npm - @askexenow/exe-os - Versions diffs - 0.9.297 → 0.9.298 - Mend

@askexenow/exe-os 0.9.297 → 0.9.298

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/deploy/compose/.env.customer.example +6 -1
package/deploy/compose/.env.example +6 -1
package/deploy/compose/docker-compose.yml +24 -5
package/deploy/compose/generate-env.ts +20 -2
package/deploy/compose/setup.sh +10 -1
package/dist/active-agent-3JXJQ2GZ.js +27 -0
package/dist/active-agent-XK54VI3S.js +28 -0
package/dist/agentic-ontology-BPJOT2H2.js +25 -0
package/dist/backfill-metadata-OTLLYTX4.js +600 -0
package/dist/behaviors-BGEUHF7D.js +46 -0
package/dist/bin/agentic-ontology-backfill.js +5 -5
package/dist/bin/agentic-reflection-backfill.js +6 -6
package/dist/bin/agentic-semantic-label.js +5 -5
package/dist/bin/backfill-conversations.js +4 -4
package/dist/bin/backfill-responses.js +4 -4
package/dist/bin/backfill-vectors.js +5 -5
package/dist/bin/bulk-sync-postgres.js +7 -7
package/dist/bin/cc-doctor.js +5 -4
package/dist/bin/cleanup-stale-review-tasks.js +9 -9
package/dist/bin/cli.js +15 -15
package/dist/bin/exe-agent-config.js +2 -2
package/dist/bin/exe-agent.js +13 -13
package/dist/bin/exe-assign.js +5 -5
package/dist/bin/exe-boot.js +32 -17
package/dist/bin/exe-call.js +4 -4
package/dist/bin/exe-cloud.js +7 -7
package/dist/bin/exe-dispatch.js +9 -9
package/dist/bin/exe-doctor.js +2 -2
package/dist/bin/exe-export-behaviors.js +7 -7
package/dist/bin/exe-forget.js +6 -6
package/dist/bin/exe-gateway.js +7 -7
package/dist/bin/exe-healthcheck.js +5 -4
package/dist/bin/exe-heartbeat.js +9 -9
package/dist/bin/exe-kill.js +12 -12
package/dist/bin/exe-launch-agent.js +25 -16
package/dist/bin/exe-new-employee.js +6 -6
package/dist/bin/exe-pending-messages.js +10 -10
package/dist/bin/exe-pending-notifications.js +9 -9
package/dist/bin/exe-pending-reviews.js +9 -9
package/dist/bin/exe-rename.js +4 -4
package/dist/bin/exe-review.js +11 -11
package/dist/bin/exe-search.js +5 -5
package/dist/bin/exe-session-cleanup.js +14 -14
package/dist/bin/exe-settings.js +8 -8
package/dist/bin/exe-start-codex.js +11 -11
package/dist/bin/exe-start-opencode.js +8 -8
package/dist/bin/exe-status.js +10 -10
package/dist/bin/exe-team.js +3 -3
package/dist/bin/git-sweep.js +10 -10
package/dist/bin/graph-backfill.js +4 -4
package/dist/bin/graph-export.js +5 -5
package/dist/bin/import-history.js +7 -7
package/dist/bin/install-launchd.js +10 -124
package/dist/bin/install.js +21 -12
package/dist/bin/intercom-check.js +4 -4
package/dist/bin/mcp-sessions.js +2 -2
package/dist/bin/orchestration-metrics.js +4 -4
package/dist/bin/postgres-agentic-reflection-backfill.js +2 -2
package/dist/bin/postgres-agentic-semantic-backfill.js +1 -1
package/dist/bin/scan-tasks.js +9 -9
package/dist/bin/setup.js +1 -1
package/dist/bin/shard-migrate.js +4 -4
package/dist/bin/stack-update.js +27 -3
package/dist/capability-cards-KR7BOS2H.js +89 -0
package/dist/capacity-monitor-CQFYTU45.js +51 -0
package/dist/catchup-brief-HNT2CYJQ.js +175 -0
package/dist/cc-binary-detect-4B25R3TO.js +15 -0
package/dist/chunk-2DQIQXHX.js +204 -0
package/dist/chunk-2DWYR2LJ.js +395 -0
package/dist/chunk-2MSLUPJA.js +70 -0
package/dist/chunk-2P5KBHJH.js +362 -0
package/dist/chunk-2QGG6GG3.js +4388 -0
package/dist/chunk-2XR6OX3M.js +181 -0
package/dist/chunk-3REXR56D.js +98 -0
package/dist/chunk-4FEZF2HJ.js +184 -0
package/dist/chunk-54PQ35JV.js +244 -0
package/dist/chunk-5ALR7GCX.js +33 -0
package/dist/chunk-5GJ5MHC3.js +1094 -0
package/dist/chunk-5IIJUSVD.js +240 -0
package/dist/chunk-5XM7CTLK.js +199 -0
package/dist/chunk-6GQMQJE2.js +331 -0
package/dist/chunk-7C4K7HSF.js +262 -0
package/dist/chunk-AAFTYJ5R.js +185 -0
package/dist/chunk-ANIZN35L.js +284 -0
package/dist/chunk-AOXVDJ7W.js +150 -0
package/dist/chunk-AR3HN5SA.js +76 -0
package/dist/chunk-BFFM7FF4.js +214 -0
package/dist/chunk-CVJYNRYF.js +50 -0
package/dist/chunk-CXEY5CE2.js +81 -0
package/dist/chunk-CY4IRJ2I.js +381 -0
package/dist/chunk-DBNTPP7Q.js +1079 -0
package/dist/chunk-DTLYO26W.js +402 -0
package/dist/chunk-EESPF5VS.js +1350 -0
package/dist/chunk-EN4D3BCA.js +2135 -0
package/dist/chunk-EYDBWKYI.js +304 -0
package/dist/chunk-FCSS3YHS.js +348 -0
package/dist/chunk-G4VSF4DA.js +630 -0
package/dist/chunk-GEF6EHCW.js +197 -0
package/dist/chunk-GXDV35ZN.js +735 -0
package/dist/chunk-HJWT6TFU.js +97 -0
package/dist/chunk-HQD3IPZA.js +14597 -0
package/dist/chunk-I3IW6AAX.js +3342 -0
package/dist/chunk-I4JYP7CK.js +535 -0
package/dist/chunk-J2VWNIYC.js +167 -0
package/dist/chunk-JK5OLEM6.js +227 -0
package/dist/chunk-JVMP77TZ.js +1186 -0
package/dist/chunk-KJ5DAVIP.js +122 -0
package/dist/chunk-KPP2AYJV.js +333 -0
package/dist/chunk-L2WWAOQF.js +455 -0
package/dist/chunk-L3STXXCO.js +731 -0
package/dist/chunk-LMX434DW.js +38 -0
package/dist/chunk-LP4NNUZN.js +58 -0
package/dist/chunk-MN7Q23PF.js +157 -0
package/dist/chunk-O4QLYWMC.js +668 -0
package/dist/chunk-OP5W524C.js +85 -0
package/dist/chunk-OQ336FHE.js +836 -0
package/dist/chunk-P7WAPK6X.js +54 -0
package/dist/chunk-PLM4JJHE.js +128 -0
package/dist/chunk-POTMDICN.js +1352 -0
package/dist/chunk-POZYABJT.js +567 -0
package/dist/chunk-PQG2IQNN.js +280 -0
package/dist/chunk-PUGKVPCC.js +210 -0
package/dist/chunk-QE6AI57N.js +1158 -0
package/dist/chunk-QNCZDDVW.js +448 -0
package/dist/chunk-QZIYE2QV.js +456 -0
package/dist/chunk-RXOHALES.js +345 -0
package/dist/chunk-SGUSCL3H.js +129 -0
package/dist/chunk-SWOGQD57.js +85 -0
package/dist/chunk-SZLIO4SL.js +128 -0
package/dist/chunk-T2USDSC2.js +221 -0
package/dist/chunk-UKE7MZVO.js +382 -0
package/dist/chunk-VSRJPOZD.js +290 -0
package/dist/chunk-WCQ3Y5LB.js +2162 -0
package/dist/chunk-WHBT6M3P.js +30 -0
package/dist/chunk-WR6ANODF.js +57 -0
package/dist/chunk-X7ADWEZ7.js +171 -0
package/dist/chunk-Y4QZXMCD.js +123 -0
package/dist/chunk-Y4WA4CUW.js +377 -0
package/dist/chunk-YUOUHUAJ.js +127 -0
package/dist/chunk-YXC3OWWW.js +128 -0
package/dist/co-activation-EN7HT734.js +74 -0
package/dist/co-occurrence-TRPHUCSC.js +95 -0
package/dist/core-memory-TVMGLIJ7.js +110 -0
package/dist/crdt-sync-WOMERQIS.js +33 -0
package/dist/crm-webhook-Q5Z74FDJ.js +10 -0
package/dist/cto-delegation-gate-NEMNMLXB.js +280 -0
package/dist/daemon-orchestration-RYDUCL24.js +143 -0
package/dist/db-backup-Z3E3LHZK.js +43 -0
package/dist/doc-graph-extractor-TSCKGSB5.js +133 -0
package/dist/dreaming-42LRG6AO.js +34 -0
package/dist/exe-drift-SJ6OTCQV.js +70 -0
package/dist/exe-export-SRDDONTU.js +77 -0
package/dist/exe-import-PWHXRFLN.js +80 -0
package/dist/exe-key-GH6ITI5C.js +673 -0
package/dist/exe-snapshot-RVLH5PJZ.js +338 -0
package/dist/fast-db-init-CM4XPET2.js +7 -0
package/dist/gateway/index.js +14 -14
package/dist/git-staleness-7EFCUGT2.js +112 -0
package/dist/git-task-sweep-6DR24G3Y.js +42 -0
package/dist/global-procedures-NXLOLU7Y.js +22 -0
package/dist/graph-auto-extract-5F3PLBCK.js +183 -0
package/dist/hooks/bug-report-worker.js +11 -11
package/dist/hooks/codex-stop-task-finalizer.js +11 -11
package/dist/hooks/commit-complete.js +11 -11
package/dist/hooks/error-recall.js +10 -7
package/dist/hooks/exe-heartbeat-hook.js +3 -3
package/dist/hooks/ingest.js +6 -6
package/dist/hooks/instructions-loaded.js +4 -4
package/dist/hooks/manifest.json +19 -19
package/dist/hooks/notification.js +4 -4
package/dist/hooks/post-compact.js +10 -10
package/dist/hooks/post-tool-combined.js +5 -5
package/dist/hooks/pre-compact.js +11 -11
package/dist/hooks/pre-tool-use.js +14 -14
package/dist/hooks/prompt-submit.js +26 -22
package/dist/hooks/session-end.js +15 -15
package/dist/hooks/session-start.js +12 -12
package/dist/hooks/stop.js +14 -14
package/dist/hooks/subagent-stop.js +10 -10
package/dist/hooks/summary-worker.js +14 -14
package/dist/index.js +19 -19
package/dist/installer-5WBAZKSI.js +344 -0
package/dist/installer-ENK2QYTC.js +298 -0
package/dist/installer-TUO7KCRN.js +40 -0
package/dist/lib/cloud-sync.js +7 -7
package/dist/lib/consolidation.js +5 -5
package/dist/lib/database.js +4 -2
package/dist/lib/db-read-worker-client.js +121 -0
package/dist/lib/db-read-worker.js +73 -0
package/dist/lib/db.js +4 -2
package/dist/lib/employee-templates.js +4 -4
package/dist/lib/employees.js +2 -2
package/dist/lib/exe-daemon.js +110 -87
package/dist/lib/hybrid-search.js +5 -5
package/dist/lib/identity.js +2 -2
package/dist/lib/messaging.js +9 -9
package/dist/lib/reminders.js +3 -3
package/dist/lib/schedules.js +5 -5
package/dist/lib/session-registry.js +4 -4
package/dist/lib/skill-learning.js +6 -6
package/dist/lib/store.js +4 -4
package/dist/lib/task-router.js +3 -3
package/dist/lib/tasks.js +10 -10
package/dist/lib/tmux-routing.js +8 -8
package/dist/lib/token-spend.js +3 -3
package/dist/mcp/register-tools.js +56 -55
package/dist/mcp/server.js +58 -57
package/dist/mcp/tools/complete-reminder.js +4 -4
package/dist/mcp/tools/create-reminder.js +4 -4
package/dist/mcp/tools/create-task.js +12 -12
package/dist/mcp/tools/deactivate-behavior.js +7 -7
package/dist/mcp/tools/list-reminders.js +4 -4
package/dist/mcp/tools/list-tasks.js +12 -12
package/dist/mcp/tools/send-message.js +11 -11
package/dist/mcp/tools/update-task.js +11 -11
package/dist/mcp-http-config-FA6LWCTD.js +31 -0
package/dist/memory-cards-4QRWCJ54.js +180 -0
package/dist/memory-graph-extractor-HCS4XTQK.js +22 -0
package/dist/memory-poisoning-defense-7I4LY4VL.js +224 -0
package/dist/memory-reflection-ZSSO6RFR.js +244 -0
package/dist/notifications-VQJCTOMC.js +47 -0
package/dist/orchestration-events-UFRQWTRS.js +27 -0
package/dist/orchestrator-ZSSTRMDC.js +35 -0
package/dist/pipeline-router-U7WWUVKV.js +15 -0
package/dist/plan-limits-KVFTHSQU.js +28 -0
package/dist/project-boot-KOGUVIQ4.js +299 -0
package/dist/projection-worker-OMUSXRHO.js +1084 -0
package/dist/prospective-memory-PC72YWLY.js +232 -0
package/dist/reranker-E3MOR2MC.js +19 -0
package/dist/retrieval-health-OEHPZH65.js +12 -0
package/dist/review-polling-4GWZSSSQ.js +126 -0
package/dist/runtime/index.js +11 -11
package/dist/session-events-A3L5KUHB.js +38 -0
package/dist/session-kill-telemetry-UFJY57N2.js +31 -0
package/dist/session-scope-5MT6U7CR.js +88 -0
package/dist/setup-wizard-NZE2I7M5.js +12 -0
package/dist/skill-refinement-Q6USTB35.js +159 -0
package/dist/steward-gate-XOYAMKNY.js +15 -0
package/dist/task-enforcement-MQ4TKLAN.js +506 -0
package/dist/task-scope-AWFGZWPM.js +37 -0
package/dist/tasks-crud-LMPAYXKS.js +79 -0
package/dist/tasks-notify-6DZOY3MH.js +40 -0
package/dist/tasks-review-TMBMXNUJ.js +49 -0
package/dist/telemetry-upload-C2PKRA26.js +741 -0
package/dist/token-budget-HOOQPFKR.js +86 -0
package/dist/tool-telemetry-EJVBIKOS.js +17 -0
package/dist/tui/App.js +16 -16
package/dist/tui-data-6HIDQFN7.js +260 -0
package/dist/wiki-acl-DOBVII5N.js +111 -0
package/dist/worker-gate-ZH5PK25Z.js +21 -0
package/dist/workflow-engine-SGU6WUWF.js +28 -0
package/dist/worktree-NRQVJ2M4.js +28 -0
package/dist/worktree-sweep-FBEHEPZO.js +21 -0
package/package.json +1 -1
package/release-notes.json +15 -15

package/deploy/compose/.env.customer.example CHANGED Viewed

@@ -20,10 +20,15 @@ REDIS_PASSWORD=CHANGEME_REDIS_PASSWORD
 # --- GoTrue (shared auth) ---
 GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET
 GOTRUE_API_PORT=9999
-GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN
+# Bug dc99d78e: SITE_URL = auth gateway (not crm) so email links + GoTrue's
+# default redirect honor the originating product's ?redirect= via SPA /confirm.
+GOTRUE_SITE_URL=https://auth.CHANGEME_DOMAIN
 GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN
 # SSO redirect allow-list (bug 66f8e10a) — app origins for unified SSO.
 GOTRUE_URI_ALLOW_LIST=https://crm.CHANGEME_DOMAIN,https://wiki.CHANGEME_DOMAIN,https://erp.CHANGEME_DOMAIN
+# Bug 0327b017: parent-domain session cookie → shared across all subdomains.
+GOTRUE_COOKIE_DOMAIN=.CHANGEME_DOMAIN
+GOTRUE_COOKIE_KEY=exe-auth
 GOTRUE_DISABLE_SIGNUP=true
 GOTRUE_MAILER_AUTOCONFIRM=false
 # Auth-email From address — customer domain, not askexe.com (bug 133c9d5b).

package/deploy/compose/.env.example CHANGED Viewed

@@ -46,10 +46,15 @@ BACKUP_RETENTION_DAYS=7
 # --- GoTrue (shared auth) ---
 GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET
 GOTRUE_API_PORT=9999
-GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN
+# Bug dc99d78e: SITE_URL = auth gateway (not crm) so email links + GoTrue's
+# default redirect honor the originating product's ?redirect= via SPA /confirm.
+GOTRUE_SITE_URL=https://auth.CHANGEME_DOMAIN
 GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN
 # SSO redirect allow-list (bug 66f8e10a) — app origins for unified SSO.
 GOTRUE_URI_ALLOW_LIST=https://crm.CHANGEME_DOMAIN,https://wiki.CHANGEME_DOMAIN,https://erp.CHANGEME_DOMAIN
+# Bug 0327b017: parent-domain session cookie → shared across all subdomains.
+GOTRUE_COOKIE_DOMAIN=.CHANGEME_DOMAIN
+GOTRUE_COOKIE_KEY=exe-auth
 GOTRUE_DISABLE_SIGNUP=true
 GOTRUE_MAILER_AUTOCONFIRM=false
 # From address for auth emails — customer domain, not askexe.com (bug 133c9d5b).

package/deploy/compose/docker-compose.yml CHANGED Viewed

@@ -159,15 +159,34 @@ services:
       GOTRUE_DB_DRIVER: postgres
       GOTRUE_DB_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?sslmode=disable&search_path=auth
       # Bug ae113b23: never fall back to a hardcoded domain here.
-      # GOTRUE_SITE_URL must be set in .env by generate-env.ts (uses crm.${DOMAIN})
-      # or by the operator. An empty/missing value is intentionally rejected at
-      # runtime so misconfigured stacks fail loudly rather than silently redirect
-      # auth flows to crm.askexe.com.
-      GOTRUE_SITE_URL: ${GOTRUE_SITE_URL:?GOTRUE_SITE_URL is required — set to https://crm.<your-domain> in .env}
+      # GOTRUE_SITE_URL must be set in .env by generate-env.ts. An empty/missing
+      # value is intentionally rejected at runtime so misconfigured stacks fail
+      # loudly rather than silently redirect auth flows to crm.askexe.com.
+      #
+      # Bug dc99d78e: SITE_URL is now https://auth.<domain> (the auth gateway),
+      # NOT crm.<domain>. GoTrue builds email confirm/reset/magic-link URLs and
+      # its post-action default redirect against SITE_URL — pointing it at the
+      # auth gateway means those links land on the SPA's /confirm handler, which
+      # then honors the originating product's ?redirect= (allow-listed) instead
+      # of always bouncing to CRM. Per-product origins are authorized via
+      # GOTRUE_URI_ALLOW_LIST below, so ?redirect_to=https://wiki.<domain> works.
+      GOTRUE_SITE_URL: ${GOTRUE_SITE_URL:?GOTRUE_SITE_URL is required — set to https://auth.<your-domain> in .env}
       GOTRUE_URI_ALLOW_LIST: ${GOTRUE_URI_ALLOW_LIST:-}
+      # Bug 0327b017: scope the GoTrue session cookie to the PARENT apex domain
+      # (".<domain>", e.g. ".hygo.co") so the session is shared across the
+      # crm/wiki/erp/auth subdomains → true single sign-on. Without this the
+      # cookie defaults to the issuing host (auth.<domain>) and every other
+      # subdomain re-prompts for login. Templated from $DOMAIN — no hardcoding.
+      GOTRUE_COOKIE_KEY: ${GOTRUE_COOKIE_KEY:-exe-auth}
+      GOTRUE_COOKIE_DOMAIN: ${GOTRUE_COOKIE_DOMAIN:-.${DOMAIN}}
       GOTRUE_JWT_SECRET: ${GOTRUE_JWT_SECRET:?GOTRUE_JWT_SECRET is required}
       GOTRUE_JWT_EXP: ${GOTRUE_JWT_EXP:-3600}
       GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
+      # Bug 80a15e36: GoTrue defaults the JWT `aud` claim to an empty string
+      # unless GOTRUE_JWT_AUD is set. Apps (crm/wiki/erp) validating the audience
+      # reject empty-aud tokens. "authenticated" is GoTrue's standard audience and
+      # matches GOTRUE_JWT_DEFAULT_GROUP_NAME above.
+      GOTRUE_JWT_AUD: ${GOTRUE_JWT_AUD:-authenticated}
       # No hardcoded askexe.com fallback — GOTRUE_EXTERNAL_URL is set per-customer
       # in .env (https://auth.<domain>) and must be present (bug 47965144 class).
       API_EXTERNAL_URL: ${GOTRUE_EXTERNAL_URL:?GOTRUE_EXTERNAL_URL is required — set to https://auth.<your-domain> in .env}

package/deploy/compose/generate-env.ts CHANGED Viewed

@@ -74,11 +74,22 @@ export function generateEnv(options: GenerateEnvOptions): string {
     "# --- GoTrue (shared auth) ---",
     `GOTRUE_JWT_SECRET=${randomSecret(RANDOM_SECRET_48)}`,
     "GOTRUE_API_PORT=9999",
-    `GOTRUE_SITE_URL=https://crm.${normalizedDomain}`,
+    "# Bug dc99d78e: SITE_URL points at the auth gateway (not crm). GoTrue builds",
+    "# email confirm/reset links + its post-action default redirect against",
+    "# SITE_URL; landing on auth.<domain>/confirm lets the SPA honor the",
+    "# originating product's ?redirect= (allow-listed) instead of forcing CRM.",
+    `GOTRUE_SITE_URL=https://auth.${normalizedDomain}`,
     `GOTRUE_EXTERNAL_URL=https://auth.${normalizedDomain}`,
     "# SSO redirect allow-list (bug 66f8e10a): app origins the gateway may bounce",
     "# users back to via ?redirect=. Required for unified SSO across crm/wiki/erp.",
     `GOTRUE_URI_ALLOW_LIST=https://crm.${normalizedDomain},https://wiki.${normalizedDomain},https://erp.${normalizedDomain}`,
+    "# Bug 0327b017: scope the session cookie to the PARENT apex domain so it is",
+    "# shared across crm/wiki/erp/auth subdomains → true SSO (no re-login).",
+    `GOTRUE_COOKIE_DOMAIN=.${normalizedDomain}`,
+    "GOTRUE_COOKIE_KEY=exe-auth",
+    "# Bug 80a15e36: pin the JWT audience so issued tokens carry aud=authenticated",
+    "# (GoTrue defaults aud to empty); apps validating aud reject empty-aud tokens.",
+    "GOTRUE_JWT_AUD=authenticated",
     "GOTRUE_DISABLE_SIGNUP=true",
     "GOTRUE_MAILER_AUTOCONFIRM=false",
     "# Auth emails (confirm/reset/magic-link) send From this customer-domain",
@@ -250,10 +261,17 @@ export function generateExampleEnv(): string {
     "# --- GoTrue (shared auth) ---",
     "GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET",
     "GOTRUE_API_PORT=9999",
-    "GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN",
+    "# Bug dc99d78e: SITE_URL = auth gateway (not crm) so email links + default",
+    "# redirect honor the originating product's ?redirect= via the SPA /confirm.",
+    "GOTRUE_SITE_URL=https://auth.CHANGEME_DOMAIN",
     "GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN",
     "# SSO redirect allow-list (bug 66f8e10a) — app origins for unified SSO.",
     "GOTRUE_URI_ALLOW_LIST=https://crm.CHANGEME_DOMAIN,https://wiki.CHANGEME_DOMAIN,https://erp.CHANGEME_DOMAIN",
+    "# Bug 0327b017: parent-domain cookie → session shared across all subdomains.",
+    "GOTRUE_COOKIE_DOMAIN=.CHANGEME_DOMAIN",
+    "GOTRUE_COOKIE_KEY=exe-auth",
+    "# Bug 80a15e36: JWT audience pinned to authenticated (default is empty).",
+    "GOTRUE_JWT_AUD=authenticated",
     "GOTRUE_DISABLE_SIGNUP=true",
     "GOTRUE_MAILER_AUTOCONFIRM=false",
     "# From address for auth emails — customer domain, not askexe.com (bug 133c9d5b).",

package/deploy/compose/setup.sh CHANGED Viewed

@@ -64,8 +64,17 @@ CLICKHOUSE_USER=exe
 CLICKHOUSE_PASSWORD=$(gen 32)
 REDIS_PASSWORD=$(gen 32)
 GOTRUE_JWT_SECRET=$(gen 48)
-GOTRUE_SITE_URL=https://crm.${DOMAIN}
+# Bug dc99d78e: SITE_URL = auth gateway (not crm) so email links + GoTrue's
+# default redirect honor the originating product's ?redirect= via SPA /confirm.
+GOTRUE_SITE_URL=https://auth.${DOMAIN}
 GOTRUE_EXTERNAL_URL=https://auth.${DOMAIN}
+# SSO redirect allow-list (bug 66f8e10a): app origins the gateway may bounce
+# users back to via ?redirect=. Required for unified SSO across crm/wiki/erp.
+GOTRUE_URI_ALLOW_LIST=https://crm.${DOMAIN},https://wiki.${DOMAIN},https://erp.${DOMAIN}
+# Bug 0327b017: scope the session cookie to the PARENT apex domain so it is
+# shared across crm/wiki/erp/auth subdomains → true SSO (no re-login).
+GOTRUE_COOKIE_DOMAIN=.${DOMAIN}
+GOTRUE_COOKIE_KEY=exe-auth
 # Invite-only by default; never autoconfirm without an SMTP round-trip (bug 36c04fe3).
 # Configure SMTP_HOST below and keep MAILER_AUTOCONFIRM=false to verify email ownership.
 GOTRUE_DISABLE_SIGNUP=true

package/dist/active-agent-3JXJQ2GZ.js ADDED Viewed

@@ -0,0 +1,27 @@
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-AAFTYJ5R.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-I3IW6AAX.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-2DWYR2LJ.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-R36FAN53.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-XK54VI3S.js ADDED Viewed

@@ -0,0 +1,28 @@
+import "./chunk-SH45SJQW.js";
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-AAFTYJ5R.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-I3IW6AAX.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-2DWYR2LJ.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-R36FAN53.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/agentic-ontology-BPJOT2H2.js ADDED Viewed

@@ -0,0 +1,25 @@
+import {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+} from "./chunk-7C4K7HSF.js";
+import "./chunk-MLKGABMK.js";
+export {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+};