@askexenow/exe-os 0.9.30 → 0.9.32

package/dist/lib/cloud-sync.js

@@ -977,8 +977,8 @@ function findPackageRoot() {
 function getAvailableMemoryGB() {
   if (process.platform === "darwin") {
     try {
-      const { execSync: execSync2 } = __require("child_process");
-      const vmstat = execSync2("vm_stat", { encoding: "utf8" });
+      const { execSync: execSync3 } = __require("child_process");
+      const vmstat = execSync3("vm_stat", { encoding: "utf8" });
       const pageSize = 16384;
       const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
       const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
@@ -2747,6 +2747,7 @@ __export(keychain_exports, {
 });
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync8 } from "fs";
+import { execSync as execSync2 } from "child_process";
 import path8 from "path";
 import os6 from "os";
 function getKeyDir() {
@@ -2755,6 +2756,83 @@ function getKeyDir() {
 function getKeyPath() {
   return path8.join(getKeyDir(), "master.key");
 }
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync2(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync2(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync2(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function macKeychainDelete() {
+  if (process.platform !== "darwin") return false;
+  try {
+    execSync2(
+      `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync2(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync2(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretDelete() {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync2(
+      `secret-tool clear service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function tryKeytar() {
   try {
     return await import("keytar");
@@ -2762,13 +2840,72 @@ async function tryKeytar() {
     return null;
   }
 }
+function deriveMachineKey() {
+  try {
+    const crypto4 = __require("crypto");
+    const material = [
+      os6.hostname(),
+      os6.userInfo().username,
+      os6.arch(),
+      os6.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto4.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync8 } = __require("fs");
+    return readFileSync8("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto4 = __require("crypto");
+  const iv = crypto4.randomBytes(12);
+  const cipher = crypto4.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto4 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto4.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
 async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
-      const stored = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (stored) {
-        return Buffer.from(stored, "base64");
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
@@ -2782,8 +2919,31 @@ async function getMasterKey() {
     return null;
   }
   try {
-    const content = await readFile3(keyPath, "utf-8");
-    return Buffer.from(content.trim(), "base64");
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+    }
+    return key;
   } catch (err) {
     process.stderr.write(
       `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
@@ -2794,6 +2954,9 @@ async function getMasterKey() {
 }
 async function setMasterKey(key) {
   const b64 = key.toString("base64");
+  if (macKeychainSet(b64) || linuxSecretSet(b64)) {
+    return;
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
@@ -2805,10 +2968,23 @@ async function setMasterKey(key) {
   const dir = getKeyDir();
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    process.stderr.write("[keychain] Key stored encrypted (machine-bound).\n");
+  } else {
+    await writeFile3(keyPath, b64 + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    process.stderr.write(
+      "[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
+    );
+  }
 }
 async function deleteMasterKey() {
+  macKeychainDelete();
+  linuxSecretDelete();
   const keytar = await tryKeytar();
   if (keytar) {
     try {
@@ -2850,20 +3026,124 @@ async function importMnemonic(mnemonic) {
   const entropy = mnemonicToEntropy(trimmed);
   return Buffer.from(entropy, "hex");
 }
-var SERVICE, ACCOUNT;
+var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
 var init_keychain = __esm({
   "src/lib/keychain.ts"() {
     "use strict";
     SERVICE = "exe-mem";
     ACCOUNT = "master-key";
+    ENCRYPTED_PREFIX = "enc:";
+  }
+});
+
+// src/lib/db-backup.ts
+var db_backup_exports = {};
+__export(db_backup_exports, {
+  createBackup: () => createBackup,
+  findActiveDb: () => findActiveDb,
+  getBackupDir: () => getBackupDir,
+  getLatestBackup: () => getLatestBackup,
+  hasBackupToday: () => hasBackupToday,
+  listBackups: () => listBackups,
+  rotateBackups: () => rotateBackups
+});
+import { copyFileSync, existsSync as existsSync9, mkdirSync as mkdirSync4, readdirSync, unlinkSync as unlinkSync4, statSync as statSync2 } from "fs";
+import path9 from "path";
+function findActiveDb() {
+  for (const name of DB_NAMES) {
+    const p = path9.join(EXE_AI_DIR, name);
+    if (existsSync9(p)) return p;
+  }
+  return null;
+}
+function createBackup(reason = "manual") {
+  const dbPath = findActiveDb();
+  if (!dbPath) return null;
+  mkdirSync4(BACKUP_DIR, { recursive: true });
+  const dbName = path9.basename(dbPath, ".db");
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
+  const backupName = `${dbName}-${reason}-${timestamp}.db`;
+  const backupPath = path9.join(BACKUP_DIR, backupName);
+  copyFileSync(dbPath, backupPath);
+  const walPath = dbPath + "-wal";
+  if (existsSync9(walPath)) {
+    try {
+      copyFileSync(walPath, backupPath + "-wal");
+    } catch {
+    }
+  }
+  const shmPath = dbPath + "-shm";
+  if (existsSync9(shmPath)) {
+    try {
+      copyFileSync(shmPath, backupPath + "-shm");
+    } catch {
+    }
+  }
+  return backupPath;
+}
+function rotateBackups(keepDays = DEFAULT_KEEP_DAYS) {
+  if (!existsSync9(BACKUP_DIR)) return 0;
+  const cutoff = Date.now() - keepDays * 24 * 60 * 60 * 1e3;
+  let deleted = 0;
+  try {
+    const files = readdirSync(BACKUP_DIR);
+    for (const file of files) {
+      if (!file.endsWith(".db") && !file.endsWith(".db-wal") && !file.endsWith(".db-shm")) continue;
+      const filePath = path9.join(BACKUP_DIR, file);
+      try {
+        const stat = statSync2(filePath);
+        if (stat.mtimeMs < cutoff) {
+          unlinkSync4(filePath);
+          deleted++;
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return deleted;
+}
+function listBackups() {
+  if (!existsSync9(BACKUP_DIR)) return [];
+  try {
+    const files = readdirSync(BACKUP_DIR).filter((f) => f.endsWith(".db") && !f.endsWith("-wal") && !f.endsWith("-shm"));
+    return files.map((name) => {
+      const p = path9.join(BACKUP_DIR, name);
+      const stat = statSync2(p);
+      return { path: p, name, size: stat.size, date: stat.mtime };
+    }).sort((a, b) => b.date.getTime() - a.date.getTime());
+  } catch {
+    return [];
+  }
+}
+function hasBackupToday(reason) {
+  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  const backups = listBackups();
+  return backups.some((b) => b.name.includes(reason) && b.name.includes(today.replace(/-/g, "-")));
+}
+function getLatestBackup() {
+  const backups = listBackups();
+  return backups.length > 0 ? backups[0].path : null;
+}
+function getBackupDir() {
+  return BACKUP_DIR;
+}
+var BACKUP_DIR, DEFAULT_KEEP_DAYS, DB_NAMES;
+var init_db_backup = __esm({
+  "src/lib/db-backup.ts"() {
+    "use strict";
+    init_config();
+    BACKUP_DIR = path9.join(EXE_AI_DIR, "backups");
+    DEFAULT_KEEP_DAYS = 3;
+    DB_NAMES = ["memories.db", "exe-mem.db", "exe-os.db", "exe.db"];
   }
 });
 
 // src/lib/cloud-sync.ts
 init_database();
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, existsSync as existsSync9, readdirSync, mkdirSync as mkdirSync4, appendFileSync, unlinkSync as unlinkSync4, openSync as openSync2, closeSync as closeSync2 } from "fs";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, existsSync as existsSync10, readdirSync as readdirSync2, mkdirSync as mkdirSync5, appendFileSync, unlinkSync as unlinkSync5, openSync as openSync2, closeSync as closeSync2 } from "fs";
 import crypto3 from "crypto";
-import path9 from "path";
+import path10 from "path";
 import { homedir as homedir2 } from "os";
 
 // src/lib/crypto.ts
@@ -2971,7 +3251,7 @@ function sqlSafe(v) {
 }
 function logError(msg) {
   try {
-    const logPath = path9.join(homedir2(), ".exe-os", "workers.log");
+    const logPath = path10.join(homedir2(), ".exe-os", "workers.log");
     appendFileSync(logPath, `${(/* @__PURE__ */ new Date()).toISOString()} ${msg}
 `);
   } catch {
@@ -2980,17 +3260,17 @@ function logError(msg) {
 var LOCALHOST_PATTERNS = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
 var FETCH_TIMEOUT_MS = 3e4;
 var PUSH_BATCH_SIZE = 5e3;
-var ROSTER_LOCK_PATH = path9.join(EXE_AI_DIR, "roster-merge.lock");
+var ROSTER_LOCK_PATH = path10.join(EXE_AI_DIR, "roster-merge.lock");
 var LOCK_STALE_MS = 3e4;
 var _pgPromise = null;
 var _pgFailed = false;
 function loadPgClient() {
   if (_pgFailed) return null;
   const postgresUrl = process.env.DATABASE_URL;
-  const configPath = path9.join(EXE_AI_DIR, "config.json");
+  const configPath = path10.join(EXE_AI_DIR, "config.json");
   let cloudPostgresUrl;
   try {
-    if (existsSync9(configPath)) {
+    if (existsSync10(configPath)) {
       const cfg = JSON.parse(readFileSync7(configPath, "utf8"));
       cloudPostgresUrl = cfg.cloud?.postgresUrl;
       if (cfg.cloud?.syncToPostgres === false) {
@@ -3009,8 +3289,8 @@ function loadPgClient() {
     _pgPromise = (async () => {
       const { createRequire: createRequire3 } = await import("module");
       const { pathToFileURL: pathToFileURL3 } = await import("url");
-      const exeDbRoot = process.env.EXE_DB_ROOT ?? path9.join(homedir2(), "exe-db");
-      const req = createRequire3(path9.join(exeDbRoot, "package.json"));
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path10.join(homedir2(), "exe-db");
+      const req = createRequire3(path10.join(exeDbRoot, "package.json"));
       const entry = req.resolve("@prisma/client");
       const mod = await import(pathToFileURL3(entry).href);
       const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
@@ -3063,7 +3343,7 @@ async function withRosterLock(fn) {
         if (Date.now() - ts < LOCK_STALE_MS) {
           throw new Error("Roster merge already in progress \u2014 another sync is running");
         }
-        unlinkSync4(ROSTER_LOCK_PATH);
+        unlinkSync5(ROSTER_LOCK_PATH);
         const fd = openSync2(ROSTER_LOCK_PATH, "wx");
         closeSync2(fd);
         writeFileSync5(ROSTER_LOCK_PATH, String(Date.now()));
@@ -3079,7 +3359,7 @@ async function withRosterLock(fn) {
     return await fn();
   } finally {
     try {
-      unlinkSync4(ROSTER_LOCK_PATH);
+      unlinkSync5(ROSTER_LOCK_PATH);
     } catch {
     }
   }
@@ -3450,13 +3730,42 @@ async function cloudSync(config) {
   try {
     const employees = await loadEmployees();
     rosterResult.employees = employees.length;
-    const idDir = path9.join(EXE_AI_DIR, "identity");
-    if (existsSync9(idDir)) {
-      rosterResult.identities = readdirSync(idDir).filter((f) => f.endsWith(".md")).length;
+    const idDir = path10.join(EXE_AI_DIR, "identity");
+    if (existsSync10(idDir)) {
+      rosterResult.identities = readdirSync2(idDir).filter((f) => f.endsWith(".md")).length;
     }
   } catch {
   }
   const totalMemories = await countRows("SELECT COUNT(*) as cnt FROM memories WHERE status = 'active' OR status IS NULL");
+  try {
+    const { getLatestBackup: getLatestBackup2 } = await Promise.resolve().then(() => (init_db_backup(), db_backup_exports));
+    const { statSync: statFile } = await import("fs");
+    const latestBackup = getLatestBackup2();
+    if (latestBackup) {
+      const backupSize = statFile(latestBackup).size;
+      const MAX_CLOUD_BACKUP_BYTES = 50 * 1024 * 1024;
+      if (backupSize <= MAX_CLOUD_BACKUP_BYTES) {
+        const backupData = readFileSync7(latestBackup);
+        const deviceId = loadDeviceId() ?? "unknown";
+        const encrypted = encryptSyncBlob(backupData);
+        const backupRes = await fetchWithRetry(`${config.endpoint}/sync/push-db-backup`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json", Authorization: `Bearer ${config.apiKey}` },
+          body: JSON.stringify({
+            device_id: deviceId,
+            filename: path10.basename(latestBackup),
+            blob: encrypted,
+            size: backupData.length
+          })
+        });
+        if (backupRes && !backupRes.ok) {
+          logError(`[cloud-sync] DB backup upload failed: ${backupRes.status}`);
+        }
+      }
+    }
+  } catch (err) {
+    logError(`[cloud-sync] DB backup upload error: ${err instanceof Error ? err.message : String(err)}`);
+  }
   return {
     pushed,
     pulled,
@@ -3469,11 +3778,11 @@ async function cloudSync(config) {
     roster: rosterResult
   };
 }
-var ROSTER_DELETIONS_PATH = path9.join(EXE_AI_DIR, "roster-deletions.json");
+var ROSTER_DELETIONS_PATH = path10.join(EXE_AI_DIR, "roster-deletions.json");
 function recordRosterDeletion(name) {
   let deletions = [];
   try {
-    if (existsSync9(ROSTER_DELETIONS_PATH)) {
+    if (existsSync10(ROSTER_DELETIONS_PATH)) {
       deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
     }
   } catch {
@@ -3483,7 +3792,7 @@ function recordRosterDeletion(name) {
 }
 function consumeRosterDeletions() {
   try {
-    if (!existsSync9(ROSTER_DELETIONS_PATH)) return [];
+    if (!existsSync10(ROSTER_DELETIONS_PATH)) return [];
     const deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
     writeFileSync5(ROSTER_DELETIONS_PATH, "[]");
     return deletions;
@@ -3492,35 +3801,35 @@ function consumeRosterDeletions() {
   }
 }
 function buildRosterBlob(paths) {
-  const rosterPath = paths?.rosterPath ?? path9.join(EXE_AI_DIR, "exe-employees.json");
-  const identityDir = paths?.identityDir ?? path9.join(EXE_AI_DIR, "identity");
-  const configPath = paths?.configPath ?? path9.join(EXE_AI_DIR, "config.json");
+  const rosterPath = paths?.rosterPath ?? path10.join(EXE_AI_DIR, "exe-employees.json");
+  const identityDir = paths?.identityDir ?? path10.join(EXE_AI_DIR, "identity");
+  const configPath = paths?.configPath ?? path10.join(EXE_AI_DIR, "config.json");
   let roster = [];
-  if (existsSync9(rosterPath)) {
+  if (existsSync10(rosterPath)) {
     try {
       roster = JSON.parse(readFileSync7(rosterPath, "utf-8"));
     } catch {
     }
   }
   const identities = {};
-  if (existsSync9(identityDir)) {
-    for (const file of readdirSync(identityDir).filter((f) => f.endsWith(".md"))) {
+  if (existsSync10(identityDir)) {
+    for (const file of readdirSync2(identityDir).filter((f) => f.endsWith(".md"))) {
       try {
-        identities[file] = readFileSync7(path9.join(identityDir, file), "utf-8");
+        identities[file] = readFileSync7(path10.join(identityDir, file), "utf-8");
       } catch {
       }
     }
   }
   let config;
-  if (existsSync9(configPath)) {
+  if (existsSync10(configPath)) {
     try {
       config = JSON.parse(readFileSync7(configPath, "utf-8"));
     } catch {
     }
   }
   let agentConfig;
-  const agentConfigPath = path9.join(EXE_AI_DIR, "agent-config.json");
-  if (existsSync9(agentConfigPath)) {
+  const agentConfigPath = path10.join(EXE_AI_DIR, "agent-config.json");
+  if (existsSync10(agentConfigPath)) {
     try {
       agentConfig = JSON.parse(readFileSync7(agentConfigPath, "utf-8"));
     } catch {
@@ -3598,16 +3907,16 @@ async function cloudPullRoster(config) {
   }
 }
 function mergeConfig(remoteConfig, configPath) {
-  const cfgPath = configPath ?? path9.join(EXE_AI_DIR, "config.json");
+  const cfgPath = configPath ?? path10.join(EXE_AI_DIR, "config.json");
   let local = {};
-  if (existsSync9(cfgPath)) {
+  if (existsSync10(cfgPath)) {
     try {
       local = JSON.parse(readFileSync7(cfgPath, "utf-8"));
     } catch {
     }
   }
   const merged = { ...remoteConfig, ...local };
-  const dir = path9.dirname(cfgPath);
+  const dir = path10.dirname(cfgPath);
   ensurePrivateDirSync(dir);
   writeFileSync5(cfgPath, JSON.stringify(merged, null, 2), "utf-8");
   enforcePrivateFileSync(cfgPath);
@@ -3615,7 +3924,7 @@ function mergeConfig(remoteConfig, configPath) {
 async function mergeRosterFromRemote(remote, paths) {
   return withRosterLock(async () => {
     const rosterPath = paths?.rosterPath ?? void 0;
-    const identityDir = paths?.identityDir ?? path9.join(EXE_AI_DIR, "identity");
+    const identityDir = paths?.identityDir ?? path10.join(EXE_AI_DIR, "identity");
     const localEmployees = await loadEmployees(rosterPath);
     const localNames = new Set(localEmployees.map((e) => e.name));
     let added = 0;
@@ -3636,11 +3945,11 @@ async function mergeRosterFromRemote(remote, paths) {
       ) ?? lookupKey;
       const remoteIdentity = remote.identities[matchedKey];
       if (remoteIdentity) {
-        if (!existsSync9(identityDir)) mkdirSync4(identityDir, { recursive: true });
-        const idPath = path9.join(identityDir, `${remoteEmp.name}.md`);
+        if (!existsSync10(identityDir)) mkdirSync5(identityDir, { recursive: true });
+        const idPath = path10.join(identityDir, `${remoteEmp.name}.md`);
         let localIdentity = null;
         try {
-          localIdentity = existsSync9(idPath) ? readFileSync7(idPath, "utf-8") : null;
+          localIdentity = existsSync10(idPath) ? readFileSync7(idPath, "utf-8") : null;
         } catch {
         }
         if (localIdentity !== remoteIdentity) {
@@ -3670,16 +3979,16 @@ async function mergeRosterFromRemote(remote, paths) {
     }
     if (remote.agentConfig && Object.keys(remote.agentConfig).length > 0) {
       try {
-        const agentConfigPath = path9.join(EXE_AI_DIR, "agent-config.json");
+        const agentConfigPath = path10.join(EXE_AI_DIR, "agent-config.json");
         let local = {};
-        if (existsSync9(agentConfigPath)) {
+        if (existsSync10(agentConfigPath)) {
           try {
             local = JSON.parse(readFileSync7(agentConfigPath, "utf-8"));
           } catch {
           }
         }
         const merged = { ...remote.agentConfig, ...local };
-        ensurePrivateDirSync(path9.dirname(agentConfigPath));
+        ensurePrivateDirSync(path10.dirname(agentConfigPath));
         writeFileSync5(agentConfigPath, JSON.stringify(merged, null, 2) + "\n", "utf-8");
         enforcePrivateFileSync(agentConfigPath);
       } catch {

package/dist/lib/consolidation.js

@@ -555,6 +555,7 @@ import { createHash } from "crypto";
 // src/lib/keychain.ts
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync5 } from "fs";
+import { execSync as execSync2 } from "child_process";
 import path5 from "path";
 import os4 from "os";