@askexenow/exe-os 0.9.30 → 0.9.32

package/dist/runtime/index.js

@@ -1654,8 +1654,8 @@ function findPackageRoot() {
 function getAvailableMemoryGB() {
   if (process.platform === "darwin") {
     try {
-      const { execSync: execSync8 } = __require("child_process");
-      const vmstat = execSync8("vm_stat", { encoding: "utf8" });
+      const { execSync: execSync9 } = __require("child_process");
+      const vmstat = execSync9("vm_stat", { encoding: "utf8" });
       const pageSize = 16384;
       const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
       const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
@@ -6564,6 +6564,7 @@ var init_tmux_routing = __esm({
 // src/lib/keychain.ts
 import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync15 } from "fs";
+import { execSync as execSync8 } from "child_process";
 import path19 from "path";
 import os12 from "os";
 function getKeyDir() {
@@ -6572,6 +6573,59 @@ function getKeyDir() {
 function getKeyPath() {
   return path19.join(getKeyDir(), "master.key");
 }
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync8(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync8(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync8(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync8(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync8(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function tryKeytar() {
   try {
     return await import("keytar");
@@ -6579,13 +6633,63 @@ async function tryKeytar() {
     return null;
   }
 }
+function deriveMachineKey() {
+  try {
+    const crypto8 = __require("crypto");
+    const material = [
+      os12.hostname(),
+      os12.userInfo().username,
+      os12.arch(),
+      os12.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto8.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync13 } = __require("fs");
+    return readFileSync13("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto8 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto8.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
 async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
-      const stored = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (stored) {
-        return Buffer.from(stored, "base64");
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
@@ -6599,8 +6703,31 @@ async function getMasterKey() {
     return null;
   }
   try {
-    const content = await readFile4(keyPath, "utf-8");
-    return Buffer.from(content.trim(), "base64");
+    const content = (await readFile4(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+    }
+    return key;
   } catch (err) {
     process.stderr.write(
       `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
@@ -6609,12 +6736,13 @@ async function getMasterKey() {
     return null;
   }
 }
-var SERVICE, ACCOUNT;
+var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
 var init_keychain = __esm({
   "src/lib/keychain.ts"() {
     "use strict";
     SERVICE = "exe-mem";
     ACCOUNT = "master-key";
+    ENCRYPTED_PREFIX = "enc:";
   }
 });
 

package/dist/tui/App.js

@@ -1905,8 +1905,8 @@ function findPackageRoot() {
 function getAvailableMemoryGB() {
   if (process.platform === "darwin") {
     try {
-      const { execSync: execSync10 } = __require("child_process");
-      const vmstat = execSync10("vm_stat", { encoding: "utf8" });
+      const { execSync: execSync11 } = __require("child_process");
+      const vmstat = execSync11("vm_stat", { encoding: "utf8" });
       const pageSize = 16384;
       const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
       const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
@@ -10375,6 +10375,7 @@ __export(keychain_exports, {
 });
 import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync16 } from "fs";
+import { execSync as execSync9 } from "child_process";
 import path26 from "path";
 import os12 from "os";
 function getKeyDir() {
@@ -10383,6 +10384,83 @@ function getKeyDir() {
 function getKeyPath() {
   return path26.join(getKeyDir(), "master.key");
 }
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync9(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync9(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync9(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function macKeychainDelete() {
+  if (process.platform !== "darwin") return false;
+  try {
+    execSync9(
+      `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync9(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync9(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretDelete() {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync9(
+      `secret-tool clear service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function tryKeytar() {
   try {
     return await import("keytar");
@@ -10390,13 +10468,72 @@ async function tryKeytar() {
     return null;
   }
 }
+function deriveMachineKey() {
+  try {
+    const crypto8 = __require("crypto");
+    const material = [
+      os12.hostname(),
+      os12.userInfo().username,
+      os12.arch(),
+      os12.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto8.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync14 } = __require("fs");
+    return readFileSync14("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto8 = __require("crypto");
+  const iv = crypto8.randomBytes(12);
+  const cipher = crypto8.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto8 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto8.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
 async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
-      const stored = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (stored) {
-        return Buffer.from(stored, "base64");
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
@@ -10410,8 +10547,31 @@ async function getMasterKey() {
     return null;
   }
   try {
-    const content = await readFile4(keyPath, "utf-8");
-    return Buffer.from(content.trim(), "base64");
+    const content = (await readFile4(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+    }
+    return key;
   } catch (err) {
     process.stderr.write(
       `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
@@ -10422,6 +10582,9 @@ async function getMasterKey() {
 }
 async function setMasterKey(key) {
   const b64 = key.toString("base64");
+  if (macKeychainSet(b64) || linuxSecretSet(b64)) {
+    return;
+  }
   const keytar = await tryKeytar();
   if (keytar) {
     try {
@@ -10433,10 +10596,23 @@ async function setMasterKey(key) {
   const dir = getKeyDir();
   await mkdir4(dir, { recursive: true });
   const keyPath = getKeyPath();
-  await writeFile5(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile5(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    process.stderr.write("[keychain] Key stored encrypted (machine-bound).\n");
+  } else {
+    await writeFile5(keyPath, b64 + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    process.stderr.write(
+      "[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
+    );
+  }
 }
 async function deleteMasterKey() {
+  macKeychainDelete();
+  linuxSecretDelete();
   const keytar = await tryKeytar();
   if (keytar) {
     try {
@@ -10478,12 +10654,13 @@ async function importMnemonic(mnemonic) {
   const entropy = mnemonicToEntropy(trimmed);
   return Buffer.from(entropy, "hex");
 }
-var SERVICE, ACCOUNT;
+var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
 var init_keychain = __esm({
   "src/lib/keychain.ts"() {
     "use strict";
     SERVICE = "exe-mem";
     ACCOUNT = "master-key";
+    ENCRYPTED_PREFIX = "enc:";
   }
 });
 
@@ -17751,8 +17928,8 @@ function Footer() {
           setSessions(allSessions.length);
           if (!currentSession) {
             try {
-              const { execSync: execSync10 } = await import("child_process");
-              const name = execSync10("tmux display-message -p '#{session_name}' 2>/dev/null", {
+              const { execSync: execSync11 } = await import("child_process");
+              const name = execSync11("tmux display-message -p '#{session_name}' 2>/dev/null", {
                 encoding: "utf8",
                 timeout: 2e3
               }).trim();
@@ -19186,8 +19363,8 @@ function TmuxPane({ sessionName, employeeName, employeeRole, projectName, onDeta
     }
     const capture = () => {
       try {
-        const { execSync: execSync10 } = __require("child_process");
-        const output = execSync10(
+        const { execSync: execSync11 } = __require("child_process");
+        const output = execSync11(
           `tmux capture-pane -t ${JSON.stringify(sessionName)} -p -e 2>/dev/null | tail -${CAPTURE_LINES}`,
           { encoding: "utf8", timeout: 3e3 }
         );
@@ -19211,8 +19388,8 @@ function TmuxPane({ sessionName, employeeName, employeeRole, projectName, onDeta
     if (key.return) {
       if (!demo && inputBuffer.trim()) {
         try {
-          const { execSync: execSync10 } = __require("child_process");
-          execSync10(
+          const { execSync: execSync11 } = __require("child_process");
+          execSync11(
             `tmux send-keys -t ${JSON.stringify(sessionName)} ${JSON.stringify(inputBuffer)} Enter`,
             { timeout: 2e3 }
           );
@@ -19220,8 +19397,8 @@ function TmuxPane({ sessionName, employeeName, employeeRole, projectName, onDeta
         }
       } else if (!demo) {
         try {
-          const { execSync: execSync10 } = __require("child_process");
-          execSync10(`tmux send-keys -t ${JSON.stringify(sessionName)} Enter`, { timeout: 2e3 });
+          const { execSync: execSync11 } = __require("child_process");
+          execSync11(`tmux send-keys -t ${JSON.stringify(sessionName)} Enter`, { timeout: 2e3 });
         } catch {
         }
       }
@@ -19524,12 +19701,12 @@ function SessionsView({
           return;
         }
       } else {
-        const { execSync: execSync10 } = await import("child_process");
+        const { execSync: execSync11 } = await import("child_process");
         const dir = projectDir || process.cwd();
-        execSync10(`tmux new-session -d -s ${JSON.stringify(entry.sessionName)} -c ${JSON.stringify(dir)}`, { timeout: 5e3 });
-        execSync10(`tmux send-keys -t ${JSON.stringify(entry.sessionName)} "claude --dangerously-skip-permissions" Enter`, { timeout: 3e3 });
+        execSync11(`tmux new-session -d -s ${JSON.stringify(entry.sessionName)} -c ${JSON.stringify(dir)}`, { timeout: 5e3 });
+        execSync11(`tmux send-keys -t ${JSON.stringify(entry.sessionName)} "claude --dangerously-skip-permissions" Enter`, { timeout: 3e3 });
         await new Promise((r) => setTimeout(r, 3e3));
-        execSync10(`tmux send-keys -t ${JSON.stringify(entry.sessionName)} "/exe" Enter`, { timeout: 3e3 });
+        execSync11(`tmux send-keys -t ${JSON.stringify(entry.sessionName)} "/exe" Enter`, { timeout: 3e3 });
       }
       const updated = { ...entry, status: "active", activity: "Starting...", attached: false };
       setViewingEmployee(updated);
@@ -19632,7 +19809,7 @@ function SessionsView({
         const { listTmuxSessions: listTmuxSessions2, inTmux: inTmux2, capturePaneLines: capturePaneLines2, parseActivity: parseActivity2 } = await Promise.resolve().then(() => (init_tmux_status(), tmux_status_exports));
         const { getCoordinatorName: getCoordinatorName2, isCoordinatorRole: isCoordinatorRole2, loadEmployees: loadEmployees2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
         const { isExeSession: isExeSession2 } = await Promise.resolve().then(() => (init_tmux_routing(), tmux_routing_exports));
-        const { execSync: execSync10 } = await import("child_process");
+        const { execSync: execSync11 } = await import("child_process");
         if (!inTmux2()) {
           setTmuxAvailable(false);
           setProjects([]);
@@ -19641,7 +19818,7 @@ function SessionsView({
         setTmuxAvailable(true);
         const attachedMap = /* @__PURE__ */ new Map();
         try {
-          const out = execSync10("tmux list-sessions -F '#{session_name}:#{session_attached}' 2>/dev/null", {
+          const out = execSync11("tmux list-sessions -F '#{session_name}:#{session_attached}' 2>/dev/null", {
             encoding: "utf8",
             timeout: 3e3
           });
@@ -20343,8 +20520,8 @@ function upsertConversation(conversations, platform, senderId, message) {
 async function loadGatewayConfig() {
   const state = { running: false, port: 3100, adapters: [], agents: [], gatewayUrl: "" };
   try {
-    const { execSync: execSync10 } = await import("child_process");
-    const ps = execSync10("pgrep -f exe-gateway 2>/dev/null", { encoding: "utf8", timeout: 3e3 });
+    const { execSync: execSync11 } = await import("child_process");
+    const ps = execSync11("pgrep -f exe-gateway 2>/dev/null", { encoding: "utf8", timeout: 3e3 });
     state.running = ps.trim().length > 0;
   } catch {
     state.running = false;
@@ -20728,10 +20905,10 @@ function GatewayView({ onBack }) {
 import React22, { useState as useState12, useEffect as useEffect14 } from "react";
 
 // src/tui/utils/agent-status.ts
-import { execSync as execSync9 } from "child_process";
+import { execSync as execSync10 } from "child_process";
 function getAgentStatus(agentId) {
   try {
-    const sessions = execSync9("tmux list-sessions -F '#{session_name}' 2>/dev/null", {
+    const sessions = execSync10("tmux list-sessions -F '#{session_name}' 2>/dev/null", {
       encoding: "utf8",
       timeout: 2e3
     }).trim().split("\n");
@@ -20742,7 +20919,7 @@ function getAgentStatus(agentId) {
       return /^\d?-/.test(suffix) || /^\d+$/.test(suffix);
     });
     if (!agentSession) return { label: "offline", color: "gray" };
-    const pane = execSync9(`tmux capture-pane -t "${agentSession}" -p 2>/dev/null | tail -3`, {
+    const pane = execSync10(`tmux capture-pane -t "${agentSession}" -p 2>/dev/null | tail -3`, {
       encoding: "utf8",
       timeout: 2e3
     });
@@ -21500,8 +21677,8 @@ function SettingsView({ onBack }) {
       };
     });
     try {
-      const { execSync: execSync10 } = await import("child_process");
-      execSync10("curl -s --max-time 1 http://localhost:11434/api/tags", { timeout: 2e3 });
+      const { execSync: execSync11 } = await import("child_process");
+      execSync11("curl -s --max-time 1 http://localhost:11434/api/tags", { timeout: 2e3 });
       providerList.push({ name: "Ollama", configured: true, detail: "localhost:11434" });
     } catch {
       providerList.push({ name: "Ollama", configured: false, detail: "not running" });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askexenow/exe-os",
-  "version": "0.9.30",
+  "version": "0.9.32",
   "description": "AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",