, needs no tunnel ID and never touches the Cloudflare control
+      # plane. (Token-mode tunnels expose /ready on :2000 but there is no
+      # in-image HTTP client to reach it, so this is the cleanest valid probe.)
+      test: ["CMD", "cloudflared", "--version"]
       interval: 30s
       timeout: 5s
       start_period: 30s
@@ -954,7 +1024,7 @@ services:
   # ------------------------------------------------------------------
 
   exe-auth:
-    image: ${AUTH_IMAGE_TAG:-update.askexe.com/askexe/exe-auth:v0.1.0}
+    image: ${AUTH_IMAGE_TAG:-update.askexe.com/askexe/exe-auth:v0.1.1}
     container_name: exe-auth
     restart: unless-stopped
     environment:
@@ -969,10 +1039,18 @@ services:
     ports:
       - "127.0.0.1:${AUTH_PORT:-3300}:80"
     networks:
+      # Bug d2b6b3d9 (HYGO): exe-auth's nginx proxies /api/ to upstream
+      # `gotrue` (backend-only). With frontend-only networking nginx fails DNS
+      # resolution at boot — '[emerg] host not found in upstream "gotrue"' — and
+      # restart-loops. It needs `backend` to resolve+reach gotrue (and frontend
+      # for the cloudflared tunnel), matching exe-crm/exe-wiki/gateway.
+      - backend
       - frontend
     depends_on:
       exe-db:
         condition: service_healthy
+      gotrue:
+        condition: service_healthy
     healthcheck:
       test: ["CMD", "wget", "-qO-", "http://127.0.0.1:80/"]
       interval: 30s

package/deploy/compose/sso-edge/default.conf.template

@@ -0,0 +1,87 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# Unified SSO edge — reverse proxy in front of crm / wiki / erp  (bug 96f8b2b2)
+#
+# WHY THIS EXISTS
+#   #198 shipped deploy/nginx/snippets/sso-redirect.conf but on a cloudflared-
+#   fronted stack (HYGO) cloudflared routes straight to each app container, so
+#   the snippet was never in the serving path and unauth requests returned 200
+#   with no 302. This edge puts a real nginx in the request path (cloudflared →
+#   exe-sso-edge → app) and INCLUDES the snippet per app server block, so an
+#   unauthenticated top-level request 302s to auth.<domain>.
+#
+# TEMPLATING
+#   ${DOMAIN} is substituted at container start by `envsubst` in the entrypoint
+#   (matching the exe-auth gateway convention). No customer domain is hardcoded.
+#   nginx runtime variables ($request_uri, $cookie_*, $arg_*, $sso_*) are escaped
+#   in the entrypoint so envsubst leaves them untouched.
+# ─────────────────────────────────────────────────────────────────────────────
+
+upstream sso_crm  { server exe-crm:3000; }
+upstream sso_wiki { server exe-wiki:3001; }
+# ERP must be reached through its own nginx (gunicorn can't serve /assets/ — bug 6776edf0)
+upstream sso_erp  { server exe-erp-nginx:80; }
+
+map $http_upgrade $sso_conn_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+# Shared proxy headers (avoids repetition; keeps WebSocket upgrade working).
+proxy_http_version 1.1;
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header Upgrade           $http_upgrade;
+proxy_set_header Connection        $sso_conn_upgrade;
+proxy_read_timeout 120;
+client_max_body_size 50m;
+
+# ── CRM ──────────────────────────────────────────────────────────────────────
+server {
+    listen 80;
+    server_name crm.${DOMAIN};
+
+    set $sso_auth_base      "https://auth.${DOMAIN}";
+    set $sso_app_url        "https://crm.${DOMAIN}";
+    set $sso_product        "CRM";
+    set $sso_session_cookie $cookie_tokenPair;        # Twenty/CRM session cookie
+    include /etc/nginx/snippets/sso-redirect.conf;
+
+    location / { proxy_pass http://sso_crm; }
+}
+
+# ── Wiki ─────────────────────────────────────────────────────────────────────
+server {
+    listen 80;
+    server_name wiki.${DOMAIN};
+
+    set $sso_auth_base      "https://auth.${DOMAIN}";
+    set $sso_app_url        "https://wiki.${DOMAIN}";
+    set $sso_product        "Wiki";
+    set $sso_session_cookie $cookie_wiki_session;     # exe-wiki session cookie
+    include /etc/nginx/snippets/sso-redirect.conf;
+
+    location / { proxy_pass http://sso_wiki; }
+}
+
+# ── ERP ──────────────────────────────────────────────────────────────────────
+server {
+    listen 80;
+    server_name erp.${DOMAIN};
+
+    set $sso_auth_base      "https://auth.${DOMAIN}";
+    set $sso_app_url        "https://erp.${DOMAIN}";
+    set $sso_product        "ERP";
+    set $sso_session_cookie $cookie_sid;              # Frappe/ERPNext session cookie
+    include /etc/nginx/snippets/sso-redirect.conf;
+
+    location / { proxy_pass http://sso_erp; }
+}
+
+# Default — unknown host → 404 (no open proxy).
+server {
+    listen 80 default_server;
+    server_name _;
+    return 404;
+}

package/deploy/compose/sso-edge/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+# SSO edge render script (bug 96f8b2b2).
+#
+# Mounted as /docker-entrypoint.d/99-render-sso-edge.sh. The nginx:alpine base
+# entrypoint runs every /docker-entrypoint.d/*.sh and THEN execs
+# `nginx -g 'daemon off;'`, so this script only renders config — it must NOT
+# exec nginx itself.
+#
+# Renders the templated server blocks from ${DOMAIN} only, mirroring the
+# exe-auth gateway's start-time templating so no customer domain is baked in.
+set -eu
+
+: "${DOMAIN:?DOMAIN is required — set to your customer apex domain (e.g. hygo.co)}"
+
+TEMPLATE=/etc/nginx/exe-templates/default.conf.template
+TARGET=/etc/nginx/conf.d/default.conf
+
+# Substitute ONLY ${DOMAIN}. All nginx runtime variables ($request_uri,
+# $cookie_*, $arg_*, $sso_*, $host, $remote_addr, $proxy_add_x_forwarded_for,
+# $http_upgrade, $sso_conn_upgrade) must survive envsubst untouched.
+envsubst '${DOMAIN}' < "$TEMPLATE" > "$TARGET"
+
+echo "[sso-edge] rendered default.conf for DOMAIN=${DOMAIN}"

package/deploy/compose/sso-edge/sso-redirect.conf

@@ -0,0 +1,63 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# Unified SSO redirect snippet  (bug 66f8e10a)
+#
+# Funnels UNAUTHENTICATED visitors of an app subdomain (crm / wiki / erp) to the
+# central auth gateway at auth.<domain>, then lets the gateway redirect them back
+# with ?access_token=.  Without this, each app serves its own login form and the
+# advertised "single front door" does not exist.
+#
+# ── How it works ────────────────────────────────────────────────────────────
+#  1. nginx checks for a session cookie that the app sets once authenticated.
+#     The cookie name differs per app (Twenty/CRM, Wiki, Frappe/ERP) — set it
+#     via $sso_session_cookie below.
+#  2. If the cookie is ABSENT, nginx 302-redirects to:
+#       https://auth.<domain>/?product=<App>&redirect=https://<app>.<domain><uri>
+#  3. The gateway authenticates against the shared GoTrue and bounces the user
+#     back to the app URL with ?access_token=<jwt>&refresh_token=<...>.
+#  4. The app consumes the token (it already shares GoTrue) and sets its session
+#     cookie — subsequent requests carry the cookie and skip the redirect.
+#
+# ── Per-customer install ────────────────────────────────────────────────────
+# These are templated values — replace before installing, or render with envsubst
+# (DOMAIN, APP_NAME, APP_SUBDOMAIN, APP_SESSION_COOKIE):
+#
+#   server {
+#     server_name crm.${DOMAIN};
+#     set $sso_auth_base   "https://auth.${DOMAIN}";
+#     set $sso_app_url     "https://crm.${DOMAIN}";
+#     set $sso_product     "CRM";
+#     set $sso_session_cookie $cookie_tokenPair;   # Twenty/CRM session cookie
+#     include /etc/nginx/snippets/sso-redirect.conf;
+#     location / { proxy_pass http://exe-crm:3000; }
+#   }
+#
+#   For Wiki:  set $sso_product "Wiki"; set $sso_session_cookie $cookie_wiki_session;
+#              proxy_pass http://exe-wiki:3001;
+#   For ERP:   set $sso_product "ERP";  set $sso_session_cookie $cookie_sid;
+#              proxy_pass http://exe-erp:8000;
+#
+# NOTE: This is an EDGE-level gate (host nginx in front of the app). If you front
+# the stack with Cloudflare Tunnel instead of host nginx, implement the same gate
+# with Cloudflare Access (see sso-redirect.README.md) — cloudflared ingress alone
+# cannot express a cookie-conditional redirect.
+# ─────────────────────────────────────────────────────────────────────────────
+
+# Decide whether the request is authenticated. If the app session cookie is
+# present we treat the request as authenticated and do NOT redirect.
+# $sso_session_cookie must be set by the including server block (default: empty).
+set $sso_needs_login 1;
+if ($sso_session_cookie) {
+    set $sso_needs_login 0;
+}
+
+# Never redirect the SSO callback itself (it carries ?access_token=) or static/
+# health/API paths — only redirect top-level navigations.
+if ($arg_access_token) {
+    set $sso_needs_login 0;
+}
+
+# Perform the redirect for unauthenticated top-level page loads.
+# $request_uri preserves the path + query the user was trying to reach.
+if ($sso_needs_login = 1) {
+    return 302 "$sso_auth_base/?product=$sso_product&redirect=$sso_app_url$request_uri";
+}

package/deploy/stack-manifests/v0.9.json

@@ -1346,7 +1346,7 @@
       "breakingChanges": [],
       "services": {
         "exe-os": {
-          "image": "update.askexe.com/askexe/exe-os:v0.9.281@sha256:f5926c281b9f158063128daed39c1d296eec29e986e88ec33686440c177e5c4e",
+          "image": "update.askexe.com/askexe/exe-os:v0.9.294@sha256:cb89b04278beafc1596dd7b7c0012cbb75ce58a8e4c0ea2c1ffa5efffd5a03d7",
           "env": "EXE_OS_IMAGE_TAG",
           "composeService": "exe-os",
           "healthUrl": "http://127.0.0.1:8765/health",
@@ -1408,7 +1408,7 @@
           "description": "Monitoring Dashboard"
         },
         "auth": {
-          "image": "update.askexe.com/askexe/exe-auth:v0.1.0@sha256:9203e855eb45635913cd6772eaaa49209a6c32468f56051f9fa0760817a30e7d",
+          "image": "update.askexe.com/askexe/exe-auth:v0.1.1",
           "env": "AUTH_IMAGE_TAG",
           "composeService": "exe-auth",
           "healthUrl": "http://127.0.0.1:3300/",

package/dist/active-agent-AFX2FODG.js

@@ -0,0 +1,28 @@
+import "./chunk-SH45SJQW.js";
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-AKV44JEH.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-WUKHLCBE.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-2E43UXRH.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-R36FAN53.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-E2IJA7YX.js

@@ -0,0 +1,27 @@
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-AKV44JEH.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-WUKHLCBE.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-2E43UXRH.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-R36FAN53.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/agentic-ontology-A2YUZK5O.js

@@ -0,0 +1,25 @@
+import {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+} from "./chunk-465PQFTH.js";
+import "./chunk-MLKGABMK.js";
+export {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+};

package/dist/assets/com.askexe.exed.plist

@@ -40,8 +40,11 @@
   <!-- Environment -->
   <key>EnvironmentVariables</key>
   <dict>
+    <!-- Resolved at install time: the running node's bin dir is front-loaded so
+         the daemon and its children find node even when it lives in an
+         nvm/volta/fnm dir outside the system defaults (bug 19d3bfdb / 71adcb68). -->
     <key>PATH</key>
-    <string>/usr/local/bin:/usr/bin:/bin:/opt/homebrew/bin</string>
+    <string>__PATH__</string>
     <key>HOME</key>
     <string>__HOME__</string>__EXE_EMBEDDINGS_ENV__
   </dict>