@askexenow/exe-os 0.9.311 → 0.9.313

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (344) hide show
  1. package/deploy/compose/.env.askexe-control-plane.example +1 -1
  2. package/deploy/compose/.env.customer.example +11 -7
  3. package/deploy/compose/.env.default +4 -4
  4. package/deploy/compose/.env.example +7 -7
  5. package/deploy/compose/docker-compose.yml +43 -19
  6. package/deploy/compose/gateway.json +2 -2
  7. package/deploy/compose/init-db.sql +6 -20
  8. package/deploy/compose/setup.sh +74 -132
  9. package/deploy/compose/status.sh +5 -0
  10. package/deploy/stack-manifests/v0.9.json +25 -4
  11. package/dist/{active-agent-ORX47ZKW.js → active-agent-EWF2HJ3W.js} +6 -6
  12. package/dist/{active-agent-S5T2YMOR.js → active-agent-FFN5ARMC.js} +6 -6
  13. package/dist/{agentic-ontology-6KBAXLSJ.js → agentic-ontology-AAUATKUS.js} +1 -1
  14. package/dist/{backfill-metadata-FV7GX6AS.js → backfill-metadata-FBYFDOTH.js} +7 -7
  15. package/dist/{background-jobs-A2LV36UX.js → background-jobs-2QZ5IQKE.js} +5 -3
  16. package/dist/{behaviors-47CPEKJ7.js → behaviors-PQ77IPJR.js} +8 -8
  17. package/dist/bin/age-ontology-load.js +3 -3
  18. package/dist/bin/agentic-ontology-backfill.js +9 -9
  19. package/dist/bin/agentic-reflection-backfill.js +10 -10
  20. package/dist/bin/agentic-semantic-label.js +9 -9
  21. package/dist/bin/backfill-conversations.js +10 -10
  22. package/dist/bin/backfill-responses.js +10 -10
  23. package/dist/bin/backfill-vectors.js +13 -13
  24. package/dist/bin/bulk-sync-postgres.js +16 -16
  25. package/dist/bin/cc-doctor.js +9 -9
  26. package/dist/bin/cleanup-stale-review-tasks.js +15 -15
  27. package/dist/bin/cli.js +21 -21
  28. package/dist/bin/deferred-daemon-restart.js +1 -1
  29. package/dist/bin/exe-agent-config.js +6 -6
  30. package/dist/bin/exe-agent.js +14 -14
  31. package/dist/bin/exe-assign.js +12 -12
  32. package/dist/bin/exe-boot.js +78 -57
  33. package/dist/bin/exe-call.js +7 -7
  34. package/dist/bin/exe-cloud.js +17 -17
  35. package/dist/bin/exe-config-dump.js +7 -7
  36. package/dist/bin/exe-dispatch.js +15 -15
  37. package/dist/bin/exe-doctor.js +11 -2
  38. package/dist/bin/exe-export-behaviors.js +10 -10
  39. package/dist/bin/exe-forget.js +9 -9
  40. package/dist/bin/exe-gateway.js +10 -10
  41. package/dist/bin/exe-healthcheck.js +9 -9
  42. package/dist/bin/exe-heartbeat.js +15 -15
  43. package/dist/bin/exe-kill.js +18 -18
  44. package/dist/bin/exe-launch-agent.js +30 -28
  45. package/dist/bin/exe-new-employee.js +36 -15
  46. package/dist/bin/exe-pending-messages.js +16 -16
  47. package/dist/bin/exe-pending-notifications.js +15 -15
  48. package/dist/bin/exe-pending-reviews.js +15 -15
  49. package/dist/bin/exe-preflight.js +1 -1
  50. package/dist/bin/exe-rename.js +19 -29
  51. package/dist/bin/exe-review.js +17 -17
  52. package/dist/bin/exe-search.js +8 -8
  53. package/dist/bin/exe-session-cleanup.js +41 -20
  54. package/dist/bin/exe-settings.js +18 -18
  55. package/dist/bin/exe-start-codex.js +15 -15
  56. package/dist/bin/exe-start-opencode.js +11 -11
  57. package/dist/bin/exe-status.js +16 -16
  58. package/dist/bin/exe-support.js +5 -5
  59. package/dist/bin/exe-team.js +6 -6
  60. package/dist/bin/exe-watchdog.js +33 -4
  61. package/dist/bin/git-sweep.js +16 -16
  62. package/dist/bin/graph-backfill.js +8 -8
  63. package/dist/bin/graph-export.js +8 -8
  64. package/dist/bin/import-history.js +10 -10
  65. package/dist/bin/install-launchd.js +2 -2
  66. package/dist/bin/install.js +15 -15
  67. package/dist/bin/intercom-check.js +4 -4
  68. package/dist/bin/mcp-sessions.js +2 -2
  69. package/dist/bin/orchestration-metrics.js +7 -7
  70. package/dist/bin/postgres-agentic-reflection-backfill.js +5 -5
  71. package/dist/bin/postgres-agentic-semantic-backfill.js +4 -4
  72. package/dist/bin/pre-build-guard.js +12 -1
  73. package/dist/bin/scan-tasks.js +15 -15
  74. package/dist/bin/setup.js +3 -3
  75. package/dist/bin/shard-migrate.js +8 -8
  76. package/dist/bin/stack-update.js +8 -8
  77. package/dist/bin/verify-stack.js +3 -1
  78. package/dist/bin/vps-health-gate.js +1 -1
  79. package/dist/{branding-SC4BOPUY.js → branding-EDUC7TUP.js} +2 -2
  80. package/dist/{browser-session-store-DV5TDXXD.js → browser-session-store-CXQMOSEC.js} +1 -1
  81. package/dist/{capability-cards-WQVY7WSS.js → capability-cards-2U3XWCDP.js} +5 -5
  82. package/dist/{capacity-monitor-BUKYPSWR.js → capacity-monitor-ZRLW7TVL.js} +16 -16
  83. package/dist/{catchup-brief-X5IVQAOH.js → catchup-brief-FSBZVYPL.js} +18 -18
  84. package/dist/{chunk-PMEOSD6S.js → chunk-24BUDF3J.js} +9 -6
  85. package/dist/{chunk-2NVEKSSP.js → chunk-2FULKRDO.js} +56 -38
  86. package/dist/{chunk-QB5JOGPK.js → chunk-2PI6JBJL.js} +5 -4
  87. package/dist/{chunk-MTIJ2NXY.js → chunk-2PWRUIKZ.js} +1 -1
  88. package/dist/{chunk-NIZQ3CIS.js → chunk-3AMGSCRH.js} +1 -1
  89. package/dist/{chunk-7ODTYODO.js → chunk-3LGID56M.js} +10 -7
  90. package/dist/{chunk-GSY6HL3T.js → chunk-4JI54RHR.js} +5 -5
  91. package/dist/{chunk-ISILDO7P.js → chunk-4THK7IA4.js} +1 -1
  92. package/dist/{chunk-IRIPGGGL.js → chunk-4UHQYBMQ.js} +1 -1
  93. package/dist/{chunk-HQODUV3G.js → chunk-552IGUBB.js} +2 -2
  94. package/dist/{chunk-IRHNV4GY.js → chunk-5KLQCGI5.js} +72 -18
  95. package/dist/{chunk-SOT23KWW.js → chunk-63UEWYM3.js} +4 -4
  96. package/dist/{chunk-QE7UVQDP.js → chunk-6PR2RAKM.js} +1 -1
  97. package/dist/{chunk-ZZXADKAP.js → chunk-6SPUK67A.js} +2 -2
  98. package/dist/{chunk-RVXWGPD3.js → chunk-75TM3APG.js} +29 -6
  99. package/dist/{chunk-IZPO6IOZ.js → chunk-7QSXARI3.js} +1 -1
  100. package/dist/{chunk-A2YZG4AD.js → chunk-AIUXE3ZJ.js} +6 -6
  101. package/dist/{chunk-U63BZI2B.js → chunk-AJERMFD6.js} +3 -3
  102. package/dist/{chunk-BUOMSIXH.js → chunk-BMNX3YWX.js} +2 -2
  103. package/dist/{chunk-YUBTHJVV.js → chunk-BRSMAFBN.js} +1 -1
  104. package/dist/{chunk-JZW5AOWI.js → chunk-BSPALHIR.js} +2 -2
  105. package/dist/{chunk-VDYUKTNS.js → chunk-CLAYNAXC.js} +4 -5
  106. package/dist/{chunk-J3QZPDNH.js → chunk-CNQ25C4C.js} +1 -1
  107. package/dist/{chunk-GWPICNSO.js → chunk-CSTL7BMK.js} +49 -4
  108. package/dist/{chunk-5DPE7B7K.js → chunk-CTYHSVHP.js} +1 -1
  109. package/dist/{chunk-EM4EYF3P.js → chunk-CVTWQZOR.js} +13 -5
  110. package/dist/{chunk-JNARUXDC.js → chunk-CW3FPWUW.js} +2 -2
  111. package/dist/{chunk-V42BSVX6.js → chunk-CWACO2D4.js} +51 -4
  112. package/dist/{chunk-RPBTYQKJ.js → chunk-CWUCD7C7.js} +1 -1
  113. package/dist/{chunk-DFUCFLZH.js → chunk-D4EMVYI7.js} +2 -2
  114. package/dist/{chunk-W2J2RF5N.js → chunk-DIHMGQGV.js} +3 -3
  115. package/dist/{chunk-YB7U4WTY.js → chunk-DJ4RG3RK.js} +2 -2
  116. package/dist/{chunk-KSMITUGY.js → chunk-DR7QPGX4.js} +3 -3
  117. package/dist/{chunk-QNXM2HXW.js → chunk-ELFFRVNL.js} +1 -1
  118. package/dist/{chunk-QEGXNJGR.js → chunk-EV2SMRLF.js} +4 -4
  119. package/dist/{chunk-VFSYVQX4.js → chunk-F3QMXKKJ.js} +8 -2
  120. package/dist/{chunk-NCC3F6GM.js → chunk-F5XPKUPK.js} +2 -2
  121. package/dist/{chunk-43R2GILO.js → chunk-FIBL4JRZ.js} +2 -2
  122. package/dist/{chunk-B2J3BBJC.js → chunk-FQH4R6UG.js} +2 -2
  123. package/dist/{chunk-AC6DKMVS.js → chunk-FSAKWKWU.js} +1 -1
  124. package/dist/{chunk-GL5NU6IK.js → chunk-FXS5OFGH.js} +1 -1
  125. package/dist/{chunk-K7KBAJQL.js → chunk-GHJRLETI.js} +10 -10
  126. package/dist/{chunk-VQRTO7IS.js → chunk-H73TUI4Y.js} +9 -2
  127. package/dist/{chunk-IIHE3FNC.js → chunk-HSXWUZOD.js} +3 -3
  128. package/dist/{chunk-JV225JBX.js → chunk-I6RHLHVW.js} +2 -2
  129. package/dist/{chunk-S6HVQF27.js → chunk-IEDCQRGG.js} +88 -4
  130. package/dist/{chunk-4Q5VNQTV.js → chunk-IFSOVXGN.js} +3 -3
  131. package/dist/{chunk-JDYO76PI.js → chunk-ITVMRPCQ.js} +17 -9
  132. package/dist/{chunk-VT6P7FV4.js → chunk-IU44MPY3.js} +1 -1
  133. package/dist/{chunk-6OD2RVIA.js → chunk-IXTDBQYU.js} +273 -397
  134. package/dist/{chunk-2NGPZCWX.js → chunk-JB7QUK3D.js} +3 -3
  135. package/dist/{chunk-VT2B5BHM.js → chunk-JBSCL2XT.js} +2 -1
  136. package/dist/{chunk-MPX3TRMQ.js → chunk-JD5S5AAV.js} +1 -1
  137. package/dist/{chunk-XYG722JW.js → chunk-JIJKUZIO.js} +3 -3
  138. package/dist/{chunk-DKHBMIVE.js → chunk-K5C6LC2G.js} +244 -45
  139. package/dist/{chunk-DAOHCXM2.js → chunk-KH6BCYLC.js} +1 -1
  140. package/dist/{chunk-4L4R6AQJ.js → chunk-KMI4TUTW.js} +1 -1
  141. package/dist/{chunk-PHFPIUWU.js → chunk-KWOAM7TA.js} +3 -0
  142. package/dist/{chunk-RZJ6DXVE.js → chunk-L6QI2NNG.js} +1 -1
  143. package/dist/{chunk-HED6D5KR.js → chunk-MMNMQNLD.js} +43 -29
  144. package/dist/{chunk-KAVUTP5G.js → chunk-N3CRJ2VW.js} +3 -3
  145. package/dist/{chunk-OBJXZII2.js → chunk-N7LBAQGK.js} +3 -3
  146. package/dist/{chunk-LMX7UKGX.js → chunk-OUAGTQC4.js} +17 -11
  147. package/dist/{chunk-WZBUKC5N.js → chunk-OUJI2ZTY.js} +2 -2
  148. package/dist/{chunk-YUGLOZOR.js → chunk-OXTZEKVA.js} +1 -1
  149. package/dist/{chunk-OR3TAZL3.js → chunk-P4ULFI2N.js} +1 -1
  150. package/dist/{chunk-6LNSZADA.js → chunk-PVC4RNHQ.js} +50 -11
  151. package/dist/{chunk-FM7XZDZI.js → chunk-R2WP3XIN.js} +1 -1
  152. package/dist/{chunk-IBDPPBFK.js → chunk-R5IPZ5ZC.js} +1 -1
  153. package/dist/{chunk-7WDIGRSO.js → chunk-R5TZ2FC3.js} +1 -1
  154. package/dist/{chunk-2UVN2NBN.js → chunk-RICNNGYH.js} +3 -3
  155. package/dist/{chunk-WBJXJ2R4.js → chunk-RLBVY5FE.js} +17 -14
  156. package/dist/{chunk-XXJRZ75E.js → chunk-RV634O2W.js} +5 -2
  157. package/dist/{chunk-3KH6GXXX.js → chunk-RYPFOZQH.js} +2 -2
  158. package/dist/{chunk-DNFU56ZS.js → chunk-SB7W6XI4.js} +1 -1
  159. package/dist/{chunk-PPXQE7AS.js → chunk-SE6MLUOK.js} +33 -34
  160. package/dist/{chunk-65DBIEM2.js → chunk-SHIICYJW.js} +7 -1
  161. package/dist/{chunk-KPVVTHPK.js → chunk-SRMNWAHN.js} +15 -10
  162. package/dist/chunk-T2DJR7ND.js +367 -0
  163. package/dist/{chunk-Z6H6Y4BS.js → chunk-TA22MGGN.js} +1 -1
  164. package/dist/{chunk-ZOVHXTGC.js → chunk-TN7SC2ZQ.js} +1 -1
  165. package/dist/{chunk-XV5HRIXG.js → chunk-TRPGNCVB.js} +8 -8
  166. package/dist/{chunk-4BANMHJ5.js → chunk-UDZP2SHJ.js} +3 -3
  167. package/dist/{chunk-GMZMBLHT.js → chunk-UM6WUSQ7.js} +2 -2
  168. package/dist/{chunk-2EJ636HI.js → chunk-UST3MKK7.js} +1 -1
  169. package/dist/{chunk-RQ7OVXUZ.js → chunk-V2CZVZUO.js} +2 -2
  170. package/dist/{chunk-4RJJ5FJ2.js → chunk-V4UKBUUA.js} +1 -1
  171. package/dist/{chunk-EOS7VPVT.js → chunk-VA2MDALR.js} +8 -8
  172. package/dist/{chunk-SCYWCWKY.js → chunk-VG4ZH2Z3.js} +24 -10
  173. package/dist/{chunk-255DIG4B.js → chunk-VHLI6CTD.js} +1 -1
  174. package/dist/{chunk-DFIOOK5R.js → chunk-WCES22KG.js} +4 -3
  175. package/dist/{chunk-5A6KTWQL.js → chunk-WOTKNUKK.js} +126 -2
  176. package/dist/{chunk-62UZWGFX.js → chunk-WZZBGGSD.js} +63 -2
  177. package/dist/{chunk-ELXR65AN.js → chunk-X2FHTDIU.js} +6 -3
  178. package/dist/{chunk-V4BW5HFQ.js → chunk-X5I5QRC2.js} +3 -3
  179. package/dist/{chunk-X4AFBL4N.js → chunk-XCORXJ3M.js} +1 -1
  180. package/dist/{chunk-66JPZELX.js → chunk-Y5CNGG4F.js} +24 -16
  181. package/dist/{chunk-SPOXL7HF.js → chunk-YEWNIBNA.js} +9 -9
  182. package/dist/{chunk-WJ2PZGRV.js → chunk-ZAA344BL.js} +29 -2
  183. package/dist/{chunk-TN2YCFQE.js → chunk-ZGLJ2VD7.js} +5 -5
  184. package/dist/{co-activation-WN25AJOC.js → co-activation-RH46OQ3N.js} +5 -5
  185. package/dist/{co-occurrence-YP2Q3OEA.js → co-occurrence-MJWERUWY.js} +5 -5
  186. package/dist/{code-context-index-ZWONKBKX.js → code-context-index-WFUBYGQT.js} +6 -6
  187. package/dist/{content-extractor-EYRVGD6O.js → content-extractor-RHITF2KM.js} +1 -1
  188. package/dist/{conversation-wiki-populator-XFUC7S5P.js → conversation-wiki-populator-SK233TL4.js} +1 -1
  189. package/dist/{crdt-sync-ZFIFL2QM.js → crdt-sync-4R7SXTNB.js} +1 -1
  190. package/dist/{crm-webhook-DGPHULOO.js → crm-webhook-YDXX5FDK.js} +2 -2
  191. package/dist/{cto-delegation-gate-OF2A3TSS.js → cto-delegation-gate-ZJHLPK4Y.js} +14 -14
  192. package/dist/{daemon-auth-N6P2MZAV.js → daemon-auth-5FCYVQIZ.js} +3 -3
  193. package/dist/{daemon-orchestration-G4RRTPP7.js → daemon-orchestration-NBU5RZ2O.js} +18 -18
  194. package/dist/{daemon-ready-signal-3L2MJT7C.js → daemon-ready-signal-KXLL6ZFL.js} +1 -1
  195. package/dist/{db-backup-EORG4LBO.js → db-backup-BTL2FBBL.js} +9 -3
  196. package/dist/{db-restore-events-3R7G4FP4.js → db-restore-events-3A57GMLW.js} +2 -2
  197. package/dist/{doc-graph-extractor-APZS3DFD.js → doc-graph-extractor-ADYRG7DB.js} +5 -5
  198. package/dist/documents-VWPZTDFA.js +56 -0
  199. package/dist/{dreaming-Q4E3WBGY.js → dreaming-76WKGTL6.js} +15 -15
  200. package/dist/embeddings-config-FANLORDH.js +21 -0
  201. package/dist/{exe-drift-CI5R6GUT.js → exe-drift-T3IO2SPX.js} +6 -6
  202. package/dist/{exe-export-HQIQASIT.js → exe-export-6YEHSJMP.js} +9 -9
  203. package/dist/{exe-import-ULZK56WC.js → exe-import-3NERK63O.js} +9 -9
  204. package/dist/{exe-key-ILNSBGRN.js → exe-key-RCMBMLSQ.js} +8 -8
  205. package/dist/{exe-org-WQWQZRLR.js → exe-org-KCOOLUTW.js} +3 -3
  206. package/dist/{exe-snapshot-RUZTWZOF.js → exe-snapshot-JIY7MNRI.js} +18 -18
  207. package/dist/{fast-db-init-KNJRL7T3.js → fast-db-init-PVJ72264.js} +1 -1
  208. package/dist/{founder-context-QCTMEK66.js → founder-context-A4VUEKDH.js} +4 -4
  209. package/dist/gateway/index.js +17 -17
  210. package/dist/{git-staleness-KIA5YI4H.js → git-staleness-IOAHAGBI.js} +5 -5
  211. package/dist/{git-task-sweep-WH6QE7HL.js → git-task-sweep-IGM5RILF.js} +17 -15
  212. package/dist/{global-procedures-SYZZCGDS.js → global-procedures-VZL2X4RK.js} +6 -6
  213. package/dist/{graph-auto-extract-J2TIWZEE.js → graph-auto-extract-TIXRGBC5.js} +5 -5
  214. package/dist/{hook-integrity-I6PWJQER.js → hook-integrity-XNPNCMAS.js} +1 -1
  215. package/dist/hooks/bug-report-worker.js +47 -17
  216. package/dist/hooks/codex-stop-task-finalizer.js +47 -17
  217. package/dist/hooks/commit-complete.js +18 -18
  218. package/dist/hooks/error-recall.js +11 -11
  219. package/dist/hooks/exe-heartbeat-hook.js +7 -7
  220. package/dist/hooks/ingest-worker.js +39 -9
  221. package/dist/hooks/ingest.js +17 -17
  222. package/dist/hooks/instructions-loaded.js +8 -8
  223. package/dist/hooks/manifest.json +20 -20
  224. package/dist/hooks/notification.js +8 -8
  225. package/dist/hooks/post-compact.js +17 -17
  226. package/dist/hooks/post-tool-combined.js +60 -7
  227. package/dist/hooks/pre-compact.js +23 -23
  228. package/dist/hooks/pre-tool-use.js +64 -34
  229. package/dist/hooks/prompt-submit.js +40 -32
  230. package/dist/hooks/session-end.js +29 -29
  231. package/dist/hooks/session-start.js +17 -17
  232. package/dist/hooks/stop.js +24 -24
  233. package/dist/hooks/subagent-stop.js +17 -17
  234. package/dist/hooks/summary-worker.js +55 -25
  235. package/dist/index.js +27 -27
  236. package/dist/{installer-PSDYMGN7.js → installer-D7D5O4KL.js} +10 -10
  237. package/dist/{installer-3NB3IBHF.js → installer-EQP2EMNZ.js} +10 -10
  238. package/dist/{installer-IIJFCTMH.js → installer-IWRYH55Z.js} +10 -10
  239. package/dist/{key-backup-status-FNSN3NXH.js → key-backup-status-ZNGDSPLT.js} +2 -2
  240. package/dist/lib/agent-config.js +3 -3
  241. package/dist/lib/cloud-sync.js +16 -16
  242. package/dist/lib/config.js +2 -2
  243. package/dist/lib/consolidation.js +8 -8
  244. package/dist/lib/database.js +7 -5
  245. package/dist/lib/db-daemon-client.js +6 -6
  246. package/dist/lib/db.js +7 -5
  247. package/dist/lib/device-registry.js +3 -3
  248. package/dist/lib/embed-worker.js +2 -2
  249. package/dist/lib/embedder.js +6 -6
  250. package/dist/lib/employee-templates.js +7 -7
  251. package/dist/lib/employees.js +5 -5
  252. package/dist/lib/exe-daemon-client.js +5 -5
  253. package/dist/lib/exe-daemon.js +449 -89
  254. package/dist/lib/hybrid-search.js +8 -8
  255. package/dist/lib/identity.js +5 -5
  256. package/dist/lib/license.js +4 -4
  257. package/dist/lib/messaging.js +15 -15
  258. package/dist/lib/post-tool-memory.js +2 -2
  259. package/dist/lib/reminders.js +6 -6
  260. package/dist/lib/schedules.js +8 -8
  261. package/dist/lib/session-registry.js +9 -7
  262. package/dist/lib/session-wrappers.js +1 -1
  263. package/dist/lib/skill-learning.js +9 -9
  264. package/dist/lib/store.js +7 -7
  265. package/dist/lib/task-router.js +6 -6
  266. package/dist/lib/tasks.js +16 -16
  267. package/dist/lib/tmux-routing.js +14 -14
  268. package/dist/lib/token-spend.js +6 -6
  269. package/dist/{license-gate-7SDHCJUO.js → license-gate-PZOP7S2S.js} +5 -5
  270. package/dist/mcp/register-tools.js +73 -72
  271. package/dist/mcp/server.js +74 -73
  272. package/dist/mcp/tools/complete-reminder.js +7 -7
  273. package/dist/mcp/tools/create-reminder.js +7 -7
  274. package/dist/mcp/tools/create-task.js +18 -18
  275. package/dist/mcp/tools/deactivate-behavior.js +10 -10
  276. package/dist/mcp/tools/list-reminders.js +7 -7
  277. package/dist/mcp/tools/list-tasks.js +18 -18
  278. package/dist/mcp/tools/send-message.js +17 -17
  279. package/dist/mcp/tools/update-task.js +17 -17
  280. package/dist/{mcp-http-config-QSOVFXHW.js → mcp-http-config-23DHJAU4.js} +7 -7
  281. package/dist/{mcp-port-config-AWWRZA22.js → mcp-port-config-FFAMMLLE.js} +2 -1
  282. package/dist/{memory-cards-II67WFL2.js → memory-cards-CNLMHSZC.js} +5 -5
  283. package/dist/{memory-graph-extractor-PM4Q2KJG.js → memory-graph-extractor-HIXP2BQS.js} +6 -6
  284. package/dist/{memory-poisoning-defense-ECXSX7HK.js → memory-poisoning-defense-YL53IBBF.js} +5 -5
  285. package/dist/{memory-queue-VAE6WMSS.js → memory-queue-3Q5P43AM.js} +3 -3
  286. package/dist/memory-queue-client-YP2QKX6J.js +16 -0
  287. package/dist/{memory-reflection-PXF6YFDU.js → memory-reflection-VHQRUZWK.js} +5 -5
  288. package/dist/{notifications-UP7WQGG4.js → notifications-Q5NEAP6K.js} +14 -14
  289. package/dist/{orchestration-events-PZLLPCKY.js → orchestration-events-7SNWRJYE.js} +6 -6
  290. package/dist/{orchestration-phase-SJOXDB7X.js → orchestration-phase-U45T4VG3.js} +3 -3
  291. package/dist/{orchestrator-PUT45J4O.js → orchestrator-XWLKNWUG.js} +16 -16
  292. package/dist/{pipeline-router-5CRWKESM.js → pipeline-router-5IBJBH7P.js} +6 -6
  293. package/dist/{plan-limits-SH2NDFNX.js → plan-limits-PBEZVHRQ.js} +8 -8
  294. package/dist/{preferences-YWBTKW3M.js → preferences-TYTGDXQZ.js} +2 -2
  295. package/dist/{project-boot-2TCPDZ4S.js → project-boot-OHEGJD2L.js} +2 -2
  296. package/dist/{projection-worker-HWY37MNC.js → projection-worker-HELRBNDR.js} +5 -5
  297. package/dist/{prospective-memory-FQSVMCGG.js → prospective-memory-N55XRGJP.js} +5 -5
  298. package/dist/{push-notifications-DK6XA5B3.js → push-notifications-PAFNP3EC.js} +3 -3
  299. package/dist/{reranker-AALRMGMM.js → reranker-MNJSTOPR.js} +3 -3
  300. package/dist/{retrieval-health-PNWJSJNG.js → retrieval-health-W4HNR3WX.js} +1 -1
  301. package/dist/{review-polling-65JZUE3T.js → review-polling-SRYZU2PI.js} +15 -15
  302. package/dist/runtime/index.js +22 -22
  303. package/dist/{session-events-EJ3OSAA6.js → session-events-L4DK5J6J.js} +15 -15
  304. package/dist/{session-kill-telemetry-3HGM7SNQ.js → session-kill-telemetry-U2YHKHCB.js} +15 -15
  305. package/dist/{session-scope-JGDYAMJO.js → session-scope-JTPHECAU.js} +14 -14
  306. package/dist/{setup-wizard-44LMFM2C.js → setup-wizard-IP5R66LR.js} +3 -3
  307. package/dist/{shard-manager-KUCJPLC6.js → shard-manager-RASGFMGS.js} +3 -3
  308. package/dist/{skill-refinement-DUOO6B7V.js → skill-refinement-VTYL4OMJ.js} +5 -5
  309. package/dist/{stack-release-XYMKU7NT.js → stack-release-TOCCJQOF.js} +244 -45
  310. package/dist/{stack-update-XHQJRJEP.js → stack-update-MRNVHUZZ.js} +15 -5
  311. package/dist/{steward-gate-6NWRDLX2.js → steward-gate-JEVUDTBI.js} +6 -6
  312. package/dist/{task-enforcement-UOULTGFB.js → task-enforcement-VFSAAZUN.js} +14 -14
  313. package/dist/{task-scope-P5STKYAC.js → task-scope-P4VLIQNP.js} +14 -14
  314. package/dist/{tasks-crud-24HMTULR.js → tasks-crud-SC3ERIUR.js} +14 -14
  315. package/dist/{tasks-notify-LAIU7UUI.js → tasks-notify-WJYBUCIB.js} +15 -15
  316. package/dist/{tasks-review-AFJAU2DY.js → tasks-review-XPVPHCGD.js} +14 -14
  317. package/dist/{telemetry-upload-DWFGC2XJ.js → telemetry-upload-4QEYQROW.js} +10 -10
  318. package/dist/{token-budget-4RFZKWGH.js → token-budget-UBOP3HVE.js} +6 -6
  319. package/dist/{tool-capability-index-ZEXBWKUZ.js → tool-capability-index-SHYCBE2Z.js} +1 -1
  320. package/dist/{tool-telemetry-BS5JXM5M.js → tool-telemetry-CDNPES5B.js} +1 -1
  321. package/dist/tui/App.js +27 -27
  322. package/dist/{tui-data-UNO5B7PU.js → tui-data-HVYY7GRK.js} +14 -14
  323. package/dist/{worker-gate-C6CTTYMD.js → worker-gate-KQTODSUQ.js} +3 -3
  324. package/dist/{workflow-engine-4W2KYCDV.js → workflow-engine-OP2DQISD.js} +2 -2
  325. package/dist/{working-memory-FXHQCJJE.js → working-memory-PY4AG577.js} +22 -2
  326. package/dist/{worktree-2CXY6NEB.js → worktree-Z2G4CP4Z.js} +7 -7
  327. package/dist/{worktree-sweep-K3CJFSUL.js → worktree-sweep-LWSCAZW6.js} +8 -8
  328. package/package.json +2 -2
  329. package/release-notes.json +40 -88
  330. package/stack.release.json +11 -11
  331. package/dist/memory-queue-client-HLURQEV6.js +0 -16
  332. /package/dist/{chunk-J3SR5MGG.js → chunk-GIS4GBZE.js} +0 -0
  333. /package/dist/{chunk-AE74NOE6.js → chunk-NAPBIDGH.js} +0 -0
  334. /package/dist/{chunk-I3DPCSDG.js → chunk-OJS2H5HR.js} +0 -0
  335. /package/dist/{chunk-K4BKJJ4F.js → chunk-PCRRDXGL.js} +0 -0
  336. /package/dist/{chunk-MQCTK6EF.js → chunk-RRYJTPVW.js} +0 -0
  337. /package/dist/{chunk-2NS3QRMJ.js → chunk-ZIVUMDHA.js} +0 -0
  338. /package/dist/{core-memory-OC5ITKKV.js → core-memory-4JWCAGJI.js} +0 -0
  339. /package/dist/{entity-boost-NF3LE6OJ.js → entity-boost-AU342QRK.js} +0 -0
  340. /package/dist/{message-queue-client-4VDU6BZY.js → message-queue-client-IXYLJJVJ.js} +0 -0
  341. /package/dist/{oauth-server-EWUL7DMD.js → oauth-server-F4QWESK2.js} +0 -0
  342. /package/dist/{webhook-pipe-DHIGZHPW.js → webhook-pipe-S4CWK6H5.js} +0 -0
  343. /package/dist/{wiki-acl-CONNF6ES.js → wiki-acl-6GZHUA44.js} +0 -0
  344. /package/dist/{wiki-client-N6PT5P7W.js → wiki-client-CIJXRMKL.js} +0 -0
@@ -2,7 +2,7 @@
2
2
  # This file is for AskExe-owned infrastructure only. Do NOT use for Hygo/customer VPSs.
3
3
 
4
4
  # --- Central monitor hub (AskExe-owned: monitor.askexe.com) ---
5
- MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.2
5
+ MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.5
6
6
  MONITOR_HUB_PUBLIC_URL=https://monitor.askexe.com
7
7
  MONITOR_HUB_SOURCE_DIR=/opt/exe-monitor
8
8
  MONITOR_HUB_HOST_PORT=8090
@@ -7,6 +7,10 @@
7
7
  DOMAIN=CHANGEME_DOMAIN
8
8
 
9
9
  # --- Data Layer ---
10
+ # bug 8dc31733: EXE_DB_IMAGE overrides the Postgres image tag in compose.
11
+ # The manifest declares env: "EXE_DB_IMAGE" — keep this in sync with the
12
+ # stack manifest pin. Defaults to pgvector/pgvector:0.8.0-pg16 in compose.
13
+ # EXE_DB_IMAGE=pgvector/pgvector:0.8.0-pg16
10
14
  POSTGRES_USER=exe
11
15
  POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD
12
16
  POSTGRES_DB=exedb
@@ -57,13 +61,13 @@ AUTH_DEFAULT_PRODUCT=AUTH
57
61
  AUTH_DISABLE_SIGNUP=true
58
62
 
59
63
  # --- CRM ---
60
- CRM_IMAGE_TAG=update.askexe.com/askexe/exe-crm:v0.9.47
64
+ CRM_IMAGE_TAG=update.askexe.com/askexe/exe-crm:v0.9.51
61
65
  CRM_SERVER_URL=https://crm.CHANGEME_DOMAIN
62
66
  CRM_APP_SECRET=CHANGEME_CRM_APP_SECRET
63
67
  CRM_HOST_PORT=3000
64
68
 
65
69
  # --- Wiki ---
66
- WIKI_IMAGE_TAG=update.askexe.com/askexe/exe-wiki:v0.9.21
70
+ WIKI_IMAGE_TAG=update.askexe.com/askexe/exe-wiki:v0.9.26
67
71
  WIKI_DB_SCHEMA=wiki
68
72
  WIKI_VECTOR_DB=exeOsMcp
69
73
  WIKI_AUTH_TOKEN=CHANGEME_WIKI_AUTH_TOKEN
@@ -77,7 +81,7 @@ WIKI_HOST_PORT=3001
77
81
  EXE_SSO_COOKIE_NAME=exe_access_token
78
82
 
79
83
  # --- exe-os ---
80
- EXE_OS_IMAGE_TAG=update.askexe.com/askexe/exe-os:v0.9.256
84
+ EXE_OS_IMAGE_TAG=update.askexe.com/askexe/exe-os:v0.9.311
81
85
  EXED_MCP_TOKEN=CHANGEME_EXED_MCP_TOKEN
82
86
  EXED_DEVICE_ID=CHANGEME_DEVICE_ID
83
87
  EXE_MCP_HOST_BIND=127.0.0.1
@@ -87,7 +91,7 @@ EXE_MCP_HOST_PORT=48739
87
91
  EXE_CLOUD_SYNC_TO_POSTGRES=true
88
92
 
89
93
  # --- ERP (Frappe/ERPNext fork) ---
90
- ERP_IMAGE_TAG=update.askexe.com/askexe/exe-erp:v0.2.0-final8
94
+ ERP_IMAGE_TAG=update.askexe.com/askexe/exe-erp:v0.2.2
91
95
  # Administrator password for the ERPNext site (created on first boot).
92
96
  # bug 43854b31: this only applies at FIRST boot. To rotate it later you must also
93
97
  # run `bench --site $ERP_SITE_NAME set-admin-password <new>` inside exe-erp —
@@ -103,7 +107,7 @@ ERP_WS_PORT=9069
103
107
  ERP_SENTRY_DSN=
104
108
 
105
109
  # --- Gateway ---
106
- GATEWAY_IMAGE_TAG=update.askexe.com/askexe/exe-gateway:v0.9.16
110
+ GATEWAY_IMAGE_TAG=update.askexe.com/askexe/exe-gateway:v0.9.24
107
111
  EXE_GATEWAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_AUTH_TOKEN
108
112
  EXE_GATEWAY_WS_RELAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_WS_RELAY_AUTH_TOKEN
109
113
  EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN=CHANGEME_EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN
@@ -121,7 +125,7 @@ GATEWAY_WS_HOST_PORT=3101
121
125
  CRM_GRAPHQL_URL=http://exe-crm:3000/graphql
122
126
 
123
127
  # --- Monitoring hub (PocketBase — local per-customer instance) ---
124
- MONITOR_HUB_IMAGE_TAG=update.askexe.com/askexe/exe-monitor-hub:v0.9.4
128
+ MONITOR_HUB_IMAGE_TAG=update.askexe.com/askexe/exe-monitor-hub:v0.9.5
125
129
  MONITOR_HUB_PORT=8090
126
130
  # Bootstrap superuser created on first start. Use your admin email + a strong password.
127
131
  # After first boot these values are no longer used (stored in pb_data volume).
@@ -154,7 +158,7 @@ GATEWAY_ALERT_URL=http://exe-gateway:3100/api/alerts/error-spike
154
158
  # host-access prompt, or uncomment COMPOSE_PROFILES below.
155
159
  # Full scope details: deploy/monitor/HOST-ACCESS-CONSENT.md
156
160
  # COMPOSE_PROFILES=monitor-agent
157
- MONITOR_AGENT_IMAGE_TAG=update.askexe.com/askexe/exe-monitor-agent:v0.9.4
161
+ MONITOR_AGENT_IMAGE_TAG=update.askexe.com/askexe/exe-monitor-agent:v0.9.5
158
162
  # Reports to the local hub. Auto-populated by `exe-os stack-update` during bootstrap.
159
163
  MONITOR_HUB_URL=http://exe-monitor-hub:8090
160
164
  # bug dacf0042: TOKEN and KEY MUST start EMPTY (the safe "unpaired" state) — NOT a
@@ -13,10 +13,10 @@ EXE_LICENSE_KEY=CHANGEME_EXE_LICENSE_KEY
13
13
  # ------------------------------------------------------------------
14
14
  # Image tags (per-client pinning — never use :latest in production)
15
15
  # ------------------------------------------------------------------
16
- CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.1
17
- WIKI_IMAGE_TAG=ghcr.io/askexe/exe-wiki:v0.9.1
18
- EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.66
19
- GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.1
16
+ CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.51
17
+ WIKI_IMAGE_TAG=ghcr.io/askexe/exe-wiki:v0.9.26
18
+ EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.311
19
+ GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.24
20
20
 
21
21
  # ------------------------------------------------------------------
22
22
  # Postgres (shared by CRM + wiki)
@@ -84,14 +84,14 @@ AUTH_DEFAULT_PRODUCT=AUTH
84
84
  AUTH_DISABLE_SIGNUP=true
85
85
 
86
86
  # --- CRM ---
87
- CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.47
87
+ CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.51
88
88
  CRM_SERVER_URL=https://crm.CHANGEME_DOMAIN
89
89
  CRM_APP_SECRET=CHANGEME_CRM_APP_SECRET
90
90
  EXE_CRM_ADMIN_TOKEN=CHANGEME_EXE_CRM_ADMIN_TOKEN
91
91
  CRM_HOST_PORT=3000
92
92
 
93
93
  # --- Wiki ---
94
- WIKI_IMAGE_TAG=ghcr.io/askexe/exe-wiki:v0.9.21
94
+ WIKI_IMAGE_TAG=ghcr.io/askexe/exe-wiki:v0.9.26
95
95
  WIKI_DB_SCHEMA=wiki
96
96
  WIKI_VECTOR_DB=exeOsMcp
97
97
  WIKI_AUTH_TOKEN=CHANGEME_WIKI_AUTH_TOKEN
@@ -105,7 +105,7 @@ WIKI_HOST_PORT=3001
105
105
  EXE_SSO_COOKIE_NAME=exe_access_token
106
106
 
107
107
  # --- exe-os ---
108
- EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.258
108
+ EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.311
109
109
  EXED_MCP_TOKEN=CHANGEME_EXED_MCP_TOKEN
110
110
  EXED_DEVICE_ID=vps-default
111
111
  EXE_MCP_HOST_BIND=127.0.0.1
@@ -115,7 +115,7 @@ EXE_MCP_HOST_PORT=48739
115
115
  EXE_CLOUD_SYNC_TO_POSTGRES=true
116
116
 
117
117
  # --- Gateway ---
118
- GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.17
118
+ GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.24
119
119
  EXE_GATEWAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_AUTH_TOKEN
120
120
  EXE_GATEWAY_WS_RELAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_WS_RELAY_AUTH_TOKEN
121
121
  EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN=CHANGEME_EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN
@@ -144,7 +144,7 @@ ERROR_REPORTING_ENABLED=true
144
144
  MONITOR_ERROR_URL=http://exe-monitor-hub:8090/api/exe-monitor/errors
145
145
 
146
146
  # --- ERP (optional — Exe ERP, Frappe/ERPNext fork) ---
147
- ERP_IMAGE_TAG=ghcr.io/askexe/exe-erp:v0.2.0-final8
147
+ ERP_IMAGE_TAG=ghcr.io/askexe/exe-erp:v0.2.2
148
148
  ERP_ADMIN_PASSWORD=CHANGEME_ERP_ADMIN_PASSWORD
149
149
  EXE_ERP_ADMIN_TOKEN=CHANGEME_EXE_ERP_ADMIN_TOKEN
150
150
  # Frappe site name — must match the erp.<domain> the customer serves (bug e61ad373).
@@ -162,7 +162,7 @@ EXE_BUILD_WS_PORT=7643
162
162
  EXE_BUILD_HTTP_PORT=9222
163
163
 
164
164
  # --- Monitoring hub (PocketBase — local per-customer instance) ---
165
- MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.4
165
+ MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.5
166
166
  MONITOR_HUB_PORT=8090
167
167
  # Bootstrap superuser created on first start. Use your admin email + a strong password.
168
168
  # After first boot these values are no longer used (stored in pb_data volume).
@@ -180,7 +180,7 @@ MONITOR_HUB_ADMIN_PASSWORD=CHANGEME_MONITOR_HUB_ADMIN_PASSWORD
180
180
  # To enable: run setup.sh and acknowledge the host-access prompt, or add
181
181
  # "monitor-agent" to COMPOSE_PROFILES below. Scope: deploy/monitor/HOST-ACCESS-CONSENT.md.
182
182
  # COMPOSE_PROFILES=monitor-agent
183
- MONITOR_AGENT_IMAGE_TAG=ghcr.io/askexe/exe-monitor-agent:v0.9.4
183
+ MONITOR_AGENT_IMAGE_TAG=ghcr.io/askexe/exe-monitor-agent:v0.9.5
184
184
  # Reports to the local hub. Auto-populated by `exe-os stack-update` during bootstrap.
185
185
  MONITOR_HUB_URL=http://exe-monitor-hub:8090
186
186
  # bug dacf0042: TOKEN and KEY MUST start EMPTY (the safe "unpaired" state) —
@@ -236,7 +236,7 @@ services:
236
236
  options: { max-size: "10m", max-file: "3" }
237
237
 
238
238
  exe-monitor-hub:
239
- image: ${MONITOR_HUB_IMAGE_TAG:-ghcr.io/askexe/exe-monitor-hub:v0.9.4}
239
+ image: ${MONITOR_HUB_IMAGE_TAG:-ghcr.io/askexe/exe-monitor-hub:v0.9.5}
240
240
  container_name: exe-monitor-hub
241
241
  restart: unless-stopped
242
242
  # bug d3d49101 / 1fdb8be9: PocketBase's data dir for this hub is a RELATIVE
@@ -311,7 +311,7 @@ services:
311
311
  # ------------------------------------------------------------------
312
312
 
313
313
  exe-crm:
314
- image: ${CRM_IMAGE_TAG:-ghcr.io/askexe/exe-crm:v0.9.48}
314
+ image: ${CRM_IMAGE_TAG:-ghcr.io/askexe/exe-crm:v0.9.51}
315
315
  container_name: exe-crm
316
316
  restart: unless-stopped
317
317
  # bug ad4471ad: NO compose `command` override. The image entrypoint
@@ -380,7 +380,7 @@ services:
380
380
  options: { max-size: "10m", max-file: "3" }
381
381
 
382
382
  exe-crm-worker:
383
- image: ${CRM_IMAGE_TAG:-ghcr.io/askexe/exe-crm:v0.9.48}
383
+ image: ${CRM_IMAGE_TAG:-ghcr.io/askexe/exe-crm:v0.9.51}
384
384
  container_name: exe-crm-worker
385
385
  restart: unless-stopped
386
386
  command: ["yarn", "worker:prod"]
@@ -440,7 +440,7 @@ services:
440
440
  options: { max-size: "10m", max-file: "3" }
441
441
 
442
442
  exe-wiki:
443
- image: ${WIKI_IMAGE_TAG:-ghcr.io/askexe/exe-wiki:v0.9.23}
443
+ image: ${WIKI_IMAGE_TAG:-ghcr.io/askexe/exe-wiki:v0.9.26}
444
444
  container_name: exe-wiki
445
445
  restart: unless-stopped
446
446
  # Wiki uses Prisma — runs migrate on boot via built-in entrypoint.
@@ -507,7 +507,7 @@ services:
507
507
  # offline boots fail). WIKI_EXE_OS_NPM_VERSION defaults to the stack's
508
508
  # pinned exe-os npm version and is threaded into the spawn args.
509
509
  EXE_OS_MCP_COMMAND: ${WIKI_EXE_OS_MCP_COMMAND:-npx}
510
- EXE_OS_MCP_ARGS: ${WIKI_EXE_OS_MCP_ARGS:--y @askexenow/exe-os@${WIKI_EXE_OS_NPM_VERSION:-0.9.278} mcp}
510
+ EXE_OS_MCP_ARGS: ${WIKI_EXE_OS_MCP_ARGS:--y @askexenow/exe-os@${WIKI_EXE_OS_NPM_VERSION:-0.9.312} mcp}
511
511
  BRANDING_CONFIG_PATH: /app/branding.json
512
512
  ports:
513
513
  - "127.0.0.1:${WIKI_HOST_PORT:-3001}:3001"
@@ -531,7 +531,7 @@ services:
531
531
  # to pin the split server image; falls back to the combined EXE_OS_IMAGE_TAG
532
532
  # for backward compatibility with existing manifests.
533
533
  exe-os:
534
- image: ${EXE_OS_SERVER_IMAGE_TAG:-${EXE_OS_IMAGE_TAG:-${EXED_IMAGE_TAG:-ghcr.io/askexe/exe-os:v0.9.270}}}
534
+ image: ${EXE_OS_SERVER_IMAGE_TAG:-${EXE_OS_IMAGE_TAG:-${EXED_IMAGE_TAG:-ghcr.io/askexe/exe-os:v0.9.311}}}
535
535
  container_name: exe-os
536
536
  restart: unless-stopped
537
537
  # bug debf4a39 / 93ddfa27: the daemon connects to exe-db at boot
@@ -596,7 +596,7 @@ services:
596
596
  # the GGUF model files at /home/exed/.exe-os/models/.
597
597
  # ------------------------------------------------------------------
598
598
  exe-os-worker:
599
- image: ${EXE_OS_WORKER_IMAGE_TAG:-ghcr.io/askexe/exe-os-worker:v0.9.270}
599
+ image: ${EXE_OS_WORKER_IMAGE_TAG:-ghcr.io/askexe/exe-os-worker:v0.9.311}
600
600
  container_name: exe-os-worker
601
601
  profiles: ["embeddings"]
602
602
  restart: unless-stopped
@@ -635,7 +635,7 @@ services:
635
635
  options: { max-size: "10m", max-file: "3" }
636
636
 
637
637
  exe-gateway:
638
- image: ${GATEWAY_IMAGE_TAG:-ghcr.io/askexe/exe-gateway:v0.9.21}
638
+ image: ${GATEWAY_IMAGE_TAG:-ghcr.io/askexe/exe-gateway:v0.9.24}
639
639
  container_name: exe-gateway
640
640
  restart: unless-stopped
641
641
  # Gateway needs 45s to flush outbound queues + disconnect Baileys adapters.
@@ -716,7 +716,11 @@ services:
716
716
  - "127.0.0.1:${GATEWAY_WS_HOST_PORT:-3101}:3101"
717
717
  volumes:
718
718
  - gateway_data:/data
719
- - gateway_whatsapp_auth:/app/auth_info
719
+ # bug 99281cd8: mount the WhatsApp auth volume under EXE_GATEWAY_HOME
720
+ # (/data), NOT /app/auth_info. The gateway resolves authDir relative to
721
+ # EXE_GATEWAY_HOME; the old /app/auth_info mount was unreachable when the
722
+ # gateway used its default path. gateway.json authDir updated to match.
723
+ - gateway_whatsapp_auth:/data/auth_info
720
724
  - ./gateway.json:/data/gateway.json:ro
721
725
  # bug 02bc1bb8: PERSISTENT customer-overlay bind-mount. Anything the
722
726
  # customer drops in the host ./overlay dir (e.g. po-intake.js) is exposed
@@ -758,7 +762,7 @@ services:
758
762
  # include "monitor-agent". See deploy/monitor/HOST-ACCESS-CONSENT.md.
759
763
  # ------------------------------------------------------------------
760
764
  exe-monitor-agent:
761
- image: ${MONITOR_AGENT_IMAGE_TAG:-ghcr.io/askexe/exe-monitor-agent:v0.9.4}
765
+ image: ${MONITOR_AGENT_IMAGE_TAG:-ghcr.io/askexe/exe-monitor-agent:v0.9.5}
762
766
  container_name: exe-monitor-agent
763
767
  # Host-access consent gate: only starts when the operator has
764
768
  # acknowledged the host-access scope (COMPOSE_PROFILES=monitor-agent).
@@ -838,7 +842,7 @@ services:
838
842
  # Without a token the binary exits 0 (no crash-loop). (bug 3416cead)
839
843
  # ------------------------------------------------------------------
840
844
  exe-update:
841
- image: ${EXE_OS_IMAGE_TAG:-${EXED_IMAGE_TAG:-ghcr.io/askexe/exe-os:v0.9.270}}
845
+ image: ${EXE_OS_IMAGE_TAG:-${EXED_IMAGE_TAG:-ghcr.io/askexe/exe-os:v0.9.311}}
842
846
  container_name: exe-update
843
847
  profiles: ["registry-proxy", "askexe-control-plane"]
844
848
  restart: unless-stopped
@@ -968,11 +972,14 @@ services:
968
972
  # Token mode: `tunnel run --token <TOKEN>` — no local credentials file needed.
969
973
  # The token embeds the tunnel ID + credentials; routes are managed in the CF dashboard.
970
974
  # --metrics exposes a local HTTP endpoint used by the healthcheck.
975
+ # bug 820c6473: CLOUDFLARE_TUNNEL_TOKEN must be required (:?) so a missing
976
+ # token fails at `docker compose up` parse time instead of silently starting
977
+ # cloudflared with an empty --token (which connects to nothing).
971
978
  command: >
972
979
  tunnel
973
980
  --metrics localhost:2000
974
981
  run
975
- --token ${CLOUDFLARE_TUNNEL_TOKEN}
982
+ --token ${CLOUDFLARE_TUNNEL_TOKEN:?CLOUDFLARE_TUNNEL_TOKEN is required — create a tunnel in the Cloudflare dashboard and paste the token in .env}
976
983
  depends_on:
977
984
  # App subdomains (crm/wiki/erp) are fronted by exe-sso-edge for the unified
978
985
  # SSO redirect (bug 96f8b2b2); gateway is routed directly.
@@ -981,7 +988,7 @@ services:
981
988
  exe-gateway:
982
989
  condition: service_healthy
983
990
  environment:
984
- TUNNEL_TOKEN: ${CLOUDFLARE_TUNNEL_TOKEN}
991
+ TUNNEL_TOKEN: ${CLOUDFLARE_TUNNEL_TOKEN:?CLOUDFLARE_TUNNEL_TOKEN is required — create a tunnel in the Cloudflare dashboard and paste the token in .env}
985
992
  networks:
986
993
  - backend
987
994
  - frontend
@@ -1336,11 +1343,23 @@ services:
1336
1343
  - "127.0.0.1:${OTEL_HEALTH_PORT:-13133}:13133" # Health check
1337
1344
  networks:
1338
1345
  - backend
1339
- # otel-contrib is a scratch image (no shell/wget/curl). Health is monitored
1340
- # externally via curl http://127.0.0.1:13133/ from health-monitor.sh.
1341
- # The health_check extension inside the collector still runs on :13133.
1342
- healthcheck:
1343
- test: ["NONE"]
1346
+ # Bug 2e8ef511: otel-contrib is a distroless image only the /otelcol-contrib
1347
+ # binary is present (no shell/wget/curl/nc, and the binary has no probe
1348
+ # subcommand), so a Docker `healthcheck.test` CMD that runs INSIDE the
1349
+ # container cannot be implemented for this upstream, pull-only image. The old
1350
+ # `test: ["NONE"]` actively DISABLED health, so a broken collector still
1351
+ # reported "running" — a silent observability gap.
1352
+ #
1353
+ # The collector's health_check extension serves HTTP 200 on :13133, and that
1354
+ # port is published to 127.0.0.1 above. Health is therefore verified
1355
+ # EXTERNALLY: status.sh now probes http://127.0.0.1:${OTEL_HEALTH_PORT}/
1356
+ # alongside every other service endpoint, so a down/unhealthy collector is
1357
+ # surfaced by the stack health tooling instead of hiding behind "running".
1358
+ # Keep that probe in lockstep with the OTEL_HEALTH_PORT mapping above.
1359
+ #
1360
+ # NOTE: we intentionally do NOT set `test: ["NONE"]`. Leaving healthcheck
1361
+ # unset inherits the upstream image's own HEALTHCHECK if one is ever added,
1362
+ # whereas ["NONE"] would permanently suppress it.
1344
1363
  deploy:
1345
1364
  resources:
1346
1365
  limits:
@@ -1398,6 +1417,10 @@ services:
1398
1417
  gotrue:
1399
1418
  condition: service_healthy
1400
1419
  healthcheck:
1420
+ # bug 0da060e5: exe-auth is a static nginx site — use --spider to verify the
1421
+ # server answers without downloading the full page body. Previous probe used
1422
+ # -qO- (downloaded content to stdout, no start_period). --spider exits 0 on
1423
+ # any 2xx/3xx and avoids wasting bandwidth.
1401
1424
  # bug 2976868a: this probes the exe-auth nginx ("/" serves the login SPA),
1402
1425
  # which proves the gateway UI is up but NOT that the GoTrue login backend is
1403
1426
  # reachable. The stack-level SSO/login gate is enforced separately by the
@@ -1406,9 +1429,10 @@ services:
1406
1429
  # while this static page stays green. (Strengthening THIS probe to the
1407
1430
  # GoTrue-proxied path lives in the exe-auth image, which owns the nginx
1408
1431
  # /api/ rewrite — not this compose file.)
1409
- test: ["CMD", "wget", "-qO-", "http://127.0.0.1:80/"]
1432
+ test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:80/"]
1410
1433
  interval: 30s
1411
1434
  timeout: 5s
1435
+ start_period: 10s
1412
1436
  retries: 3
1413
1437
  deploy:
1414
1438
  resources:
@@ -8,12 +8,12 @@
8
8
  "whatsapp": {
9
9
  "enabled": true,
10
10
  "credentials": {
11
- "authDir": "/app/auth_info/default"
11
+ "authDir": "/data/auth_info/default"
12
12
  },
13
13
  "accounts": [
14
14
  {
15
15
  "name": "default",
16
- "authDir": "/app/auth_info/default"
16
+ "authDir": "/data/auth_info/default"
17
17
  }
18
18
  ]
19
19
  }
@@ -164,26 +164,12 @@ DO $$ DECLARE s text; BEGIN
164
164
  END LOOP;
165
165
  END $$;
166
166
 
167
- -- Create raw.raw_events landing pad
168
- CREATE TABLE IF NOT EXISTS raw.raw_events (
169
- id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
170
- source TEXT NOT NULL,
171
- source_id TEXT,
172
- event_type TEXT NOT NULL,
173
- payload JSONB NOT NULL,
174
- metadata JSONB,
175
- timestamp TIMESTAMPTZ DEFAULT now(),
176
- created_at TIMESTAMPTZ DEFAULT now(),
177
- processed_at TIMESTAMPTZ,
178
- failed_at TIMESTAMPTZ,
179
- retry_count INT NOT NULL DEFAULT 0,
180
- error TEXT,
181
- projections JSONB DEFAULT '{}'::jsonb
182
- );
183
-
184
- SELECT pg_temp.exe_create_index_if_columns_exist('idx_raw_events_unprocessed', 'raw', 'raw_events', ARRAY['created_at', 'processed_at'], 'CREATE INDEX IF NOT EXISTS idx_raw_events_unprocessed ON raw.raw_events (created_at) WHERE processed_at IS NULL');
185
- SELECT pg_temp.exe_create_index_if_columns_exist('idx_raw_events_retryable', 'raw', 'raw_events', ARRAY['failed_at', 'processed_at', 'retry_count'], 'CREATE INDEX IF NOT EXISTS idx_raw_events_retryable ON raw.raw_events (failed_at) WHERE processed_at IS NULL AND failed_at IS NOT NULL AND retry_count < 5');
186
- SELECT pg_temp.exe_create_index_if_columns_exist('uq_raw_events_dedup', 'raw', 'raw_events', ARRAY['source', 'source_id', 'event_type'], 'CREATE UNIQUE INDEX IF NOT EXISTS uq_raw_events_dedup ON raw.raw_events (source, source_id, event_type)');
167
+ -- raw.raw_events SCHEMA OWNER: exe-db Prisma migrations (bug dc149875).
168
+ -- DO NOT create this table here. exe-db owns the raw_events schema via Prisma
169
+ -- migrations (20260504083822_add_raw_landing_pad + subsequent ALTERs). Creating
170
+ -- the table here with different column types (UUID vs TEXT id, TIMESTAMPTZ vs
171
+ -- TIMESTAMP) caused conflicts when Prisma migrations ran afterwards.
172
+ -- The projection-worker self-heals missing columns via ADD COLUMN IF NOT EXISTS.
187
173
 
188
174
  -- ---------------------------------------------------------------------------
189
175
  -- Graph schema — Company Brain memory + GraphRAG projection targets.
@@ -52,118 +52,27 @@ info "Step 2: Generating .env file"
52
52
  if [[ -f .env ]]; then
53
53
  warn ".env already exists — skipping generation. Delete .env to regenerate."
54
54
  else
55
+ # generate-env.ts is the SINGLE SOURCE OF TRUTH for image tags + secrets — its
56
+ # image-tag constants are kept in lockstep with deploy/stack-manifests/v0.9.json.
57
+ # Bug 716c0f6e: the previous inline shell fallback hardcoded STALE tag-only refs
58
+ # (exe-os:v0.9.155, exe-crm:v0.9.3, gateway:v0.9.3, …) far behind the manifest,
59
+ # so any failure of the generator silently deployed ancient images that bypass
60
+ # the manifest's digest-pinning entirely. There is NO safe inline fallback for
61
+ # image tags — fail loudly instead and let the operator install node/npx.
55
62
  if command -v node >/dev/null 2>&1 && command -v npx >/dev/null 2>&1; then
56
- # generate-env.ts is a TypeScript ESM file shipped at deploy/compose/generate-env.ts.
57
- # Run it via npx tsx (the project is pure ESM require() is forbidden).
58
- npx --yes tsx "$SCRIPT_DIR/generate-env.ts" "$CLIENT" "$DOMAIN" "${LICENSE:-}" > .env 2>/dev/null || {
59
- # Fallback: generate inline
60
- info "Generating secrets inline..."
61
- gen() { openssl rand -hex "$1"; }
62
- cat > .env << ENVEOF
63
- DOMAIN=${DOMAIN}
64
- POSTGRES_USER=exe
65
- POSTGRES_PASSWORD=$(gen 32)
66
- POSTGRES_DB=exedb
67
- CLICKHOUSE_DB=default
68
- CLICKHOUSE_USER=exe
69
- CLICKHOUSE_PASSWORD=$(gen 32)
70
- REDIS_PASSWORD=$(gen 32)
71
- GOTRUE_JWT_SECRET=$(gen 48)
72
- # Bug dc99d78e: SITE_URL = auth gateway (not crm) so email links + GoTrue's
73
- # default redirect honor the originating product's ?redirect= via SPA /confirm.
74
- GOTRUE_SITE_URL=https://auth.${DOMAIN}
75
- GOTRUE_EXTERNAL_URL=https://auth.${DOMAIN}
76
- # SSO redirect allow-list (bug 66f8e10a): app origins the gateway may bounce
77
- # users back to via ?redirect=. Required for unified SSO across crm/wiki/erp.
78
- GOTRUE_URI_ALLOW_LIST=https://crm.${DOMAIN},https://wiki.${DOMAIN},https://erp.${DOMAIN}
79
- # Bug 0327b017: scope the session cookie to the PARENT apex domain so it is
80
- # shared across crm/wiki/erp/auth subdomains → true SSO (no re-login).
81
- GOTRUE_COOKIE_DOMAIN=.${DOMAIN}
82
- GOTRUE_COOKIE_KEY=exe-auth
83
- # Invite-only by default; never autoconfirm without an SMTP round-trip (bug 36c04fe3).
84
- # Configure SMTP_HOST below and keep MAILER_AUTOCONFIRM=false to verify email ownership.
85
- GOTRUE_DISABLE_SIGNUP=true
86
- GOTRUE_MAILER_AUTOCONFIRM=false
87
- GOTRUE_EXTERNAL_EMAIL_ENABLED=true
88
- GOTRUE_EXTERNAL_PHONE_ENABLED=false
89
- # Auth-email From address — customer domain, not askexe.com (bug 133c9d5b).
90
- SMTP_FROM=noreply@${DOMAIN}
91
- SMTP_HOST=
92
- SMTP_PORT=587
93
- SMTP_USER=
94
- SMTP_PASS=
95
- IS_SIGN_UP_DISABLED=true
96
- AUTH_PASSWORD_ENABLED=true
97
- # --- Auth gateway (exe-auth — shared SSO sign-in UI at auth.<domain>) ---
98
- # Bug 58840873: pin the auth image so compose never falls back to its stale
99
- # default tag. Bug 379e5c13: server_name/CORS from the configured apex domain
100
- # directly (no last-2-label slicing → safe for company.co.uk). Bug 5960ebb1:
101
- # AUTH_DISABLE_SIGNUP mirrors GOTRUE_DISABLE_SIGNUP so the SPA hides signup UI.
102
- AUTH_IMAGE_TAG=update.askexe.com/askexe/exe-auth:v0.2.0
103
- AUTH_SERVER_NAME=auth.${DOMAIN}
104
- AUTH_CORS_ORIGIN=https://${DOMAIN}
105
- AUTH_DEFAULT_PRODUCT=AUTH
106
- AUTH_DISABLE_SIGNUP=true
107
- CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.3
108
- CRM_SERVER_URL=https://crm.${DOMAIN}
109
- CRM_APP_SECRET=$(gen 48)
110
- EXE_CRM_ADMIN_TOKEN=$(gen 48)
111
- CRM_HOST_PORT=3000
112
- WIKI_IMAGE_TAG=ghcr.io/askexe/exe-wiki:v0.9.4
113
- WIKI_DB_SCHEMA=wiki
114
- WIKI_VECTOR_DB=exeOsMcp
115
- WIKI_AUTH_TOKEN=$(gen 48)
116
- EXE_WIKI_ADMIN_TOKEN=$(gen 48)
117
- WIKI_JWT_SECRET=$(gen 48)
118
- WIKI_SIG_KEY=$(gen 48)
119
- WIKI_SIG_SALT=$(gen 16)
120
- WIKI_HOST_PORT=3001
121
- EXE_OS_IMAGE_TAG=ghcr.io/askexe/exe-os:v0.9.155
122
- EXED_MCP_TOKEN=$(gen 48)
123
- EXED_DEVICE_ID=vps-${CLIENT}
124
- EXE_MCP_HOST_BIND=0.0.0.0
125
- EXE_MCP_HOST_PORT=48739
126
- EXE_CLOUD_SYNC_TO_POSTGRES=true
127
- EXE_LICENSE_KEY=${LICENSE:-CHANGEME_EXE_LICENSE_KEY}
128
- GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.3
129
- EXE_GATEWAY_AUTH_TOKEN=$(gen 48)
130
- EXE_GATEWAY_WS_RELAY_AUTH_TOKEN=$(gen 48)
131
- EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN=$(gen 32)
132
- API_ROUTER_URL=https://gateway.${DOMAIN}
133
- GATEWAY_HTTP_HOST_PORT=3100
134
- GATEWAY_WS_HOST_PORT=3101
135
- MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.4
136
- MONITOR_AGENT_IMAGE_TAG=ghcr.io/askexe/exe-monitor-agent:v0.9.4
137
- EXE_MONITOR_ADMIN_TOKEN=$(gen 48)
138
- # bug a125785d: shared secret for hub error ingestion (POST /api/exe-monitor/errors).
139
- # The hub fails CLOSED (rejects all ingestion) when unset, so generate one and
140
- # wire it to every error-reporting service via X-Monitor-Key.
141
- EXE_MONITOR_KEY=$(gen 32)
142
- # bug 182c6da3: URL the hub POSTs error-spike alerts to. Unset = alerting silently
143
- # disabled. Default to the gateway's error-spike endpoint (POST /api/alerts/error-spike
144
- # on the gateway HTTP port) so spikes reach WhatsApp alerting.
145
- GATEWAY_ALERT_URL=http://exe-gateway:3100/api/alerts/error-spike
146
- MONITOR_HUB_URL=http://exe-monitor-hub:8090
147
- MONITOR_HUB_PORT=8090
148
- # Bootstrap superuser — created on first start, stored in pb_data afterwards.
149
- MONITOR_HUB_ADMIN_EMAIL=admin@${DOMAIN}
150
- MONITOR_HUB_ADMIN_PASSWORD=$(gen 24)
151
- # bug dacf0042: leave TOKEN/KEY EMPTY (not a CHANGEME placeholder). The agent
152
- # treats empty as "unpaired, keep retrying" — the safe state. `exe-os stack-update`
153
- # fills the real values after pairing the agent with the hub. A non-empty
154
- # placeholder would be submitted to the hub as a bogus token forever.
155
- MONITOR_AGENT_TOKEN=
156
- MONITOR_AGENT_KEY=
157
- MONITOR_AGENT_LISTEN=:45876
158
- # --- R2 (Cloudflare) — shared by media uploads + VPS backups ---
159
- R2_MEDIA_BUCKET=CHANGEME_R2_BUCKET
160
- R2_MEDIA_ENDPOINT=CHANGEME_https://ACCOUNT_ID.r2.cloudflarestorage.com
161
- R2_MEDIA_ACCESS_KEY=CHANGEME_R2_ACCESS_KEY
162
- R2_MEDIA_SECRET_KEY=CHANGEME_R2_SECRET_KEY
163
- # --- Backup encryption (customer-owned, AskExe cannot decrypt) ---
164
- EXE_BACKUP_KEY=$(gen 32)
165
- ENVEOF
166
- }
63
+ # Run via npx tsx (the project is pure ESM require() is forbidden).
64
+ if ! npx --yes tsx "$SCRIPT_DIR/generate-env.ts" "$CLIENT" "$DOMAIN" "${LICENSE:-}" > .env 2>/tmp/exe-generate-env.err; then
65
+ rm -f .env
66
+ err "generate-env.ts failed — refusing to write a .env with stale fallback image tags."
67
+ err "Generator error:"; cat /tmp/exe-generate-env.err >&2 || true
68
+ err "Fix node/tsx and re-run setup.sh (the inline fallback was removed: bug 716c0f6e)."
69
+ exit 1
70
+ fi
71
+ else
72
+ err "node + npx are required to generate .env (single source of truth for"
73
+ err "manifest-pinned image tags). Install Node.js, then re-run setup.sh."
74
+ err "The stale inline fallback was removed (bug 716c0f6e)."
75
+ exit 1
167
76
  fi
168
77
  # bug 759d13db: lock the secret file to owner-only even if a prior umask was
169
78
  # looser or the node generator path created it before umask took effect.
@@ -259,12 +168,12 @@ if [[ ! -f gateway.json ]]; then
259
168
  "whatsapp": {
260
169
  "enabled": true,
261
170
  "credentials": {
262
- "authDir": "/app/auth_info/default"
171
+ "authDir": "/data/auth_info/default"
263
172
  },
264
173
  "accounts": [
265
174
  {
266
175
  "name": "default",
267
- "authDir": "/app/auth_info/default"
176
+ "authDir": "/data/auth_info/default"
268
177
  }
269
178
  ]
270
179
  }
@@ -289,27 +198,60 @@ else
289
198
  info "Cloudflared config exists."
290
199
  fi
291
200
 
292
- # Step 4: Pull images
293
- info "Step 4: Pulling Docker images..."
294
- docker compose pull 2>&1 || { err "Image pull failed check GHCR authentication"; exit 1; }
201
+ # Step 4+5: Bring up the stack.
202
+ #
203
+ # Bug 716c0f6e: first-install must route through `exe-os stack-update`the SAME
204
+ # gated path used for upgrades — so a fresh deploy gets the manifest's
205
+ # digest-pinned image refs, the BLOCKING static preflight gate, registry/proxy
206
+ # auth, health-gated rollout, and automatic rollback on failure. Raw
207
+ # `docker compose pull && up` skips ALL of that and pulls whatever tags happen to
208
+ # be in .env with no preflight, no rollback, and no health sequencing.
209
+ #
210
+ # The exe-os CLI is REQUIRED — setup.sh will attempt to install it via npm
211
+ # if not already on PATH. If npm is unavailable, setup fails loudly.
212
+ # There is NO raw compose fallback (that was the bug).
213
+ EXE_CLI=""
214
+ if command -v exe-os >/dev/null 2>&1; then EXE_CLI="exe-os"; fi
295
215
 
296
- # Step 5: Start stack
297
- info "Step 5: Starting stack..."
298
- docker compose up -d 2>&1
216
+ if [[ -z "$EXE_CLI" ]]; then
217
+ # Bug 716c0f6e: the exe-os CLI is REQUIRED for first-install. Raw
218
+ # `docker compose pull && up` bypasses the digest-pinned manifest,
219
+ # preflight gates, proxy auth, health sequencing, and rollback — all
220
+ # critical for production deploys. Attempt to install the CLI via npm
221
+ # (node is already validated present in Step 2). If npm is not available,
222
+ # fail loudly with install instructions instead of silently deploying
223
+ # with stale/unverified images.
224
+ info "Step 4: exe-os CLI not found — attempting install via npm..."
225
+ if command -v npm >/dev/null 2>&1; then
226
+ if npm install -g exe-os 2>/tmp/exe-npm-install.err; then
227
+ EXE_CLI="exe-os"
228
+ info "exe-os CLI installed successfully."
229
+ else
230
+ err "npm install -g exe-os failed:"
231
+ cat /tmp/exe-npm-install.err >&2 || true
232
+ fi
233
+ fi
234
+ fi
299
235
 
300
- # Step 6: Wait for health
301
- info "Step 6: Waiting for services to be healthy..."
302
- sleep 10
303
- HEALTHY=0
304
- for i in $(seq 1 30); do
305
- COUNT=$(docker ps --filter "health=healthy" --format '{{.Names}}' | wc -l | tr -d ' ')
306
- TOTAL=$(docker ps --format '{{.Names}}' | wc -l | tr -d ' ')
307
- echo -ne "\r $COUNT/$TOTAL healthy (attempt $i/30)..."
308
- if [[ "$COUNT" -ge "$TOTAL" ]]; then HEALTHY=1; break; fi
309
- sleep 5
310
- done
311
- echo ""
312
- [[ "$HEALTHY" -eq 1 ]] && info "All services healthy!" || warn "Some services not healthy yet check docker ps"
236
+ if [[ -n "$EXE_CLI" ]]; then
237
+ info "Step 4+5: Deploying via '$EXE_CLI stack-update' (preflight + proxy auth + health-gated rollout + rollback)..."
238
+ if ! "$EXE_CLI" stack-update --yes; then
239
+ err "stack-update failed — the gated deploy refused or rolled back. Review the"
240
+ err "output above. Do NOT bypass with raw 'docker compose up' — fix the cause"
241
+ err "(preflight RED, image pull, or health failure) and re-run setup.sh."
242
+ exit 1
243
+ fi
244
+ info "stack-update completed (preflight + health gates passed)."
245
+ else
246
+ err "Step 4+5: exe-os CLI is REQUIRED for first-install deploys (bug 716c0f6e)."
247
+ err "Raw 'docker compose up' bypasses the digest-pinned manifest, preflight"
248
+ err "gates, health sequencing, and rollbackdeploying stale/unverified images."
249
+ err ""
250
+ err "Install the CLI and re-run setup.sh:"
251
+ err " npm install -g exe-os"
252
+ err " ./setup.sh --client $CLIENT --domain $DOMAIN${LICENSE:+ --license $LICENSE}"
253
+ exit 1
254
+ fi
313
255
 
314
256
  # Step 7: Verify
315
257
  info "Step 7: Verification"
@@ -33,6 +33,11 @@ check "Gateway" "http://127.0.0.1:3100/health"
33
33
  check "Monitor" "http://127.0.0.1:8090/api/health"
34
34
  check "GoTrue" "http://127.0.0.1:9999/health"
35
35
  check "exe-os" "http://127.0.0.1:8765/health"
36
+ # Bug 2e8ef511: the otel-collector is distroless and cannot run an in-container
37
+ # Docker healthcheck, so its health_check extension (HTTP 200 on the published
38
+ # OTEL_HEALTH_PORT, default 13133) is verified here instead. Without this probe a
39
+ # broken collector silently shows as "running" with no health signal anywhere.
40
+ check "OTel" "http://127.0.0.1:${OTEL_HEALTH_PORT:-13133}/"
36
41
 
37
42
  echo ""
38
43