@askexenow/exe-os 0.9.297 → 0.9.299

package/deploy/compose/.env.customer.example

@@ -20,10 +20,15 @@ REDIS_PASSWORD=CHANGEME_REDIS_PASSWORD
 # --- GoTrue (shared auth) ---
 GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET
 GOTRUE_API_PORT=9999
-GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN
+# Bug dc99d78e: SITE_URL = auth gateway (not crm) so email links + GoTrue's
+# default redirect honor the originating product's ?redirect= via SPA /confirm.
+GOTRUE_SITE_URL=https://auth.CHANGEME_DOMAIN
 GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN
 # SSO redirect allow-list (bug 66f8e10a) — app origins for unified SSO.
 GOTRUE_URI_ALLOW_LIST=https://crm.CHANGEME_DOMAIN,https://wiki.CHANGEME_DOMAIN,https://erp.CHANGEME_DOMAIN
+# Bug 0327b017: parent-domain session cookie → shared across all subdomains.
+GOTRUE_COOKIE_DOMAIN=.CHANGEME_DOMAIN
+GOTRUE_COOKIE_KEY=exe-auth
 GOTRUE_DISABLE_SIGNUP=true
 GOTRUE_MAILER_AUTOCONFIRM=false
 # Auth-email From address — customer domain, not askexe.com (bug 133c9d5b).

package/deploy/compose/.env.example

@@ -46,10 +46,15 @@ BACKUP_RETENTION_DAYS=7
 # --- GoTrue (shared auth) ---
 GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET
 GOTRUE_API_PORT=9999
-GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN
+# Bug dc99d78e: SITE_URL = auth gateway (not crm) so email links + GoTrue's
+# default redirect honor the originating product's ?redirect= via SPA /confirm.
+GOTRUE_SITE_URL=https://auth.CHANGEME_DOMAIN
 GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN
 # SSO redirect allow-list (bug 66f8e10a) — app origins for unified SSO.
 GOTRUE_URI_ALLOW_LIST=https://crm.CHANGEME_DOMAIN,https://wiki.CHANGEME_DOMAIN,https://erp.CHANGEME_DOMAIN
+# Bug 0327b017: parent-domain session cookie → shared across all subdomains.
+GOTRUE_COOKIE_DOMAIN=.CHANGEME_DOMAIN
+GOTRUE_COOKIE_KEY=exe-auth
 GOTRUE_DISABLE_SIGNUP=true
 GOTRUE_MAILER_AUTOCONFIRM=false
 # From address for auth emails — customer domain, not askexe.com (bug 133c9d5b).

package/deploy/compose/docker-compose.yml

@@ -159,15 +159,34 @@ services:
       GOTRUE_DB_DRIVER: postgres
       GOTRUE_DB_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?sslmode=disable&search_path=auth
       # Bug ae113b23: never fall back to a hardcoded domain here.
-      # GOTRUE_SITE_URL must be set in .env by generate-env.ts (uses crm.${DOMAIN})
-      # or by the operator. An empty/missing value is intentionally rejected at
-      # runtime so misconfigured stacks fail loudly rather than silently redirect
-      # auth flows to crm.askexe.com.
-      GOTRUE_SITE_URL: ${GOTRUE_SITE_URL:?GOTRUE_SITE_URL is required — set to https://crm.<your-domain> in .env}
+      # GOTRUE_SITE_URL must be set in .env by generate-env.ts. An empty/missing
+      # value is intentionally rejected at runtime so misconfigured stacks fail
+      # loudly rather than silently redirect auth flows to crm.askexe.com.
+      #
+      # Bug dc99d78e: SITE_URL is now https://auth.<domain> (the auth gateway),
+      # NOT crm.<domain>. GoTrue builds email confirm/reset/magic-link URLs and
+      # its post-action default redirect against SITE_URL — pointing it at the
+      # auth gateway means those links land on the SPA's /confirm handler, which
+      # then honors the originating product's ?redirect= (allow-listed) instead
+      # of always bouncing to CRM. Per-product origins are authorized via
+      # GOTRUE_URI_ALLOW_LIST below, so ?redirect_to=https://wiki.<domain> works.
+      GOTRUE_SITE_URL: ${GOTRUE_SITE_URL:?GOTRUE_SITE_URL is required — set to https://auth.<your-domain> in .env}
       GOTRUE_URI_ALLOW_LIST: ${GOTRUE_URI_ALLOW_LIST:-}
+      # Bug 0327b017: scope the GoTrue session cookie to the PARENT apex domain
+      # (".<domain>", e.g. ".hygo.co") so the session is shared across the
+      # crm/wiki/erp/auth subdomains → true single sign-on. Without this the
+      # cookie defaults to the issuing host (auth.<domain>) and every other
+      # subdomain re-prompts for login. Templated from $DOMAIN — no hardcoding.
+      GOTRUE_COOKIE_KEY: ${GOTRUE_COOKIE_KEY:-exe-auth}
+      GOTRUE_COOKIE_DOMAIN: ${GOTRUE_COOKIE_DOMAIN:-.${DOMAIN}}
       GOTRUE_JWT_SECRET: ${GOTRUE_JWT_SECRET:?GOTRUE_JWT_SECRET is required}
       GOTRUE_JWT_EXP: ${GOTRUE_JWT_EXP:-3600}
       GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
+      # Bug 80a15e36: GoTrue defaults the JWT `aud` claim to an empty string
+      # unless GOTRUE_JWT_AUD is set. Apps (crm/wiki/erp) validating the audience
+      # reject empty-aud tokens. "authenticated" is GoTrue's standard audience and
+      # matches GOTRUE_JWT_DEFAULT_GROUP_NAME above.
+      GOTRUE_JWT_AUD: ${GOTRUE_JWT_AUD:-authenticated}
       # No hardcoded askexe.com fallback — GOTRUE_EXTERNAL_URL is set per-customer
       # in .env (https://auth.<domain>) and must be present (bug 47965144 class).
       API_EXTERNAL_URL: ${GOTRUE_EXTERNAL_URL:?GOTRUE_EXTERNAL_URL is required — set to https://auth.<your-domain> in .env}

package/deploy/compose/generate-env.ts

@@ -74,11 +74,22 @@ export function generateEnv(options: GenerateEnvOptions): string {
     "# --- GoTrue (shared auth) ---",
     `GOTRUE_JWT_SECRET=${randomSecret(RANDOM_SECRET_48)}`,
     "GOTRUE_API_PORT=9999",
-    `GOTRUE_SITE_URL=https://crm.${normalizedDomain}`,
+    "# Bug dc99d78e: SITE_URL points at the auth gateway (not crm). GoTrue builds",
+    "# email confirm/reset links + its post-action default redirect against",
+    "# SITE_URL; landing on auth.<domain>/confirm lets the SPA honor the",
+    "# originating product's ?redirect= (allow-listed) instead of forcing CRM.",
+    `GOTRUE_SITE_URL=https://auth.${normalizedDomain}`,
     `GOTRUE_EXTERNAL_URL=https://auth.${normalizedDomain}`,
     "# SSO redirect allow-list (bug 66f8e10a): app origins the gateway may bounce",
     "# users back to via ?redirect=. Required for unified SSO across crm/wiki/erp.",
     `GOTRUE_URI_ALLOW_LIST=https://crm.${normalizedDomain},https://wiki.${normalizedDomain},https://erp.${normalizedDomain}`,
+    "# Bug 0327b017: scope the session cookie to the PARENT apex domain so it is",
+    "# shared across crm/wiki/erp/auth subdomains → true SSO (no re-login).",
+    `GOTRUE_COOKIE_DOMAIN=.${normalizedDomain}`,
+    "GOTRUE_COOKIE_KEY=exe-auth",
+    "# Bug 80a15e36: pin the JWT audience so issued tokens carry aud=authenticated",
+    "# (GoTrue defaults aud to empty); apps validating aud reject empty-aud tokens.",
+    "GOTRUE_JWT_AUD=authenticated",
     "GOTRUE_DISABLE_SIGNUP=true",
     "GOTRUE_MAILER_AUTOCONFIRM=false",
     "# Auth emails (confirm/reset/magic-link) send From this customer-domain",
@@ -250,10 +261,17 @@ export function generateExampleEnv(): string {
     "# --- GoTrue (shared auth) ---",
     "GOTRUE_JWT_SECRET=CHANGEME_GOTRUE_JWT_SECRET",
     "GOTRUE_API_PORT=9999",
-    "GOTRUE_SITE_URL=https://crm.CHANGEME_DOMAIN",
+    "# Bug dc99d78e: SITE_URL = auth gateway (not crm) so email links + default",
+    "# redirect honor the originating product's ?redirect= via the SPA /confirm.",
+    "GOTRUE_SITE_URL=https://auth.CHANGEME_DOMAIN",
     "GOTRUE_EXTERNAL_URL=https://auth.CHANGEME_DOMAIN",
     "# SSO redirect allow-list (bug 66f8e10a) — app origins for unified SSO.",
     "GOTRUE_URI_ALLOW_LIST=https://crm.CHANGEME_DOMAIN,https://wiki.CHANGEME_DOMAIN,https://erp.CHANGEME_DOMAIN",
+    "# Bug 0327b017: parent-domain cookie → session shared across all subdomains.",
+    "GOTRUE_COOKIE_DOMAIN=.CHANGEME_DOMAIN",
+    "GOTRUE_COOKIE_KEY=exe-auth",
+    "# Bug 80a15e36: JWT audience pinned to authenticated (default is empty).",
+    "GOTRUE_JWT_AUD=authenticated",
     "GOTRUE_DISABLE_SIGNUP=true",
     "GOTRUE_MAILER_AUTOCONFIRM=false",
     "# From address for auth emails — customer domain, not askexe.com (bug 133c9d5b).",

package/deploy/compose/setup.sh

@@ -64,8 +64,17 @@ CLICKHOUSE_USER=exe
 CLICKHOUSE_PASSWORD=$(gen 32)
 REDIS_PASSWORD=$(gen 32)
 GOTRUE_JWT_SECRET=$(gen 48)
-GOTRUE_SITE_URL=https://crm.${DOMAIN}
+# Bug dc99d78e: SITE_URL = auth gateway (not crm) so email links + GoTrue's
+# default redirect honor the originating product's ?redirect= via SPA /confirm.
+GOTRUE_SITE_URL=https://auth.${DOMAIN}
 GOTRUE_EXTERNAL_URL=https://auth.${DOMAIN}
+# SSO redirect allow-list (bug 66f8e10a): app origins the gateway may bounce
+# users back to via ?redirect=. Required for unified SSO across crm/wiki/erp.
+GOTRUE_URI_ALLOW_LIST=https://crm.${DOMAIN},https://wiki.${DOMAIN},https://erp.${DOMAIN}
+# Bug 0327b017: scope the session cookie to the PARENT apex domain so it is
+# shared across crm/wiki/erp/auth subdomains → true SSO (no re-login).
+GOTRUE_COOKIE_DOMAIN=.${DOMAIN}
+GOTRUE_COOKIE_KEY=exe-auth
 # Invite-only by default; never autoconfirm without an SMTP round-trip (bug 36c04fe3).
 # Configure SMTP_HOST below and keep MAILER_AUTOCONFIRM=false to verify email ownership.
 GOTRUE_DISABLE_SIGNUP=true

package/deploy/stack-manifests/v0.9.json

@@ -1346,7 +1346,7 @@
       "breakingChanges": [],
       "services": {
         "exe-os": {
-          "image": "update.askexe.com/askexe/exe-os:v0.9.294@sha256:cb89b04278beafc1596dd7b7c0012cbb75ce58a8e4c0ea2c1ffa5efffd5a03d7",
+          "image": "update.askexe.com/askexe/exe-os:v0.9.297@sha256:9fb38b3972202c410bb03d437a7fbaaf34a474f123285f45cbd9ceb039d276c1",
           "env": "EXE_OS_IMAGE_TAG",
           "composeService": "exe-os",
           "healthUrl": "http://127.0.0.1:8765/health",
@@ -1355,7 +1355,7 @@
           "description": "Exe OS Daemon \u2014 memory, orchestration, MCP server"
         },
         "crm": {
-          "image": "update.askexe.com/askexe/exe-crm:v0.9.48@sha256:f7fa8e1b8f7fbdc29c77b60461da0cfbda52cdd479ab1ffc25d8a618c94d1c82",
+          "image": "update.askexe.com/askexe/exe-crm:v0.9.49@sha256:656512528d2cecc7c0424f917a9b3d0a999f91b160c7b7e7e05778dd8b1319cc",
           "env": "CRM_IMAGE_TAG",
           "composeService": "exe-crm",
           "healthUrl": "http://127.0.0.1:3000/healthz",
@@ -1364,7 +1364,7 @@
           "description": "Customer Relationship Management"
         },
         "wiki": {
-          "image": "update.askexe.com/askexe/exe-wiki:v0.9.23@sha256:9e1ab889c902e641e2fe37910d85ed39ddfd7c728eceb40f25402d1abb734ea8",
+          "image": "update.askexe.com/askexe/exe-wiki:v0.9.24@sha256:3acf72b992d34ce1e802b075cef8e4e1dd5e4b5681a4681398545f1f7e13e331",
           "env": "WIKI_IMAGE_TAG",
           "composeService": "exe-wiki",
           "healthUrl": "http://127.0.0.1:3001/api/ping",
@@ -1373,7 +1373,7 @@
           "description": "Knowledge Base & Documentation"
         },
         "erp": {
-          "image": "update.askexe.com/askexe/exe-erp:v0.2.1@sha256:2d55a7c30bc6c5240b516de00e75e7384d0e6ec2580691e31cf3cb32ec012b4e",
+          "image": "update.askexe.com/askexe/exe-erp:v0.2.2@sha256:00fecc790ff848bfd4b7d87f42f859edfeb6090a7ca26bf2359dc6cb96767afb",
           "env": "ERP_IMAGE_TAG",
           "composeService": "exe-erp",
           "healthUrl": "http://127.0.0.1:8069/api/method/ping",
@@ -1382,7 +1382,7 @@
           "description": "Enterprise Resource Planning"
         },
         "gateway": {
-          "image": "update.askexe.com/askexe/exe-gateway:v0.9.21@sha256:c07baf4d57a9c3f4db04a31efba3e37da5fefc459b12189220ec99d8d648a018",
+          "image": "update.askexe.com/askexe/exe-gateway:v0.9.22@sha256:4d0b545699f2a38d1b6bbc2f81e4360e96d2b27e9b565da9fcd0ba1eac82f7c8",
           "env": "GATEWAY_IMAGE_TAG",
           "composeService": "exe-gateway",
           "healthUrl": "http://127.0.0.1:3100/health",
@@ -1391,7 +1391,7 @@
           "description": "WhatsApp, Telegram & API Gateway"
         },
         "monitorAgent": {
-          "image": "update.askexe.com/askexe/exe-monitor-agent:v0.9.4@sha256:9ca4e75577b2ff2abb754140ccfaf8df19161bcef601faf37d1fce743fe814fc",
+          "image": "update.askexe.com/askexe/exe-monitor-agent:v0.9.5@sha256:d442170bb0d7411beb4195e7888377cee2013a0c2adb194d4e44cdab41886d2d",
           "env": "MONITOR_AGENT_IMAGE_TAG",
           "composeService": "exe-monitor-agent",
           "required": false,
@@ -1399,7 +1399,7 @@
           "description": "System Monitoring Agent"
         },
         "monitorHub": {
-          "image": "update.askexe.com/askexe/exe-monitor-hub:v0.9.4@sha256:d593bec5a4b248388d0d85353fae1ba8f93cab628a03833aa79acd0632fd11cb",
+          "image": "update.askexe.com/askexe/exe-monitor-hub:v0.9.5@sha256:e9a406d1be7efe59cec38db1ace4beef728afa713781675cb30d33fe06b2ed08",
           "env": "MONITOR_HUB_IMAGE_TAG",
           "composeService": "exe-monitor-hub",
           "healthUrl": "http://127.0.0.1:8090/api/health",

package/dist/active-agent-3JXJQ2GZ.js

@@ -0,0 +1,27 @@
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-AAFTYJ5R.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-I3IW6AAX.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-2DWYR2LJ.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-R36FAN53.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/active-agent-XK54VI3S.js

@@ -0,0 +1,28 @@
+import "./chunk-SH45SJQW.js";
+import {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+} from "./chunk-AAFTYJ5R.js";
+import "./chunk-CVYC6DUW.js";
+import "./chunk-GJV3WDWM.js";
+import "./chunk-I3IW6AAX.js";
+import "./chunk-2I23RPSI.js";
+import "./chunk-2DWYR2LJ.js";
+import "./chunk-PNQDP3OA.js";
+import "./chunk-7HLWBYH7.js";
+import "./chunk-FXU7JOXK.js";
+import "./chunk-R36FAN53.js";
+import "./chunk-LYH5HE24.js";
+import "./chunk-MLKGABMK.js";
+export {
+  cleanupSessionMarkers,
+  clearActiveAgent,
+  getActiveAgent,
+  getAllActiveAgents,
+  resolveActiveAgentFromTmuxSession,
+  writeActiveAgent
+};

package/dist/agentic-ontology-BPJOT2H2.js

@@ -0,0 +1,25 @@
+import {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+} from "./chunk-7C4K7HSF.js";
+import "./chunk-MLKGABMK.js";
+export {
+  clean,
+  extractGoalCandidates,
+  inferIntention,
+  inferOntologyEventType,
+  inferOutcome,
+  inferSemanticLabel,
+  insertOntologyForBatch,
+  insertOntologyForMemory,
+  ontologyPayload,
+  stableId
+};