@askexenow/exe-os 0.9.30 → 0.9.32

package/dist/bin/exe-session-cleanup.js

@@ -1128,8 +1128,8 @@ function findPackageRoot() {
 function getAvailableMemoryGB() {
   if (process.platform === "darwin") {
     try {
-      const { execSync: execSync10 } = __require("child_process");
-      const vmstat = execSync10("vm_stat", { encoding: "utf8" });
+      const { execSync: execSync11 } = __require("child_process");
+      const vmstat = execSync11("vm_stat", { encoding: "utf8" });
       const pageSize = 16384;
       const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
       const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
@@ -2813,6 +2813,7 @@ var init_database = __esm({
 // src/lib/keychain.ts
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync6 } from "fs";
+import { execSync as execSync2 } from "child_process";
 import path6 from "path";
 import os5 from "os";
 function getKeyDir() {
@@ -2821,6 +2822,59 @@ function getKeyDir() {
 function getKeyPath() {
   return path6.join(getKeyDir(), "master.key");
 }
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync2(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync2(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync2(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync2(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync2(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function tryKeytar() {
   try {
     return await import("keytar");
@@ -2828,13 +2882,63 @@ async function tryKeytar() {
     return null;
   }
 }
+function deriveMachineKey() {
+  try {
+    const crypto8 = __require("crypto");
+    const material = [
+      os5.hostname(),
+      os5.userInfo().username,
+      os5.arch(),
+      os5.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto8.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync14 } = __require("fs");
+    return readFileSync14("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto8 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto8.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
 async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
-      const stored = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (stored) {
-        return Buffer.from(stored, "base64");
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
@@ -2848,8 +2952,31 @@ async function getMasterKey() {
     return null;
   }
   try {
-    const content = await readFile3(keyPath, "utf-8");
-    return Buffer.from(content.trim(), "base64");
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+    }
+    return key;
   } catch (err) {
     process.stderr.write(
       `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
@@ -2858,12 +2985,13 @@ async function getMasterKey() {
     return null;
   }
 }
-var SERVICE, ACCOUNT;
+var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
 var init_keychain = __esm({
   "src/lib/keychain.ts"() {
     "use strict";
     SERVICE = "exe-mem";
     ACCOUNT = "master-key";
+    ENCRYPTED_PREFIX = "enc:";
   }
 });
 
@@ -4129,7 +4257,7 @@ var init_session_registry = __esm({
 });
 
 // src/lib/session-key.ts
-import { execSync as execSync2 } from "child_process";
+import { execSync as execSync3 } from "child_process";
 function normalizeCommand(command) {
   const trimmed = command.trim().toLowerCase();
   const parts = trimmed.split(/[\\/]/);
@@ -4148,7 +4276,7 @@ function resolveRuntimeProcess() {
   let pid = process.ppid;
   for (let i = 0; i < 10; i++) {
     try {
-      const info = execSync2(`ps -p ${pid} -o ppid=,comm=`, {
+      const info = execSync3(`ps -p ${pid} -o ppid=,comm=`, {
         encoding: "utf8",
         timeout: 2e3
       }).trim();
@@ -4314,14 +4442,14 @@ var init_transport = __esm({
 });
 
 // src/lib/cc-agent-support.ts
-import { execSync as execSync3 } from "child_process";
+import { execSync as execSync4 } from "child_process";
 function _resetCcAgentSupportCache() {
   _cachedSupport = null;
 }
 function claudeSupportsAgentFlag() {
   if (_cachedSupport !== null) return _cachedSupport;
   try {
-    const helpOutput = execSync3("claude --help 2>&1", {
+    const helpOutput = execSync4("claude --help 2>&1", {
       encoding: "utf-8",
       timeout: 5e3
     });
@@ -4770,7 +4898,7 @@ var init_session_kill_telemetry = __esm({
 });
 
 // src/lib/project-name.ts
-import { execSync as execSync4 } from "child_process";
+import { execSync as execSync5 } from "child_process";
 import path14 from "path";
 function getProjectName(cwd) {
   const dir = cwd ?? process.cwd();
@@ -4778,7 +4906,7 @@ function getProjectName(cwd) {
   try {
     let repoRoot;
     try {
-      const gitCommonDir = execSync4("git rev-parse --path-format=absolute --git-common-dir", {
+      const gitCommonDir = execSync5("git rev-parse --path-format=absolute --git-common-dir", {
         cwd: dir,
         encoding: "utf8",
         timeout: 2e3,
@@ -4786,7 +4914,7 @@ function getProjectName(cwd) {
       }).trim();
       repoRoot = path14.dirname(gitCommonDir);
     } catch {
-      repoRoot = execSync4("git rev-parse --show-toplevel", {
+      repoRoot = execSync5("git rev-parse --show-toplevel", {
         cwd: dir,
         encoding: "utf8",
         timeout: 2e3,
@@ -4893,7 +5021,7 @@ __export(tasks_crud_exports, {
 import crypto4 from "crypto";
 import path15 from "path";
 import os10 from "os";
-import { execSync as execSync5 } from "child_process";
+import { execSync as execSync6 } from "child_process";
 import { mkdir as mkdir4, writeFile as writeFile4, appendFile } from "fs/promises";
 import { existsSync as existsSync14, readFileSync as readFileSync11 } from "fs";
 async function writeCheckpoint(input) {
@@ -5238,14 +5366,14 @@ function isTmuxSessionAlive(identifier) {
   if (!identifier || identifier === "unknown") return true;
   try {
     if (identifier.startsWith("%")) {
-      const output = execSync5("tmux list-panes -a -F '#{pane_id}'", {
+      const output = execSync6("tmux list-panes -a -F '#{pane_id}'", {
         timeout: 2e3,
         encoding: "utf8",
         stdio: ["pipe", "pipe", "pipe"]
       });
       return output.split("\n").some((l) => l.trim() === identifier);
     } else {
-      execSync5(`tmux has-session -t ${JSON.stringify(identifier)}`, {
+      execSync6(`tmux has-session -t ${JSON.stringify(identifier)}`, {
         timeout: 2e3,
         stdio: ["pipe", "pipe", "pipe"]
       });
@@ -5254,7 +5382,7 @@ function isTmuxSessionAlive(identifier) {
   } catch {
     if (identifier.startsWith("%")) return true;
     try {
-      execSync5("tmux list-sessions", {
+      execSync6("tmux list-sessions", {
         timeout: 2e3,
         stdio: ["pipe", "pipe", "pipe"]
       });
@@ -5269,12 +5397,12 @@ function checkStaleCompletion(taskContext, taskCreatedAt) {
   if (!DELEGATION_KEYWORDS.test(taskContext)) return null;
   try {
     const since = new Date(taskCreatedAt).toISOString();
-    const branch = execSync5(
+    const branch = execSync6(
       "git rev-parse --abbrev-ref HEAD 2>/dev/null",
       { encoding: "utf8", timeout: 3e3 }
     ).trim();
     const branchArg = branch && branch !== "HEAD" ? branch : "";
-    const commitCount = execSync5(
+    const commitCount = execSync6(
       `git log --oneline --since="${since}" ${branchArg} 2>/dev/null | wc -l`,
       { encoding: "utf8", timeout: 5e3 }
     ).trim();
@@ -6872,7 +7000,7 @@ __export(tmux_routing_exports, {
   spawnEmployee: () => spawnEmployee,
   verifyPaneAtCapacity: () => verifyPaneAtCapacity
 });
-import { execFileSync as execFileSync2, execSync as execSync6 } from "child_process";
+import { execFileSync as execFileSync2, execSync as execSync7 } from "child_process";
 import { readFileSync as readFileSync12, writeFileSync as writeFileSync8, mkdirSync as mkdirSync7, existsSync as existsSync16, appendFileSync, readdirSync as readdirSync4 } from "fs";
 import path19 from "path";
 import os11 from "os";
@@ -7582,7 +7710,7 @@ function spawnEmployee(employeeName, exeSession2, projectDir, opts) {
   let booted = false;
   for (let i = 0; i < 30; i++) {
     try {
-      execSync6("sleep 0.5");
+      execSync7("sleep 0.5");
     } catch {
     }
     try {
@@ -7699,7 +7827,7 @@ __export(git_task_sweep_exports, {
   matchScore: () => matchScore,
   sweepTasks: () => sweepTasks
 });
-import { execSync as execSync7 } from "child_process";
+import { execSync as execSync8 } from "child_process";
 function extractKeywords(text) {
   return text.toLowerCase().replace(/[^a-z0-9\s-]/g, " ").split(/\s+/).filter((w) => w.length >= 3 && !STOP_WORDS.has(w));
 }
@@ -7728,7 +7856,7 @@ function matchScore(task, commitMessage, changedFiles) {
 function getRecentCommits(limit = DEFAULT_COMMIT_LIMIT) {
   try {
     const SEPARATOR = "<<SEP>>";
-    const output = execSync7(
+    const output = execSync8(
       `git log --format="%h${SEPARATOR}%s${SEPARATOR}%aI" --name-only -n ${limit} -z`,
       { encoding: "utf8", timeout: 1e4 }
     );
@@ -7919,12 +8047,12 @@ __export(worktree_exports, {
   worktreeBranch: () => worktreeBranch,
   worktreePath: () => worktreePath
 });
-import { execSync as execSync8 } from "child_process";
+import { execSync as execSync9 } from "child_process";
 import { existsSync as existsSync17, readFileSync as readFileSync13, appendFileSync as appendFileSync2, mkdirSync as mkdirSync8, realpathSync } from "fs";
 import path20 from "path";
 function getGitRoot(dir) {
   try {
-    const root = execSync8("git rev-parse --show-toplevel", {
+    const root = execSync9("git rev-parse --show-toplevel", {
       cwd: dir,
       encoding: "utf-8",
       timeout: GIT_TIMEOUT_MS,
@@ -7937,7 +8065,7 @@ function getGitRoot(dir) {
 }
 function getMainRepoRoot(dir) {
   try {
-    const commonDir = execSync8(
+    const commonDir = execSync9(
       "git rev-parse --path-format=absolute --git-common-dir",
       { cwd: dir, encoding: "utf-8", timeout: GIT_TIMEOUT_MS, stdio: ["pipe", "pipe", "pipe"] }
     ).trim();
@@ -7968,7 +8096,7 @@ function ensureWorktree(projectDir, employeeName, instance) {
   mkdirSync8(worktreesDir, { recursive: true });
   ensureGitignoreEntry(repoRoot, "/.worktrees/");
   try {
-    execSync8("git worktree prune", {
+    execSync9("git worktree prune", {
       cwd: repoRoot,
       encoding: "utf-8",
       timeout: GIT_TIMEOUT_MS,
@@ -7979,14 +8107,14 @@ function ensureWorktree(projectDir, employeeName, instance) {
   const branchExists = branchExistsLocally(repoRoot, branch);
   try {
     if (branchExists) {
-      execSync8(`git worktree add "${wtPath}" "${branch}"`, {
+      execSync9(`git worktree add "${wtPath}" "${branch}"`, {
         cwd: repoRoot,
         encoding: "utf-8",
         timeout: GIT_TIMEOUT_MS,
         stdio: ["pipe", "pipe", "pipe"]
       });
     } else {
-      execSync8(`git worktree add "${wtPath}" -b "${branch}" HEAD`, {
+      execSync9(`git worktree add "${wtPath}" -b "${branch}" HEAD`, {
         cwd: repoRoot,
         encoding: "utf-8",
         timeout: GIT_TIMEOUT_MS,
@@ -8004,7 +8132,7 @@ function ensureWorktree(projectDir, employeeName, instance) {
 }
 function isWorktreeDirty(wtPath) {
   try {
-    const status = execSync8("git status --porcelain", {
+    const status = execSync9("git status --porcelain", {
       cwd: wtPath,
       encoding: "utf-8",
       timeout: GIT_TIMEOUT_MS,
@@ -8034,7 +8162,7 @@ function cleanupWorktree(projectDir, employeeName, instance) {
     return { cleaned: false, reason: `branch ${branch} not merged into ${mainBranch}` };
   }
   try {
-    execSync8(`git worktree remove "${wtPath}"`, {
+    execSync9(`git worktree remove "${wtPath}"`, {
       cwd: repoRoot,
       encoding: "utf-8",
       timeout: GIT_TIMEOUT_MS,
@@ -8047,7 +8175,7 @@ function cleanupWorktree(projectDir, employeeName, instance) {
     };
   }
   try {
-    execSync8(`git branch -d "${branch}"`, {
+    execSync9(`git branch -d "${branch}"`, {
       cwd: repoRoot,
       encoding: "utf-8",
       timeout: GIT_TIMEOUT_MS,
@@ -8059,7 +8187,7 @@ function cleanupWorktree(projectDir, employeeName, instance) {
 }
 function branchExistsLocally(repoRoot, branch) {
   try {
-    execSync8(`git rev-parse --verify "refs/heads/${branch}"`, {
+    execSync9(`git rev-parse --verify "refs/heads/${branch}"`, {
       cwd: repoRoot,
       encoding: "utf-8",
       timeout: GIT_TIMEOUT_MS,
@@ -8078,7 +8206,7 @@ function detectMainBranch(repoRoot) {
 }
 function isBranchMerged(repoRoot, branch, into) {
   try {
-    const merged = execSync8(`git branch --merged "${into}"`, {
+    const merged = execSync9(`git branch --merged "${into}"`, {
       cwd: repoRoot,
       encoding: "utf-8",
       timeout: GIT_TIMEOUT_MS,
@@ -8125,7 +8253,7 @@ init_database();
 init_task_scope();
 init_project_name();
 import crypto7 from "crypto";
-import { execSync as execSync9 } from "child_process";
+import { execSync as execSync10 } from "child_process";
 var agentName = process.argv[2];
 var exeSession = process.argv[3];
 if (!agentName) process.exit(0);
@@ -8298,7 +8426,7 @@ try {
     }
     const msg = `session-ended: ${agentName} session terminated. ${parts.join(". ")}`;
     try {
-      execSync9(`tmux send-keys -t ${JSON.stringify(exeSession)} ${JSON.stringify(msg)} Enter`, {
+      execSync10(`tmux send-keys -t ${JSON.stringify(exeSession)} ${JSON.stringify(msg)} Enter`, {
         timeout: 3e3
       });
     } catch {

package/dist/bin/exe-start-codex.js

@@ -1051,8 +1051,8 @@ function findPackageRoot() {
 function getAvailableMemoryGB() {
   if (process.platform === "darwin") {
     try {
-      const { execSync: execSync5 } = __require("child_process");
-      const vmstat = execSync5("vm_stat", { encoding: "utf8" });
+      const { execSync: execSync6 } = __require("child_process");
+      const vmstat = execSync6("vm_stat", { encoding: "utf8" });
       const pageSize = 16384;
       const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
       const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
@@ -3183,7 +3183,7 @@ var init_runtime_table = __esm({
 });
 
 // src/lib/session-key.ts
-import { execSync as execSync2 } from "child_process";
+import { execSync as execSync3 } from "child_process";
 function normalizeCommand(command) {
   const trimmed = command.trim().toLowerCase();
   const parts = trimmed.split(/[\\/]/);
@@ -3202,7 +3202,7 @@ function resolveRuntimeProcess() {
   let pid = process.ppid;
   for (let i = 0; i < 10; i++) {
     try {
-      const info = execSync2(`ps -p ${pid} -o ppid=,comm=`, {
+      const info = execSync3(`ps -p ${pid} -o ppid=,comm=`, {
         encoding: "utf8",
         timeout: 2e3
       }).trim();
@@ -3261,7 +3261,7 @@ __export(active_agent_exports, {
   writeActiveAgent: () => writeActiveAgent
 });
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4, unlinkSync as unlinkSync4, readdirSync as readdirSync3 } from "fs";
-import { execSync as execSync3 } from "child_process";
+import { execSync as execSync4 } from "child_process";
 import path9 from "path";
 function isNameWithOptionalInstance(candidate, baseName) {
   if (candidate === baseName) return true;
@@ -3353,7 +3353,7 @@ function getActiveAgent() {
   } catch {
   }
   try {
-    const sessionName = execSync3(
+    const sessionName = execSync4(
       "tmux display-message -p '#{session_name}' 2>/dev/null",
       { encoding: "utf8", timeout: 2e3 }
     ).trim();
@@ -3482,7 +3482,7 @@ import { readFile as readFile4, writeFile as writeFile4, mkdir as mkdir4, readdi
 import { existsSync as existsSync11, readFileSync as readFileSync7, writeFileSync as writeFileSync6, copyFileSync, mkdirSync as mkdirSync6 } from "fs";
 import path12 from "path";
 import os9 from "os";
-import { execSync as execSync4 } from "child_process";
+import { execSync as execSync5 } from "child_process";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function resolvePackageRoot() {
   const thisFile = fileURLToPath2(import.meta.url);
@@ -3946,6 +3946,7 @@ import { createHash } from "crypto";
 // src/lib/keychain.ts
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync6 } from "fs";
+import { execSync as execSync2 } from "child_process";
 import path6 from "path";
 import os5 from "os";
 var SERVICE = "exe-mem";
@@ -3956,6 +3957,59 @@ function getKeyDir() {
 function getKeyPath() {
   return path6.join(getKeyDir(), "master.key");
 }
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync2(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync2(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync2(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync2(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync2(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function tryKeytar() {
   try {
     return await import("keytar");
@@ -3963,13 +4017,64 @@ async function tryKeytar() {
     return null;
   }
 }
+var ENCRYPTED_PREFIX = "enc:";
+function deriveMachineKey() {
+  try {
+    const crypto3 = __require("crypto");
+    const material = [
+      os5.hostname(),
+      os5.userInfo().username,
+      os5.arch(),
+      os5.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto3.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync10 } = __require("fs");
+    return readFileSync10("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto3 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto3.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
 async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
-      const stored = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (stored) {
-        return Buffer.from(stored, "base64");
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
@@ -3983,8 +4088,31 @@ async function getMasterKey() {
     return null;
   }
   try {
-    const content = await readFile3(keyPath, "utf-8");
-    return Buffer.from(content.trim(), "base64");
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+    }
+    return key;
   } catch (err) {
     process.stderr.write(
       `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
@@ -4538,8 +4666,8 @@ async function main() {
   }
   if (!process.env[CODEX.apiKeyEnv]) {
     try {
-      const { execSync: execSync5 } = await import("child_process");
-      const status = execSync5("codex login status 2>&1", { encoding: "utf8", timeout: 5e3 }).trim();
+      const { execSync: execSync6 } = await import("child_process");
+      const status = execSync6("codex login status 2>&1", { encoding: "utf8", timeout: 5e3 }).trim();
       if (!status.toLowerCase().includes("logged in")) {
         process.stderr.write(
           `exe-start-codex: not authenticated. Run \`codex login\` or set ${CODEX.apiKeyEnv}.