@askexenow/exe-os 0.9.294 → 0.9.296

package/dist/chunk-LXDQTW32.js

@@ -0,0 +1,230 @@
+// src/bin/vps-health-gate.ts
+import { spawnSync } from "child_process";
+import { appendFileSync, existsSync, mkdirSync, readdirSync } from "fs";
+import http from "http";
+import path from "path";
+var DEPLOY_LOG = "/opt/exe-stack/deploy-log.jsonl";
+var BACKUP_DIR = "/opt/exe-stack/backups";
+async function checkCRM() {
+  const start = Date.now();
+  try {
+    const status = await httpGet("http://localhost:3000/api");
+    return {
+      check: "crm",
+      status: status >= 200 && status < 400 ? "pass" : "fail",
+      message: status >= 200 && status < 400 ? `CRM healthy (HTTP ${status})` : `CRM unhealthy (HTTP ${status})`,
+      durationMs: Date.now() - start
+    };
+  } catch (err) {
+    return {
+      check: "crm",
+      status: "fail",
+      message: `CRM unreachable: ${err instanceof Error ? err.message : err}`,
+      durationMs: Date.now() - start
+    };
+  }
+}
+async function checkGateway() {
+  const start = Date.now();
+  try {
+    const status = await httpGet("http://localhost:3100/health");
+    return {
+      check: "gateway",
+      status: status >= 200 && status < 300 ? "pass" : "fail",
+      message: status >= 200 && status < 300 ? `Gateway healthy (HTTP ${status})` : `Gateway unhealthy (HTTP ${status})`,
+      durationMs: Date.now() - start
+    };
+  } catch (err) {
+    return {
+      check: "gateway",
+      status: "fail",
+      message: `Gateway unreachable: ${err instanceof Error ? err.message : err}`,
+      durationMs: Date.now() - start
+    };
+  }
+}
+function checkPostgres() {
+  const start = Date.now();
+  const databaseUrl = process.env.DATABASE_URL || "postgres://exe@localhost:5432/exedb";
+  const result = spawnSync("psql", [databaseUrl, "-c", "SELECT 1"], {
+    encoding: "utf8",
+    stdio: ["pipe", "pipe", "pipe"],
+    timeout: 1e4
+  });
+  return {
+    check: "postgres",
+    status: result.status === 0 ? "pass" : "fail",
+    message: result.status === 0 ? "Postgres responding" : `Postgres failed: ${result.stderr?.trim() || `exit ${result.status}`}`,
+    durationMs: Date.now() - start
+  };
+}
+function checkRawEvents() {
+  const start = Date.now();
+  const databaseUrl = process.env.DATABASE_URL || "postgres://exe@localhost:5432/exedb";
+  const result = spawnSync(
+    "psql",
+    [databaseUrl, "-t", "-c", "SELECT count(*) FROM raw.raw_events"],
+    {
+      encoding: "utf8",
+      stdio: ["pipe", "pipe", "pipe"],
+      timeout: 1e4
+    }
+  );
+  if (result.status !== 0) {
+    return {
+      check: "raw_events",
+      status: "fail",
+      message: `raw.raw_events query failed: ${result.stderr?.trim() || `exit ${result.status}`}`,
+      durationMs: Date.now() - start
+    };
+  }
+  const count = parseInt(result.stdout?.trim() || "0", 10);
+  return {
+    check: "raw_events",
+    status: count > 0 ? "pass" : "fail",
+    message: count > 0 ? `raw.raw_events has ${count} rows` : "raw.raw_events is empty",
+    durationMs: Date.now() - start
+  };
+}
+async function checkGoTrue() {
+  const start = Date.now();
+  try {
+    const status = await httpGet("http://localhost:9999/health");
+    return {
+      check: "gotrue",
+      status: status >= 200 && status < 300 ? "pass" : "fail",
+      message: status >= 200 && status < 300 ? `GoTrue healthy (HTTP ${status})` : `GoTrue unhealthy (HTTP ${status})`,
+      durationMs: Date.now() - start
+    };
+  } catch (err) {
+    return {
+      check: "gotrue",
+      status: "fail",
+      message: `GoTrue unreachable: ${err instanceof Error ? err.message : err}`,
+      durationMs: Date.now() - start
+    };
+  }
+}
+async function runHealthGate() {
+  console.log("[health-gate] Running post-deploy health checks...\n");
+  const results = [];
+  results.push(checkPostgres());
+  results.push(checkRawEvents());
+  results.push(await checkCRM());
+  results.push(await checkGateway());
+  results.push(await checkGoTrue());
+  const passed = results.every((r) => r.status === "pass");
+  for (const r of results) {
+    const icon = r.status === "pass" ? "\u2713" : "\u2717";
+    const color = r.status === "pass" ? "\x1B[32m" : "\x1B[31m";
+    console.log(`  ${color}${icon}\x1B[0m ${r.check.padEnd(12)} ${r.message} (${r.durationMs}ms)`);
+  }
+  console.log("");
+  const result = {
+    passed,
+    results,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  return result;
+}
+function logResult(result) {
+  mkdirSync(path.dirname(DEPLOY_LOG), { recursive: true });
+  const line = JSON.stringify({
+    ...result,
+    type: "health_gate"
+  }) + "\n";
+  try {
+    appendFileSync(DEPLOY_LOG, line);
+    console.log(`[health-gate] Result logged to ${DEPLOY_LOG}`);
+  } catch (err) {
+    console.warn(`[health-gate] Failed to write deploy log: ${err instanceof Error ? err.message : err}`);
+  }
+}
+function restorePreDeployBackup() {
+  if (!existsSync(BACKUP_DIR)) return false;
+  const backups = readdirSync(BACKUP_DIR).filter((f) => f.startsWith("pg-pre-deploy-") && f.endsWith(".dump")).sort().reverse();
+  if (backups.length === 0) {
+    console.warn("[health-gate] No pre-deploy backup found to restore");
+    return false;
+  }
+  const latest = backups[0];
+  const filepath = path.join(BACKUP_DIR, latest);
+  const databaseUrl = process.env.DATABASE_URL || "postgres://exe@localhost:5432/exedb";
+  console.log(`[health-gate] Restoring pre-deploy backup: ${latest}`);
+  const result = spawnSync("pg_restore", ["-d", databaseUrl, "--clean", "--if-exists", filepath], {
+    encoding: "utf8",
+    stdio: ["pipe", "pipe", "pipe"],
+    timeout: 3e5
+  });
+  if (result.status !== 0) {
+    console.error(`[health-gate] pg_restore failed: ${result.stderr?.trim() || `exit ${result.status}`}`);
+    return false;
+  }
+  console.log("[health-gate] \u2713 Pre-deploy backup restored");
+  return true;
+}
+function httpGet(url) {
+  return new Promise((resolve, reject) => {
+    const req = http.request(url, { method: "GET", timeout: 1e4 }, (res) => {
+      res.resume();
+      resolve(res.statusCode ?? 0);
+    });
+    req.on("timeout", () => req.destroy(new Error("timeout")));
+    req.on("error", reject);
+    req.end();
+  });
+}
+async function main(args) {
+  if (args.includes("--help") || args.includes("-h")) {
+    console.log(`
+  exe-os vps-health-gate \u2014 Post-deploy health checks
+
+  Runs 5 checks: Postgres, raw_events, CRM, Gateway, GoTrue.
+  If any check fails, triggers rollback and exits with code 1.
+
+  Usage:
+    exe-os vps-health-gate              Run health gate
+    exe-os vps-health-gate --check-only Run checks without rollback on failure
+`);
+    return;
+  }
+  const checkOnly = args.includes("--check-only");
+  const result = await runHealthGate();
+  logResult(result);
+  if (result.passed) {
+    console.log("[health-gate] \u2713 All checks passed \u2014 deploy is healthy");
+    return;
+  }
+  const failed = result.results.filter((r) => r.status === "fail");
+  console.error(`[health-gate] \u2717 ${failed.length} check(s) failed`);
+  if (checkOnly) {
+    process.exitCode = 1;
+    return;
+  }
+  console.log("[health-gate] Starting rollback...");
+  restorePreDeployBackup();
+  try {
+    const { rollbackStackUpdate, defaultStackPaths } = await import("./stack-update-JF7F56AS.js");
+    const paths = defaultStackPaths();
+    await rollbackStackUpdate({
+      manifestRef: paths.manifestRef,
+      composeFile: paths.composeFile,
+      envFile: paths.envFile
+    });
+    console.log("[health-gate] \u2713 Stack rolled back to previous version");
+  } catch (err) {
+    console.error(`[health-gate] Stack rollback failed: ${err instanceof Error ? err.message : err}`);
+  }
+  process.exitCode = 1;
+}
+
+export {
+  checkCRM,
+  checkGateway,
+  checkPostgres,
+  checkRawEvents,
+  checkGoTrue,
+  runHealthGate,
+  logResult,
+  main
+};

package/dist/chunk-MEP7OUVZ.js

@@ -0,0 +1,181 @@
+import {
+  getClient
+} from "./chunk-WUKHLCBE.js";
+import {
+  loadConfig
+} from "./chunk-R36FAN53.js";
+
+// src/lib/reminders.ts
+import crypto from "crypto";
+async function getCloudConfig() {
+  try {
+    const config = await loadConfig();
+    if (config.cloud?.apiKey && config.cloud?.endpoint) {
+      return { apiKey: config.cloud.apiKey, endpoint: config.cloud.endpoint };
+    }
+  } catch {
+  }
+  return null;
+}
+function apiBaseUrl(cloud) {
+  try {
+    const url = new URL(cloud.endpoint);
+    if (url.hostname.startsWith("sync.")) {
+      url.hostname = url.hostname.replace(/^sync\./, "api.");
+      return url.origin;
+    }
+  } catch {
+  }
+  return "https://api.askexe.com";
+}
+async function cloudPushReminder(cloud, text, dueDate) {
+  try {
+    const base = apiBaseUrl(cloud);
+    await fetch(`${base}/v1/reminders`, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${cloud.apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ text, due_date: dueDate })
+    });
+  } catch (err) {
+    process.stderr.write(`[reminders] cloud push failed: ${err instanceof Error ? err.message : String(err)}
+`);
+  }
+}
+async function cloudFetchReminders(cloud) {
+  try {
+    const base = apiBaseUrl(cloud);
+    const res = await fetch(`${base}/v1/reminders`, {
+      method: "GET",
+      headers: {
+        "Authorization": `Bearer ${cloud.apiKey}`
+      }
+    });
+    if (!res.ok) return [];
+    const data = await res.json();
+    if (!Array.isArray(data.items)) return [];
+    return data.items.map((r) => ({
+      id: r.id,
+      text: r.text,
+      createdAt: r.created_at,
+      dueDate: r.due_date,
+      completedAt: r.completed_at,
+      source: "cloud"
+    }));
+  } catch (err) {
+    process.stderr.write(`[reminders] cloud fetch failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return [];
+  }
+}
+async function cloudDeleteReminder(cloud, id) {
+  try {
+    const base = apiBaseUrl(cloud);
+    await fetch(`${base}/v1/reminders/${encodeURIComponent(id)}`, {
+      method: "DELETE",
+      headers: {
+        "Authorization": `Bearer ${cloud.apiKey}`
+      }
+    });
+  } catch (err) {
+    process.stderr.write(`[reminders] cloud delete failed: ${err instanceof Error ? err.message : String(err)}
+`);
+  }
+}
+function dedup(local, cloud) {
+  const localKeys = /* @__PURE__ */ new Set();
+  for (const r of local) {
+    localKeys.add(`${r.text.trim().toLowerCase()}|${r.dueDate ?? ""}`);
+  }
+  const merged = local.map((r) => ({ ...r, source: "local" }));
+  for (const r of cloud) {
+    const key = `${r.text.trim().toLowerCase()}|${r.dueDate ?? ""}`;
+    if (localKeys.has(key)) {
+      const existing = merged.find(
+        (m) => m.text.trim().toLowerCase() === r.text.trim().toLowerCase() && (m.dueDate ?? "") === (r.dueDate ?? "")
+      );
+      if (existing) existing.source = "both";
+    } else {
+      merged.push({ ...r, source: "cloud" });
+    }
+  }
+  return merged;
+}
+async function createReminder(text, dueDate) {
+  const client = getClient();
+  const id = crypto.randomUUID();
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await client.execute({
+    sql: `INSERT INTO reminders (id, text, created_at, due_date) VALUES (?, ?, ?, ?)`,
+    args: [id, text, now, dueDate ?? null]
+  });
+  const cloud = await getCloudConfig();
+  if (cloud) {
+    cloudPushReminder(cloud, text, dueDate ?? null).catch(() => {
+    });
+  }
+  return { id, text, createdAt: now, dueDate: dueDate ?? null, completedAt: null };
+}
+async function listReminders(includeCompleted = false) {
+  const client = getClient();
+  const sql = includeCompleted ? `SELECT id, text, created_at, due_date, completed_at FROM reminders ORDER BY due_date ASC NULLS LAST LIMIT 500` : `SELECT id, text, created_at, due_date, completed_at FROM reminders WHERE completed_at IS NULL ORDER BY due_date ASC NULLS LAST LIMIT 500`;
+  const result = await client.execute(sql);
+  const local = result.rows.map((row) => ({
+    id: String(row.id),
+    text: String(row.text),
+    createdAt: String(row.created_at),
+    dueDate: row.due_date ? String(row.due_date) : null,
+    completedAt: row.completed_at ? String(row.completed_at) : null
+  }));
+  const cloud = await getCloudConfig();
+  if (cloud) {
+    const cloudReminders = await cloudFetchReminders(cloud);
+    return dedup(local, cloudReminders);
+  }
+  return local;
+}
+async function completeReminder(idOrText) {
+  const client = getClient();
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  let result = await client.execute({
+    sql: `SELECT id, text FROM reminders WHERE id = ? AND completed_at IS NULL`,
+    args: [idOrText]
+  });
+  if (result.rows.length === 0) {
+    result = await client.execute({
+      sql: `SELECT id, text FROM reminders WHERE completed_at IS NULL AND text LIKE '%' || ? || '%' LIMIT 1`,
+      args: [idOrText]
+    });
+  }
+  if (result.rows.length === 0) return null;
+  const row = result.rows[0];
+  const id = String(row.id);
+  const text = String(row.text);
+  await client.execute({
+    sql: `UPDATE reminders SET completed_at = ? WHERE id = ?`,
+    args: [now, id]
+  });
+  const cloud = await getCloudConfig();
+  if (cloud) {
+    cloudDeleteReminder(cloud, id).catch(() => {
+    });
+    cloudFetchReminders(cloud).then((cloudReminders) => {
+      for (const cr of cloudReminders) {
+        if (cr.text.trim().toLowerCase() === text.trim().toLowerCase()) {
+          cloudDeleteReminder(cloud, cr.id).catch(() => {
+          });
+        }
+      }
+    }).catch(() => {
+    });
+  }
+  return { id, text, createdAt: "", dueDate: null, completedAt: now };
+}
+
+export {
+  createReminder,
+  listReminders,
+  completeReminder
+};

package/dist/chunk-MN2B2LKS.js

@@ -0,0 +1,240 @@
+import {
+  getClient,
+  isCoordinatorName,
+  loadEmployeesSync
+} from "./chunk-WUKHLCBE.js";
+
+// src/lib/steward-gate.ts
+import crypto from "crypto";
+var ROLE_PERMISSIONS = {
+  coordinator: /* @__PURE__ */ new Set([
+    "close_task",
+    "cancel_task",
+    "merge_entities",
+    "purge_document",
+    "deactivate_behavior",
+    "override"
+  ]),
+  manager: /* @__PURE__ */ new Set([
+    "close_task",
+    // their team only — enforced contextually
+    "deactivate_behavior"
+    // their team's behaviors
+  ]),
+  specialist: /* @__PURE__ */ new Set([
+    "deactivate_behavior_own",
+    // own behaviors only
+    "delete_own_memory"
+  ])
+};
+var UNIVERSAL_OPS = /* @__PURE__ */ new Set([
+  "update_own_task",
+  "store_memory",
+  "store_behavior"
+]);
+var MANAGER_ROLES = /* @__PURE__ */ new Set(["CTO", "CMO"]);
+var StewardGate = class {
+  /**
+   * Check whether an agent has authority for a destructive operation.
+   */
+  async checkAuthority(agent, operation, target) {
+    const role = await this.resolveRole(agent);
+    if (UNIVERSAL_OPS.has(operation)) {
+      const decision2 = {
+        allowed: true,
+        reason: `Operation "${operation}" is universally permitted.`,
+        confidence: 1,
+        requires_override: false
+      };
+      await this.logDecision(agent, operation, target, decision2);
+      return decision2;
+    }
+    const permissions = ROLE_PERMISSIONS[role];
+    let allowed = permissions.has(operation);
+    let reason;
+    if (!allowed && role === "specialist" && operation === "deactivate_behavior") {
+      const isOwn = await this.isOwnBehavior(agent, target);
+      if (isOwn) {
+        allowed = true;
+        reason = `Specialist "${agent}" can deactivate their own behavior.`;
+      } else {
+        reason = `Specialist "${agent}" cannot deactivate behaviors belonging to other agents.`;
+      }
+    } else if (allowed) {
+      reason = `Role "${role}" has authority for "${operation}".`;
+    } else {
+      reason = `Role "${role}" does not have authority for "${operation}". Requires coordinator override.`;
+    }
+    let requiresOverride = !allowed;
+    let confidence = allowed ? 0.95 : 0.9;
+    try {
+      const dreamingPath = "./dreaming.js";
+      const dreaming = await import(
+        /* @vite-ignore */
+        dreamingPath
+      );
+      if (typeof dreaming.calculateDrift === "function") {
+        const driftScore = await dreaming.calculateDrift(agent);
+        if (typeof driftScore === "number" && driftScore > 0.8) {
+          requiresOverride = true;
+          confidence = Math.max(0.5, confidence - 0.3);
+          reason += ` (\u26A0\uFE0F High drift score: ${driftScore.toFixed(2)} \u2014 requires override.)`;
+        }
+      }
+    } catch {
+    }
+    const decision = {
+      allowed: allowed && !requiresOverride,
+      reason,
+      confidence,
+      requires_override: requiresOverride
+    };
+    await this.logDecision(agent, operation, target, decision);
+    return decision;
+  }
+  /**
+   * Record an explicit coordinator override that bypasses the gate.
+   */
+  async override(agent, operation, target, reason) {
+    const role = await this.resolveRole(agent);
+    if (role !== "coordinator") {
+      const decision2 = {
+        allowed: false,
+        reason: `Only coordinators can issue overrides. "${agent}" is a ${role}.`,
+        confidence: 1,
+        requires_override: false
+      };
+      await this.logDecision(agent, `override:${operation}`, target, decision2);
+      return decision2;
+    }
+    const decision = {
+      allowed: true,
+      reason: `Coordinator override: ${reason}`,
+      confidence: 1,
+      requires_override: false
+    };
+    await this.logDecision(agent, `override:${operation}`, target, decision);
+    return decision;
+  }
+  /**
+   * Query the audit trail.
+   */
+  async getAuditLog(opts) {
+    await this.ensureAuditTable();
+    const client = getClient();
+    const conditions = [];
+    const args = [];
+    if (opts?.agent) {
+      conditions.push("agent = ?");
+      args.push(opts.agent);
+    }
+    if (opts?.operation) {
+      conditions.push("operation = ?");
+      args.push(opts.operation);
+    }
+    const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+    const limit = opts?.limit ?? 50;
+    const result = await client.execute({
+      sql: `SELECT * FROM steward_audit ${where} ORDER BY created_at DESC LIMIT ?`,
+      args: [...args, limit]
+    });
+    return result.rows.map((row) => ({
+      id: String(row.id),
+      agent: String(row.agent),
+      operation: String(row.operation),
+      target: String(row.target),
+      decision: {
+        allowed: Number(row.allowed) === 1,
+        reason: String(row.reason),
+        confidence: Number(row.confidence),
+        requires_override: Number(row.requires_override) === 1
+      },
+      timestamp: String(row.created_at)
+    }));
+  }
+  // -------------------------------------------------------------------------
+  // Internal methods
+  // -------------------------------------------------------------------------
+  /**
+   * Resolve an agent name to a role category.
+   */
+  async resolveRole(agent) {
+    if (isCoordinatorName(agent)) return "coordinator";
+    try {
+      const employees = loadEmployeesSync();
+      const employee = employees.find((e) => e.name === agent);
+      if (employee && MANAGER_ROLES.has(employee.role)) return "manager";
+    } catch {
+    }
+    return "specialist";
+  }
+  /**
+   * Check if a behavior belongs to the given agent.
+   */
+  async isOwnBehavior(agent, behaviorId) {
+    try {
+      const client = getClient();
+      const result = await client.execute({
+        sql: "SELECT agent_id FROM behaviors WHERE id = ? LIMIT 1",
+        args: [behaviorId]
+      });
+      if (result.rows.length === 0) return false;
+      return String(result.rows[0].agent_id) === agent;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Ensure the steward_audit table exists.
+   */
+  async ensureAuditTable() {
+    const client = getClient();
+    await client.execute({
+      sql: `CREATE TABLE IF NOT EXISTS steward_audit (
+        id                TEXT PRIMARY KEY,
+        agent             TEXT NOT NULL,
+        operation         TEXT NOT NULL,
+        target            TEXT NOT NULL,
+        allowed           INTEGER NOT NULL,
+        reason            TEXT NOT NULL,
+        confidence        REAL NOT NULL,
+        requires_override INTEGER NOT NULL DEFAULT 0,
+        created_at        TEXT NOT NULL
+      )`,
+      args: []
+    });
+  }
+  /**
+   * Log a gate decision to the audit trail.
+   */
+  async logDecision(agent, operation, target, decision) {
+    try {
+      await this.ensureAuditTable();
+      const client = getClient();
+      await client.execute({
+        sql: `INSERT INTO steward_audit (id, agent, operation, target, allowed, reason, confidence, requires_override, created_at)
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        args: [
+          crypto.randomUUID(),
+          agent,
+          operation,
+          target,
+          decision.allowed ? 1 : 0,
+          decision.reason,
+          decision.confidence,
+          decision.requires_override ? 1 : 0,
+          (/* @__PURE__ */ new Date()).toISOString()
+        ]
+      });
+    } catch {
+      process.stderr.write(
+        `[steward-gate] Audit log write failed for ${agent}:${operation}
+`
+      );
+    }
+  }
+};
+
+export {
+  StewardGate
+};