@askexenow/exe-os 0.9.30 → 0.9.32

package/dist/lib/hybrid-search.js

@@ -1083,8 +1083,8 @@ function findPackageRoot() {
 function getAvailableMemoryGB() {
   if (process.platform === "darwin") {
     try {
-      const { execSync: execSync4 } = __require("child_process");
-      const vmstat = execSync4("vm_stat", { encoding: "utf8" });
+      const { execSync: execSync5 } = __require("child_process");
+      const vmstat = execSync5("vm_stat", { encoding: "utf8" });
       const pageSize = 16384;
       const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
       const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
@@ -2768,6 +2768,7 @@ var init_database = __esm({
 // src/lib/keychain.ts
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync6 } from "fs";
+import { execSync as execSync2 } from "child_process";
 import path6 from "path";
 import os5 from "os";
 function getKeyDir() {
@@ -2776,6 +2777,59 @@ function getKeyDir() {
 function getKeyPath() {
   return path6.join(getKeyDir(), "master.key");
 }
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync2(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync2(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync2(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync2(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync2(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function tryKeytar() {
   try {
     return await import("keytar");
@@ -2783,13 +2837,63 @@ async function tryKeytar() {
     return null;
   }
 }
+function deriveMachineKey() {
+  try {
+    const crypto3 = __require("crypto");
+    const material = [
+      os5.hostname(),
+      os5.userInfo().username,
+      os5.arch(),
+      os5.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto3.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync6 } = __require("fs");
+    return readFileSync6("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto3 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto3.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
 async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
-      const stored = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (stored) {
-        return Buffer.from(stored, "base64");
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
@@ -2803,8 +2907,31 @@ async function getMasterKey() {
     return null;
   }
   try {
-    const content = await readFile3(keyPath, "utf-8");
-    return Buffer.from(content.trim(), "base64");
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+    }
+    return key;
   } catch (err) {
     process.stderr.write(
       `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
@@ -2813,12 +2940,13 @@ async function getMasterKey() {
     return null;
   }
 }
-var SERVICE, ACCOUNT;
+var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
 var init_keychain = __esm({
   "src/lib/keychain.ts"() {
     "use strict";
     SERVICE = "exe-mem";
     ACCOUNT = "master-key";
+    ENCRYPTED_PREFIX = "enc:";
   }
 });
 
@@ -4341,7 +4469,7 @@ __export(project_name_exports, {
   _resetCache: () => _resetCache,
   getProjectName: () => getProjectName
 });
-import { execSync as execSync2 } from "child_process";
+import { execSync as execSync3 } from "child_process";
 import path9 from "path";
 function getProjectName(cwd) {
   const dir = cwd ?? process.cwd();
@@ -4349,7 +4477,7 @@ function getProjectName(cwd) {
   try {
     let repoRoot;
     try {
-      const gitCommonDir = execSync2("git rev-parse --path-format=absolute --git-common-dir", {
+      const gitCommonDir = execSync3("git rev-parse --path-format=absolute --git-common-dir", {
         cwd: dir,
         encoding: "utf8",
         timeout: 2e3,
@@ -4357,7 +4485,7 @@ function getProjectName(cwd) {
       }).trim();
       repoRoot = path9.dirname(gitCommonDir);
     } catch {
-      repoRoot = execSync2("git rev-parse --show-toplevel", {
+      repoRoot = execSync3("git rev-parse --show-toplevel", {
         cwd: dir,
         encoding: "utf8",
         timeout: 2e3,
@@ -4391,14 +4519,14 @@ var file_grep_exports = {};
 __export(file_grep_exports, {
   grepProjectFiles: () => grepProjectFiles
 });
-import { execSync as execSync3 } from "child_process";
+import { execSync as execSync4 } from "child_process";
 import { readFileSync as readFileSync5, readdirSync as readdirSync2, statSync as statSync2, existsSync as existsSync9 } from "fs";
 import path10 from "path";
 import crypto2 from "crypto";
 function hasRipgrep() {
   if (_hasRg === null) {
     try {
-      execSync3("rg --version", { stdio: "ignore", timeout: 2e3 });
+      execSync4("rg --version", { stdio: "ignore", timeout: 2e3 });
       _hasRg = true;
     } catch {
       _hasRg = false;
@@ -4464,7 +4592,7 @@ function grepWithRipgrep(pattern, projectRoot, patterns) {
   const globs = (patterns ?? DEFAULT_PATTERNS).map((p) => `--glob '${p}'`).join(" ");
   const excludes = EXCLUDE_DIRS.map((d) => `--glob '!${d}'`).join(" ");
   const cmd = `rg -i -c --hidden --no-config --no-ignore '${pattern.replace(/'/g, "\\'")}' . ${globs} ${excludes} --max-filesize ${MAX_FILE_SIZE} 2>/dev/null || true`;
-  const output = execSync3(cmd, {
+  const output = execSync4(cmd, {
     cwd: projectRoot,
     encoding: "utf8",
     timeout: 3e3,
@@ -4479,12 +4607,12 @@ function grepWithRipgrep(pattern, projectRoot, patterns) {
     const matchCount = parseInt(line.slice(colonIdx + 1));
     if (isNaN(matchCount) || matchCount === 0) continue;
     try {
-      const firstMatch = execSync3(
+      const firstMatch = execSync4(
         `rg -i -n --hidden '${pattern.replace(/'/g, "\\'")}' '${filePath}' --max-count 1 2>/dev/null | head -1`,
         { cwd: projectRoot, encoding: "utf8", timeout: 1e3 }
       ).trim();
       const lineNum = parseInt(firstMatch.split(":")[0] ?? "1");
-      const totalLines = execSync3(`wc -l < '${filePath}'`, {
+      const totalLines = execSync4(`wc -l < '${filePath}'`, {
         cwd: projectRoot,
         encoding: "utf8",
         timeout: 1e3
@@ -5113,10 +5241,17 @@ async function applyEntityBoost(results, query, client) {
   if (ENTITY_BOOST_WEIGHT === 0 || results.length === 0) {
     return emptyResult;
   }
-  console.time("entity-boost");
+  const debugStart = process.env.EXE_DEBUG_HOOKS ? performance.now() : 0;
+  const debugEnd = () => {
+    if (!process.env.EXE_DEBUG_HOOKS) return;
+    process.stderr.write(
+      `[entity-boost] ${(performance.now() - debugStart).toFixed(3)}ms
+`
+    );
+  };
   const entities = await matchEntities(query, client);
   if (entities.length === 0) {
-    console.timeEnd("entity-boost");
+    debugEnd();
     return emptyResult;
   }
   const boostMap = /* @__PURE__ */ new Map();
@@ -5138,7 +5273,7 @@ async function applyEntityBoost(results, query, client) {
   await traverseAndScore(entities, client, boostMap, resultIds, graphContextMap);
   await applyHyperedgeBoost(entities, client, boostMap, resultIds);
   if (boostMap.size === 0) {
-    console.timeEnd("entity-boost");
+    debugEnd();
     return emptyResult;
   }
   const scored = results.map((r, i) => ({
@@ -5149,7 +5284,7 @@ async function applyEntityBoost(results, query, client) {
   scored.sort(
     (a, b) => b.baseScore + b.entityBoost - (a.baseScore + a.entityBoost)
   );
-  console.timeEnd("entity-boost");
+  debugEnd();
   return {
     results: scored.map((s) => s.record),
     graphContext: graphContextMap

package/dist/lib/keychain.js

@@ -1,6 +1,14 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
 // src/lib/keychain.ts
 import { readFile, writeFile, unlink, mkdir, chmod } from "fs/promises";
 import { existsSync } from "fs";
+import { execSync } from "child_process";
 import path from "path";
 import os from "os";
 var SERVICE = "exe-mem";
@@ -11,6 +19,83 @@ function getKeyDir() {
 function getKeyPath() {
   return path.join(getKeyDir(), "master.key");
 }
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function macKeychainDelete() {
+  if (process.platform !== "darwin") return false;
+  try {
+    execSync(
+      `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretDelete() {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync(
+      `secret-tool clear service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function tryKeytar() {
   try {
     return await import("keytar");
@@ -18,13 +103,73 @@ async function tryKeytar() {
     return null;
   }
 }
+var ENCRYPTED_PREFIX = "enc:";
+function deriveMachineKey() {
+  try {
+    const crypto = __require("crypto");
+    const material = [
+      os.hostname(),
+      os.userInfo().username,
+      os.arch(),
+      os.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync } = __require("fs");
+    return readFileSync("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto = __require("crypto");
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
 async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
-      const stored = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (stored) {
-        return Buffer.from(stored, "base64");
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
@@ -38,8 +183,31 @@ async function getMasterKey() {
     return null;
   }
   try {
-    const content = await readFile(keyPath, "utf-8");
-    return Buffer.from(content.trim(), "base64");
+    const content = (await readFile(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+    }
+    return key;
   } catch (err) {
     process.stderr.write(
       `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
@@ -50,6 +218,9 @@ async function getMasterKey() {
 }
 async function setMasterKey(key) {
   const b64 = key.toString("base64");
+  if (macKeychainSet(b64) || linuxSecretSet(b64)) {
+    return;
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
@@ -61,10 +232,23 @@ async function setMasterKey(key) {
   const dir = getKeyDir();
   await mkdir(dir, { recursive: true });
   const keyPath = getKeyPath();
-  await writeFile(keyPath, b64 + "\n", "utf-8");
-  await chmod(keyPath, 384);
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile(keyPath, encrypted + "\n", "utf-8");
+    await chmod(keyPath, 384);
+    process.stderr.write("[keychain] Key stored encrypted (machine-bound).\n");
+  } else {
+    await writeFile(keyPath, b64 + "\n", "utf-8");
+    await chmod(keyPath, 384);
+    process.stderr.write(
+      "[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
+    );
+  }
 }
 async function deleteMasterKey() {
+  macKeychainDelete();
+  linuxSecretDelete();
   const keytar = await tryKeytar();
   if (keytar) {
     try {