@askexenow/exe-os 0.9.30 → 0.9.32

package/dist/hooks/pre-compact.js

@@ -1618,8 +1618,8 @@ function findPackageRoot() {
 function getAvailableMemoryGB() {
   if (process.platform === "darwin") {
     try {
-      const { execSync: execSync8 } = __require("child_process");
-      const vmstat = execSync8("vm_stat", { encoding: "utf8" });
+      const { execSync: execSync9 } = __require("child_process");
+      const vmstat = execSync9("vm_stat", { encoding: "utf8" });
       const pageSize = 16384;
       const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
       const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
@@ -6513,6 +6513,7 @@ var init_task_scope = __esm({
 // src/lib/keychain.ts
 import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync15 } from "fs";
+import { execSync as execSync8 } from "child_process";
 import path19 from "path";
 import os11 from "os";
 function getKeyDir() {
@@ -6521,6 +6522,59 @@ function getKeyDir() {
 function getKeyPath() {
   return path19.join(getKeyDir(), "master.key");
 }
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync8(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync8(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync8(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync8(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync8(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function tryKeytar() {
   try {
     return await import("keytar");
@@ -6528,13 +6582,63 @@ async function tryKeytar() {
     return null;
   }
 }
+function deriveMachineKey() {
+  try {
+    const crypto7 = __require("crypto");
+    const material = [
+      os11.hostname(),
+      os11.userInfo().username,
+      os11.arch(),
+      os11.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto7.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync15 } = __require("fs");
+    return readFileSync15("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto7 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto7.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
 async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
-      const stored = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (stored) {
-        return Buffer.from(stored, "base64");
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
@@ -6548,8 +6652,31 @@ async function getMasterKey() {
     return null;
   }
   try {
-    const content = await readFile4(keyPath, "utf-8");
-    return Buffer.from(content.trim(), "base64");
+    const content = (await readFile4(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+    }
+    return key;
   } catch (err) {
     process.stderr.write(
       `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
@@ -6558,12 +6685,13 @@ async function getMasterKey() {
     return null;
   }
 }
-var SERVICE, ACCOUNT;
+var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
 var init_keychain = __esm({
   "src/lib/keychain.ts"() {
     "use strict";
     SERVICE = "exe-mem";
     ACCOUNT = "master-key";
+    ENCRYPTED_PREFIX = "enc:";
   }
 });
 

package/dist/hooks/pre-tool-use.js

@@ -1623,8 +1623,8 @@ function findPackageRoot() {
 function getAvailableMemoryGB() {
   if (process.platform === "darwin") {
     try {
-      const { execSync: execSync7 } = __require("child_process");
-      const vmstat = execSync7("vm_stat", { encoding: "utf8" });
+      const { execSync: execSync8 } = __require("child_process");
+      const vmstat = execSync8("vm_stat", { encoding: "utf8" });
       const pageSize = 16384;
       const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
       const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
@@ -3669,6 +3669,7 @@ var init_cto_delegation_gate = __esm({
 // src/lib/keychain.ts
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync12 } from "fs";
+import { execSync as execSync5 } from "child_process";
 import path14 from "path";
 import os10 from "os";
 function getKeyDir() {
@@ -3677,6 +3678,59 @@ function getKeyDir() {
 function getKeyPath() {
   return path14.join(getKeyDir(), "master.key");
 }
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync5(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync5(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync5(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync5(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync5(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function tryKeytar() {
   try {
     return await import("keytar");
@@ -3684,13 +3738,63 @@ async function tryKeytar() {
     return null;
   }
 }
+function deriveMachineKey() {
+  try {
+    const crypto2 = __require("crypto");
+    const material = [
+      os10.hostname(),
+      os10.userInfo().username,
+      os10.arch(),
+      os10.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto2.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync12 } = __require("fs");
+    return readFileSync12("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto2 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto2.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
 async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
-      const stored = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (stored) {
-        return Buffer.from(stored, "base64");
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
@@ -3704,8 +3808,31 @@ async function getMasterKey() {
     return null;
   }
   try {
-    const content = await readFile3(keyPath, "utf-8");
-    return Buffer.from(content.trim(), "base64");
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+    }
+    return key;
   } catch (err) {
     process.stderr.write(
       `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
@@ -3714,12 +3841,13 @@ async function getMasterKey() {
     return null;
   }
 }
-var SERVICE, ACCOUNT;
+var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
 var init_keychain = __esm({
   "src/lib/keychain.ts"() {
     "use strict";
     SERVICE = "exe-mem";
     ACCOUNT = "master-key";
+    ENCRYPTED_PREFIX = "enc:";
   }
 });
 
@@ -5031,12 +5159,12 @@ __export(review_gate_exports, {
   checkTestCoverage: () => checkTestCoverage,
   runReviewGate: () => runReviewGate
 });
-import { execSync as execSync5 } from "child_process";
+import { execSync as execSync6 } from "child_process";
 import { existsSync as existsSync14 } from "fs";
 function checkCommitsExist(taskCreatedAt) {
   try {
     const since = new Date(taskCreatedAt).toISOString();
-    const output = execSync5(
+    const output = execSync6(
       `git log --oneline --since="${since}" --no-merges 2>/dev/null`,
       { encoding: "utf8", timeout: 5e3 }
     ).trim();
@@ -5053,7 +5181,7 @@ function checkLayerBoundaries(taskCreatedAt) {
   const violations = [];
   try {
     const since = new Date(taskCreatedAt).toISOString();
-    const filesOutput = execSync5(
+    const filesOutput = execSync6(
       `git log --since="${since}" --no-merges --name-only --pretty=format: 2>/dev/null`,
       { encoding: "utf8", timeout: 5e3 }
     ).trim();
@@ -5062,7 +5190,7 @@ function checkLayerBoundaries(taskCreatedAt) {
     const libFiles = changedFiles.filter((f) => f.startsWith("src/lib/"));
     for (const file of libFiles) {
       try {
-        const grepResult = execSync5(
+        const grepResult = execSync6(
           `grep -nE "from ['"]\\.\\./(adapters|tui|runtime)/" "${file}" 2>/dev/null`,
           { encoding: "utf8", timeout: 3e3 }
         ).trim();
@@ -5082,7 +5210,7 @@ function checkTestCoverage(taskCreatedAt) {
   const warnings = [];
   try {
     const since = new Date(taskCreatedAt).toISOString();
-    const output = execSync5(
+    const output = execSync6(
       `git log --since="${since}" --no-merges --diff-filter=A --name-only --pretty=format: 2>/dev/null`,
       { encoding: "utf8", timeout: 5e3 }
     ).trim();
@@ -5098,7 +5226,7 @@ function checkTestCoverage(taskCreatedAt) {
       const hasDirectTest = existsSync14(testPath);
       let hasRelatedTest = false;
       try {
-        const related = execSync5(
+        const related = execSync6(
           `find "${testDir}" -name "*${baseName}*" -name "*.test.ts" 2>/dev/null`,
           { encoding: "utf8", timeout: 3e3 }
         ).trim();
@@ -5150,7 +5278,7 @@ var init_review_gate = __esm({
 
 // src/adapters/claude/hooks/pre-tool-use.ts
 import { existsSync as existsSync15, writeFileSync as writeFileSync8, mkdirSync as mkdirSync7 } from "fs";
-import { execSync as execSync6 } from "child_process";
+import { execSync as execSync7 } from "child_process";
 import path16 from "path";
 
 // src/lib/active-agent.ts
@@ -5289,7 +5417,7 @@ function markDelegationFired() {
 }
 function countEngineerSessions() {
   try {
-    const output = execSync6("tmux list-sessions 2>/dev/null", {
+    const output = execSync7("tmux list-sessions 2>/dev/null", {
       encoding: "utf8",
       timeout: 2e3
     });