@askexenow/exe-os 0.9.322 → 0.9.324

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (319) hide show
  1. package/deploy/compose/.env.customer.example +1 -1
  2. package/deploy/compose/.env.example +18 -1
  3. package/deploy/compose/PROTECTED_FILES.md +4 -1
  4. package/deploy/compose/add-routes.sh +22 -0
  5. package/deploy/compose/cloudflared/config.yml.example +6 -3
  6. package/deploy/compose/docker-compose.yml +36 -1
  7. package/deploy/compose/generate-env.ts +40 -2
  8. package/deploy/compose/sso-edge/default.conf.template +11 -0
  9. package/deploy/compose/sso-edge/sso-redirect.conf +90 -21
  10. package/deploy/stack-manifests/v0.9.json +110 -2
  11. package/dist/{active-agent-M5NJFEBM.js → active-agent-CVSB2EER.js} +3 -3
  12. package/dist/{active-agent-SHM4QSRJ.js → active-agent-IUVRZOSF.js} +3 -3
  13. package/dist/{agentic-ontology-HQKCU7LG.js → agentic-ontology-2QFPBIQP.js} +1 -1
  14. package/dist/backfill-gate-J7UXFNXU.js +19 -0
  15. package/dist/{backfill-metadata-CXWFCTBO.js → backfill-metadata-W3PRQPVV.js} +4 -4
  16. package/dist/{behaviors-J47D342W.js → behaviors-MQCADHAD.js} +5 -5
  17. package/dist/bin/agentic-ontology-backfill.js +5 -5
  18. package/dist/bin/agentic-reflection-backfill.js +6 -6
  19. package/dist/bin/agentic-semantic-label.js +5 -5
  20. package/dist/bin/backfill-conversations.js +11 -11
  21. package/dist/bin/backfill-responses.js +11 -11
  22. package/dist/bin/backfill-vectors.js +102 -22
  23. package/dist/bin/bulk-sync-postgres.js +14 -14
  24. package/dist/bin/cc-doctor.js +5 -5
  25. package/dist/bin/cleanup-stale-review-tasks.js +20 -13
  26. package/dist/bin/cli.js +28 -31
  27. package/dist/bin/customer-readiness.js +1 -0
  28. package/dist/bin/deferred-daemon-restart.js +80 -77
  29. package/dist/bin/exe-agent-config.js +3 -3
  30. package/dist/bin/exe-agent.js +5 -5
  31. package/dist/bin/exe-assign.js +10 -10
  32. package/dist/bin/exe-boot.js +32 -23
  33. package/dist/bin/exe-call.js +5 -5
  34. package/dist/bin/exe-cloud.js +120 -47
  35. package/dist/bin/exe-config-dump.js +3 -3
  36. package/dist/bin/exe-dispatch.js +48 -14
  37. package/dist/bin/exe-doctor.js +4 -4
  38. package/dist/bin/exe-export-behaviors.js +7 -7
  39. package/dist/bin/exe-forget.js +6 -6
  40. package/dist/bin/exe-gateway.js +8 -8
  41. package/dist/bin/exe-healthcheck.js +17 -8
  42. package/dist/bin/exe-heartbeat.js +20 -13
  43. package/dist/bin/exe-kill.js +23 -16
  44. package/dist/bin/exe-launch-agent.js +30 -27
  45. package/dist/bin/exe-new-employee.js +9 -9
  46. package/dist/bin/exe-pending-messages.js +21 -14
  47. package/dist/bin/exe-pending-notifications.js +20 -13
  48. package/dist/bin/exe-pending-reviews.js +20 -13
  49. package/dist/bin/exe-rename.js +5 -5
  50. package/dist/bin/exe-review.js +22 -15
  51. package/dist/bin/exe-search.js +8 -13
  52. package/dist/bin/exe-session-cleanup.js +39 -22
  53. package/dist/bin/exe-settings.js +15 -15
  54. package/dist/bin/exe-start-codex.js +51 -34
  55. package/dist/bin/exe-start-opencode.js +8 -8
  56. package/dist/bin/exe-status.js +21 -14
  57. package/dist/bin/exe-support.js +3 -3
  58. package/dist/bin/exe-team.js +3 -3
  59. package/dist/bin/exe-watchdog.js +278 -39
  60. package/dist/bin/git-sweep.js +21 -14
  61. package/dist/bin/graph-backfill.js +4 -4
  62. package/dist/bin/graph-export.js +5 -5
  63. package/dist/bin/import-history.js +7 -7
  64. package/dist/bin/install-launchd.js +2 -2
  65. package/dist/bin/install.js +121 -88
  66. package/dist/bin/intercom-check.js +4 -4
  67. package/dist/bin/mcp-sessions.js +2 -2
  68. package/dist/bin/orchestration-metrics.js +4 -4
  69. package/dist/bin/postgres-agentic-reflection-backfill.js +2 -2
  70. package/dist/bin/postgres-agentic-semantic-backfill.js +1 -1
  71. package/dist/bin/pre-publish.js +1 -1
  72. package/dist/bin/registry-proxy.js +1 -1
  73. package/dist/bin/scan-tasks.js +20 -13
  74. package/dist/bin/setup.js +1 -1
  75. package/dist/bin/shard-migrate.js +4 -4
  76. package/dist/bin/stack-update.js +4 -4
  77. package/dist/bin/vps-health-gate.js +1 -1
  78. package/dist/{capability-cards-H7H3MU74.js → capability-cards-STD3NMCR.js} +2 -2
  79. package/dist/{capacity-monitor-WAEHVBL7.js → capacity-monitor-6O3PWYNM.js} +21 -14
  80. package/dist/{catchup-brief-L42STIDR.js → catchup-brief-EDQ3VZCF.js} +23 -16
  81. package/dist/{chunk-HKSJSW2V.js → chunk-2E2NKFXK.js} +1 -1
  82. package/dist/{chunk-NYFPFOYM.js → chunk-2NY7LZT7.js} +1 -1
  83. package/dist/{chunk-DGFIXJ4S.js → chunk-2QD5M47V.js} +3 -3
  84. package/dist/{chunk-3M73L663.js → chunk-2YWUZPHE.js} +2 -2
  85. package/dist/{chunk-LB77CSLO.js → chunk-2ZW4AQ24.js} +3 -3
  86. package/dist/{chunk-E32KARET.js → chunk-376J36IW.js} +4 -4
  87. package/dist/{chunk-CWQAXO3O.js → chunk-5RACW3LX.js} +28 -3
  88. package/dist/{chunk-VSXGFHJY.js → chunk-5VT45EV6.js} +1 -1
  89. package/dist/{chunk-X62GD6QW.js → chunk-5YCOEPEX.js} +2 -2
  90. package/dist/{chunk-TKBWBHFV.js → chunk-6FWMLTF2.js} +1 -1
  91. package/dist/chunk-6IWLAQ7O.js +40 -0
  92. package/dist/{chunk-WFHYAKEU.js → chunk-6XAAJ5OV.js} +1 -1
  93. package/dist/{chunk-4Z47UMMM.js → chunk-7M6TXYRQ.js} +23 -23
  94. package/dist/{chunk-HWC5W34K.js → chunk-7PLMYXPG.js} +1 -1
  95. package/dist/{chunk-DDKDN4HV.js → chunk-A47MXY2I.js} +7 -0
  96. package/dist/{chunk-SQ5JWDJ2.js → chunk-AEFZEJKW.js} +1 -1
  97. package/dist/{chunk-657AQEPY.js → chunk-AVKZIG4A.js} +1 -1
  98. package/dist/{chunk-EPBB2OD3.js → chunk-BB5IKY7B.js} +2 -2
  99. package/dist/{chunk-3JW3ZXCP.js → chunk-BC7IIR3A.js} +65 -39
  100. package/dist/{chunk-WSYKLS2Y.js → chunk-BDJQWBWF.js} +3 -3
  101. package/dist/{chunk-VY7345RO.js → chunk-BMSAJ2IH.js} +1 -1
  102. package/dist/{chunk-OI63OVCR.js → chunk-C7B44DJI.js} +1 -1
  103. package/dist/{chunk-GA76RGSP.js → chunk-CS6MYGNB.js} +5 -5
  104. package/dist/{chunk-6N4LYEDI.js → chunk-CSPHV5DJ.js} +1 -1
  105. package/dist/{chunk-HGM6NZQH.js → chunk-DYUISOIT.js} +1 -1
  106. package/dist/{signal-paths-4GOIRLGH.js → chunk-EIKATSE4.js} +3 -4
  107. package/dist/{chunk-G5TP2D2U.js → chunk-EWDTTTZP.js} +3 -3
  108. package/dist/{chunk-TI6YX3L5.js → chunk-F2RK5YWB.js} +36 -27
  109. package/dist/{chunk-HV5CUDOE.js → chunk-F6TJIWN5.js} +1 -1
  110. package/dist/{chunk-WCCR5IFR.js → chunk-FPTBCPI3.js} +2 -2
  111. package/dist/{chunk-QVFJCFNM.js → chunk-FROUDYRT.js} +33 -2
  112. package/dist/{chunk-T6AUMO5X.js → chunk-GIFDGNIL.js} +1 -1
  113. package/dist/{chunk-OFR7KQ37.js → chunk-HAYDXMW6.js} +3 -3
  114. package/dist/{chunk-V2ESQU3S.js → chunk-HBKYKN3S.js} +3 -3
  115. package/dist/{chunk-LCZ55G5G.js → chunk-HZ5J2GFE.js} +136 -66
  116. package/dist/{chunk-EOPSIIEH.js → chunk-ID3V4BWS.js} +1 -1
  117. package/dist/{chunk-ABGDTMKC.js → chunk-JRD7ARQ6.js} +60 -2
  118. package/dist/{chunk-7FBPLVHM.js → chunk-KADUJ7PE.js} +3 -3
  119. package/dist/{chunk-KLG53B63.js → chunk-KJOQLNX2.js} +1 -1
  120. package/dist/{chunk-AZL3EUR3.js → chunk-KK67DSCO.js} +229 -29
  121. package/dist/{chunk-H2SD2EA7.js → chunk-KLDQFOFY.js} +23 -9
  122. package/dist/chunk-KPIN44GZ.js +67 -0
  123. package/dist/{chunk-PLBDXCYZ.js → chunk-KUJGADX6.js} +1491 -606
  124. package/dist/{chunk-GN3IWZDH.js → chunk-KWWHRJGG.js} +660 -539
  125. package/dist/{chunk-ERSFOJGC.js → chunk-LUOQCGBO.js} +20 -11
  126. package/dist/{chunk-CXXERHNC.js → chunk-LWAGAC3H.js} +1 -1
  127. package/dist/{chunk-7BZ6TOZN.js → chunk-MB2YT5VQ.js} +3 -3
  128. package/dist/{chunk-KXP3CUTL.js → chunk-MCEXBLLK.js} +3 -3
  129. package/dist/{chunk-A3KUGBDP.js → chunk-MIWPKWXQ.js} +1 -1
  130. package/dist/{chunk-7CUF27OT.js → chunk-MKIFYIXC.js} +1 -1
  131. package/dist/{chunk-ONKIWA3R.js → chunk-ML4S5SHZ.js} +3 -1
  132. package/dist/{chunk-BFHBHQFA.js → chunk-MWIX3YKA.js} +5 -5
  133. package/dist/{chunk-6UQRJCKK.js → chunk-NBDTQVWU.js} +2 -2
  134. package/dist/{chunk-KK4ZOYXJ.js → chunk-NGACCR2M.js} +80 -40
  135. package/dist/{chunk-CMDC5D7S.js → chunk-NLEW62VC.js} +6 -0
  136. package/dist/{chunk-QYLDCPNG.js → chunk-PGFYWVOB.js} +1 -1
  137. package/dist/{chunk-XEBN5CPD.js → chunk-PGUISLOT.js} +3 -3
  138. package/dist/{chunk-MYMA23KC.js → chunk-PJTEZLAM.js} +1 -1
  139. package/dist/{chunk-QNUHDEPI.js → chunk-POOMY3CS.js} +4 -4
  140. package/dist/{chunk-2GBGIXKH.js → chunk-PV7IG4V6.js} +1 -1
  141. package/dist/{chunk-SENJA7BZ.js → chunk-QDI77B3E.js} +54 -7
  142. package/dist/{chunk-XLNF3CIO.js → chunk-QGOMYIVT.js} +119 -24
  143. package/dist/{chunk-HIOO7DZ2.js → chunk-QQFZ32WS.js} +5 -5
  144. package/dist/{chunk-KL5WYWS3.js → chunk-SOXUF34Y.js} +2 -2
  145. package/dist/{chunk-6XM6PZXQ.js → chunk-SPO2RLOB.js} +1 -1
  146. package/dist/{chunk-ROMB2HH4.js → chunk-T3XHH5FE.js} +6 -6
  147. package/dist/{chunk-6SXJZHRJ.js → chunk-TA3A4UQL.js} +1 -1
  148. package/dist/{chunk-XP53WEXP.js → chunk-TGVKQ3QB.js} +3 -3
  149. package/dist/{chunk-XC7C3GQ2.js → chunk-TNS6U2K7.js} +30 -19
  150. package/dist/{chunk-JXEMAB4M.js → chunk-UAIMI7CK.js} +1 -1
  151. package/dist/{chunk-YIFZZYQD.js → chunk-UBYAKNRF.js} +2 -2
  152. package/dist/{chunk-6IBUQBMY.js → chunk-UXYQLOFW.js} +198 -39
  153. package/dist/{chunk-C4BIZXKB.js → chunk-UYOW7U24.js} +1 -1
  154. package/dist/{chunk-NFM6VHL7.js → chunk-V4VYIHSL.js} +1 -1
  155. package/dist/{chunk-QQOH3I4A.js → chunk-VDUHWQFA.js} +1 -1
  156. package/dist/{chunk-EVUXF2G4.js → chunk-W5GBB23I.js} +1 -1
  157. package/dist/{chunk-FANIBYUO.js → chunk-WF3J6GJZ.js} +2 -2
  158. package/dist/{chunk-NAHAOFTY.js → chunk-WGHTISNK.js} +3 -3
  159. package/dist/{chunk-F5FAD2YR.js → chunk-WGOAILWE.js} +2 -2
  160. package/dist/{chunk-LOE2N23P.js → chunk-WJICX53Z.js} +1 -1
  161. package/dist/{skill-refinement-YLIAY7V4.js → chunk-Y2KBHLEO.js} +3 -11
  162. package/dist/{chunk-PISGLNV7.js → chunk-Y34FDPOY.js} +5 -5
  163. package/dist/{chunk-ORC5AO7E.js → chunk-YBHOWK3L.js} +2 -2
  164. package/dist/{chunk-7SDS5VCL.js → chunk-ZDNJ3TSB.js} +7 -7
  165. package/dist/{chunk-CHSRSESS.js → chunk-ZRZ2Z6RZ.js} +1 -1
  166. package/dist/{cleanup-graph-garbage-MX5JDTJA.js → cleanup-graph-garbage-2YH52ADR.js} +4 -4
  167. package/dist/{co-activation-K44LGZ7A.js → co-activation-7F3J2GC7.js} +2 -2
  168. package/dist/{co-occurrence-N62HJTRP.js → co-occurrence-B36Q5GY3.js} +2 -2
  169. package/dist/{code-context-index-6YQ3DGCN.js → code-context-index-2PUBBQOE.js} +3 -3
  170. package/dist/{crdt-sync-BO76VVRX.js → crdt-sync-MXHPR6V6.js} +1 -1
  171. package/dist/{crm-bridge-BVTB6LZK.js → crm-bridge-CZLEW2LW.js} +1 -1
  172. package/dist/{crm-webhook-UZLTHXAS.js → crm-webhook-56MWGMRY.js} +2 -2
  173. package/dist/{cto-delegation-gate-NVMRONA2.js → cto-delegation-gate-26BD7NEE.js} +19 -12
  174. package/dist/{daemon-orchestration-JI3RD5EZ.js → daemon-orchestration-IBP6PWEG.js} +31 -16
  175. package/dist/{db-backup-ITRADB2J.js → db-backup-XLID57KW.js} +1 -1
  176. package/dist/{doc-graph-extractor-L7YESUSI.js → doc-graph-extractor-VBZ6XTTE.js} +2 -2
  177. package/dist/{documents-7BFXA6V3.js → documents-C5LYSJT3.js} +10 -10
  178. package/dist/{dreaming-NRTMPNPZ.js → dreaming-LMVDIC5C.js} +20 -13
  179. package/dist/{exe-drift-GLJIM7EI.js → exe-drift-T3K6WA47.js} +3 -3
  180. package/dist/{exe-export-THIAYHXK.js → exe-export-QCTASWXI.js} +7 -7
  181. package/dist/{exe-import-3Y4VOUYL.js → exe-import-WNP5A7VA.js} +7 -7
  182. package/dist/{exe-key-IPGY4RMU.js → exe-key-JM3JXE2E.js} +78 -75
  183. package/dist/{exe-snapshot-2ZEWCDYK.js → exe-snapshot-ODDJUEM5.js} +23 -16
  184. package/dist/{fast-db-init-TLYUWCDE.js → fast-db-init-O6A3TK3F.js} +1 -1
  185. package/dist/{founder-context-J362DNU4.js → founder-context-FYTF4IMD.js} +2 -2
  186. package/dist/gateway/index.js +9 -9
  187. package/dist/{git-staleness-BRDHTHNS.js → git-staleness-YA5J6VYJ.js} +2 -2
  188. package/dist/{global-procedures-FNUKY2LF.js → global-procedures-76NDWTYN.js} +4 -4
  189. package/dist/{graph-auto-extract-AJZUV3PO.js → graph-auto-extract-I7QL2TY5.js} +2 -2
  190. package/dist/hooks/bug-report-worker.js +22 -15
  191. package/dist/hooks/codex-stop-task-finalizer.js +22 -15
  192. package/dist/hooks/commit-complete.js +22 -15
  193. package/dist/hooks/error-recall.js +6 -6
  194. package/dist/hooks/exe-heartbeat-hook.js +3 -3
  195. package/dist/hooks/ingest-worker.js +6 -6
  196. package/dist/hooks/ingest.js +6 -6
  197. package/dist/hooks/instructions-loaded.js +4 -4
  198. package/dist/hooks/manifest.json +20 -20
  199. package/dist/hooks/notification.js +4 -4
  200. package/dist/hooks/post-compact.js +21 -14
  201. package/dist/hooks/post-tool-combined.js +8 -8
  202. package/dist/hooks/pre-compact.js +22 -21
  203. package/dist/hooks/pre-tool-use.js +29 -19
  204. package/dist/hooks/prompt-submit.js +89 -72
  205. package/dist/hooks/session-end.js +27 -26
  206. package/dist/hooks/session-start.js +13 -13
  207. package/dist/hooks/stop.js +28 -21
  208. package/dist/hooks/subagent-stop.js +24 -41
  209. package/dist/hooks/summary-worker.js +27 -25
  210. package/dist/index.js +30 -23
  211. package/dist/{installer-SC7CQBYY.js → installer-3EYHBKWB.js} +5 -5
  212. package/dist/{installer-UEF44TWQ.js → installer-3VZMDDMJ.js} +5 -5
  213. package/dist/{installer-2EKTDQZB.js → installer-GYABVCB7.js} +5 -5
  214. package/dist/intercom-queue-ZCNT4LYU.js +53 -0
  215. package/dist/lib/agent-config.js +7 -1
  216. package/dist/lib/cloud-sync.js +16 -14
  217. package/dist/lib/consolidation.js +5 -5
  218. package/dist/lib/database.js +10 -2
  219. package/dist/lib/db-daemon-client.js +3 -3
  220. package/dist/lib/db.js +10 -2
  221. package/dist/lib/device-registry.js +1 -1
  222. package/dist/lib/embed-worker.js +28 -0
  223. package/dist/lib/embedder.js +3 -3
  224. package/dist/lib/employee-templates.js +5 -5
  225. package/dist/lib/employees.js +2 -2
  226. package/dist/lib/exe-daemon-client.js +2 -2
  227. package/dist/lib/exe-daemon.js +393 -140
  228. package/dist/lib/hybrid-search.js +5 -5
  229. package/dist/lib/identity.js +2 -2
  230. package/dist/lib/license.js +2 -2
  231. package/dist/lib/messaging.js +20 -13
  232. package/dist/lib/registry-proxy.js +1 -1
  233. package/dist/lib/reminders.js +3 -3
  234. package/dist/lib/schedules.js +5 -5
  235. package/dist/lib/session-registry.js +6 -4
  236. package/dist/lib/skill-learning.js +6 -6
  237. package/dist/lib/store.js +4 -4
  238. package/dist/lib/task-router.js +3 -3
  239. package/dist/lib/tasks.js +21 -14
  240. package/dist/lib/tmux-routing.js +29 -12
  241. package/dist/lib/token-spend.js +3 -3
  242. package/dist/{license-gate-YUUSIPJ7.js → license-gate-73XGUIVP.js} +3 -3
  243. package/dist/{license-sync-LX73IEBH.js → license-sync-CG5YRUVH.js} +2 -2
  244. package/dist/mcp/register-tools.js +75 -72
  245. package/dist/mcp/server.js +96 -130
  246. package/dist/mcp/tools/complete-reminder.js +4 -4
  247. package/dist/mcp/tools/create-reminder.js +4 -4
  248. package/dist/mcp/tools/create-task.js +37 -18
  249. package/dist/mcp/tools/deactivate-behavior.js +7 -7
  250. package/dist/mcp/tools/list-reminders.js +4 -4
  251. package/dist/mcp/tools/list-tasks.js +23 -16
  252. package/dist/mcp/tools/send-message.js +22 -15
  253. package/dist/mcp/tools/update-task.js +22 -15
  254. package/dist/{mcp-http-config-MBG5AQNH.js → mcp-http-config-TT7PXZLX.js} +3 -3
  255. package/dist/{memory-cards-MGZ4P3AA.js → memory-cards-6NGUDUDN.js} +4 -4
  256. package/dist/{memory-graph-extractor-44P2ATID.js → memory-graph-extractor-FIMS3VQR.js} +3 -3
  257. package/dist/{memory-poisoning-defense-3CYFKNLA.js → memory-poisoning-defense-M3LOQ3XU.js} +2 -2
  258. package/dist/{memory-pressure-watchdog-6PFLEOUO.js → memory-pressure-watchdog-45GABDWH.js} +20 -13
  259. package/dist/{memory-queue-client-BZD6MXA5.js → memory-queue-client-BDYKFNB4.js} +3 -3
  260. package/dist/{memory-reflection-AYPJRPU7.js → memory-reflection-LANCFYK2.js} +7 -9
  261. package/dist/{notifications-BBQ23ORD.js → notifications-N5NKUYAU.js} +19 -12
  262. package/dist/{orchestration-events-O5P5NEKS.js → orchestration-events-KVNRNIPR.js} +3 -3
  263. package/dist/{orchestrator-SERM6FDY.js → orchestrator-VTF5BR26.js} +21 -14
  264. package/dist/{pipeline-router-T673WGL3.js → pipeline-router-KQAYWDPH.js} +3 -3
  265. package/dist/{plan-limits-QWBN2EKH.js → plan-limits-EUZI4X5W.js} +5 -5
  266. package/dist/{projection-worker-K6TILAZH.js → projection-worker-FG6G226D.js} +12 -2
  267. package/dist/{prospective-memory-XRNRMEDL.js → prospective-memory-FVDNUSIL.js} +2 -2
  268. package/dist/{reranker-3XC5UM4F.js → reranker-54Q3L32E.js} +1 -1
  269. package/dist/{retrieval-health-ULVVOIPL.js → retrieval-health-YJ7CXYVD.js} +1 -1
  270. package/dist/{review-polling-5YGDPJUX.js → review-polling-TKXYSXH6.js} +20 -13
  271. package/dist/runtime/index.js +23 -16
  272. package/dist/{session-events-D52HNUJK.js → session-events-WQHTP65R.js} +20 -13
  273. package/dist/{session-kill-telemetry-IBNCJSI7.js → session-kill-telemetry-2HSE7IGH.js} +20 -13
  274. package/dist/{session-scope-5FWZ4AYR.js → session-scope-RBKAC75W.js} +19 -12
  275. package/dist/{setup-wizard-KVTLSSRD.js → setup-wizard-AA6ZV57H.js} +1 -1
  276. package/dist/signal-paths-4G53QTII.js +11 -0
  277. package/dist/skill-refinement-QI35LMTZ.js +20 -0
  278. package/dist/{stack-update-OWWGTYRB.js → stack-update-BE6PX4AG.js} +9 -3
  279. package/dist/{steward-gate-3ZITRYVH.js → steward-gate-2XD5BXH6.js} +3 -3
  280. package/dist/{support-outbox-QPQQK7F7.js → support-outbox-MGUVVGHT.js} +96 -44
  281. package/dist/sweep-budget-WB2FKPYN.js +64 -0
  282. package/dist/{task-enforcement-L4YTDOOX.js → task-enforcement-DMOCBRLB.js} +191 -17
  283. package/dist/{task-scope-OIHLMQOQ.js → task-scope-ULBNFBFH.js} +25 -12
  284. package/dist/{tasks-crud-QUIIRWE3.js → tasks-crud-6SJOKES5.js} +25 -12
  285. package/dist/{tasks-notify-ANYLB5GU.js → tasks-notify-TESRABUM.js} +20 -13
  286. package/dist/{tasks-review-BWSCXFMB.js → tasks-review-INDAGLWJ.js} +27 -14
  287. package/dist/{telemetry-upload-XLDBCD7B.js → telemetry-upload-6XB3Q3IH.js} +7 -7
  288. package/dist/{token-budget-OQCLPV3A.js → token-budget-NOF27AZC.js} +3 -3
  289. package/dist/{tool-capability-index-3UWKZZED.js → tool-capability-index-EFBBPTBI.js} +1 -1
  290. package/dist/{tool-telemetry-AQTFWOWG.js → tool-telemetry-OEK6KQFF.js} +1 -1
  291. package/dist/tui/App.js +28 -21
  292. package/dist/{tui-data-3Y5L5LJB.js → tui-data-EG6LEZFF.js} +19 -12
  293. package/dist/{worker-gate-WJS2MFNA.js → worker-gate-YA35VMAN.js} +1 -1
  294. package/dist/{workflow-engine-EPPZ226V.js → workflow-engine-3AVKRE5I.js} +2 -2
  295. package/dist/{worktree-OYGDGJP7.js → worktree-72QYYL5L.js} +4 -4
  296. package/dist/{worktree-sweep-KV4H4766.js → worktree-sweep-GDISKGQ2.js} +5 -5
  297. package/package.json +1 -1
  298. package/release-notes.json +45 -45
  299. package/dist/chunk-4FVVJ7ME.js +0 -193
  300. package/dist/completion-nudge-dedup-DBZF24MM.js +0 -74
  301. package/dist/git-task-sweep-7GVUKDBW.js +0 -47
  302. package/dist/intercom-queue-6M5IRX3Y.js +0 -17
  303. /package/dist/{chunk-QTEHH4LG.js → chunk-24WPWCD6.js} +0 -0
  304. /package/dist/{chunk-IZY6V4FI.js → chunk-4O3N7I5Z.js} +0 -0
  305. /package/dist/{chunk-WXRVHXVP.js → chunk-7577GDDG.js} +0 -0
  306. /package/dist/{chunk-Q5YKWFVO.js → chunk-EWKZKO7F.js} +0 -0
  307. /package/dist/{chunk-DY3J6GQO.js → chunk-H43BPGIV.js} +0 -0
  308. /package/dist/{chunk-DQJ3WZRK.js → chunk-IHRXCNSC.js} +0 -0
  309. /package/dist/{chunk-RRQI5PSJ.js → chunk-NIB2N6L2.js} +0 -0
  310. /package/dist/{chunk-ZU6767WK.js → chunk-QMUSJESS.js} +0 -0
  311. /package/dist/{chunk-72LWCZTJ.js → chunk-RXS2LBKE.js} +0 -0
  312. /package/dist/{chunk-SJZT66LM.js → chunk-SNFYZFXY.js} +0 -0
  313. /package/dist/{chunk-SIJSFULW.js → chunk-TSYMWC53.js} +0 -0
  314. /package/dist/{core-memory-DARTILJG.js → core-memory-NKKP2XUB.js} +0 -0
  315. /package/dist/{entity-boost-VR5YOQCT.js → entity-boost-DRIUFTYB.js} +0 -0
  316. /package/dist/{message-queue-client-HVFR67QH.js → message-queue-client-4ERC7HLX.js} +0 -0
  317. /package/dist/{oauth-server-UQHCFVHT.js → oauth-server-PECJREY2.js} +0 -0
  318. /package/dist/{project-boot-22ZZL2GE.js → project-boot-SFKP2MFW.js} +0 -0
  319. /package/dist/{wiki-acl-EZMGL6KW.js → wiki-acl-QIBDNXSM.js} +0 -0
@@ -186,7 +186,7 @@ MONITOR_AGENT_LISTEN=:45876
186
186
  # erp.<domain> → http://exe-sso-edge:80 (NOT exe-erp / exe-erp-nginx)
187
187
  # gateway.<domain> → http://exe-gateway:3100 (routed directly — no SSO gate)
188
188
  # monitor.<domain> → http://exe-monitor-hub:8090
189
- # auth.<domain> → http://gotrue:9999
189
+ # auth.<domain> → http://exe-auth:80 (auth gateway — NOT raw gotrue:9999; bug 802661a5)
190
190
  # api.<domain> → http://exe-os:8765
191
191
  # SET_MANUALLY
192
192
  CLOUDFLARE_TUNNEL_TOKEN=CHANGEME_CLOUDFLARE_TUNNEL_TOKEN
@@ -10,6 +10,12 @@ DOMAIN=CHANGEME_DOMAIN
10
10
  POSTGRES_USER=exe
11
11
  POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD
12
12
  POSTGRES_DB=exedb
13
+ # bug ad645206: NEVER connect to exe-db via its container IP (10.42.0.x) —
14
+ # container IPs are reassigned on every stack update and silently break any
15
+ # script that hardcodes them. In-network services use the service hostname
16
+ # exe-db:5432; host-side scripts (crons, collectors, OCR workers) use the
17
+ # stable loopback port below (published as 127.0.0.1:<port> by compose).
18
+ EXE_DB_HOST_PORT=55432
13
19
 
14
20
  CLICKHOUSE_DB=default
15
21
  CLICKHOUSE_USER=exe
@@ -139,6 +145,17 @@ GATEWAY_WS_HOST_PORT=3101
139
145
  GATEWAY_GOTRUE_URL=http://gotrue:9999
140
146
  # CRM bridge: exe-gateway reaches exe-crm through Docker service DNS.
141
147
  CRM_GRAPHQL_URL=http://exe-crm:3000/graphql
148
+ # bug 0b66164c: CRM bridge token. Compose passes CRM_API_TOKEN into the
149
+ # gateway container, defaulting to the EXE_CRM_ADMIN_TOKEN generated in the
150
+ # CRM block above — set this only to override with a dedicated token. If the
151
+ # gateway logs 'CRM bridge Disabled', check this chain and recreate the
152
+ # gateway container.
153
+ # CRM_API_TOKEN=
154
+ # bug a99c1462: one-time Baileys v7 WhatsApp auth migration. Set =1 for a
155
+ # single gateway restart after an update that invalidates WhatsApp auth
156
+ # (fresh-QR reconnect loop): old auth is archived and a clean QR pairing
157
+ # starts. Re-pair at https://gateway.<domain>/pair/<account>, then unset.
158
+ # EXE_GATEWAY_CONFIRM_BAILEYS_V7_REPAIR=1
142
159
  # Error forwarding to exe-monitor-hub (strongly recommended for production)
143
160
  ERROR_REPORTING_ENABLED=true
144
161
  MONITOR_ERROR_URL=http://exe-monitor-hub:8090/api/exe-monitor/errors
@@ -230,7 +247,7 @@ MONITOR_SHARE_ALL_SYSTEMS=false
230
247
  # erp.<domain> → http://exe-sso-edge:80 (NOT exe-erp / exe-erp-nginx)
231
248
  # gateway.<domain> → http://exe-gateway:3100 (routed directly — no SSO gate)
232
249
  # monitor.<domain> → http://exe-monitor-hub:8090
233
- # auth.<domain> → http://gotrue:9999
250
+ # auth.<domain> → http://exe-auth:80 (auth gateway — NOT raw gotrue:9999; bug 802661a5)
234
251
  # api.<domain> → http://exe-os:8765
235
252
  # SET_MANUALLY
236
253
  CLOUDFLARE_TUNNEL_TOKEN=CHANGEME_CLOUDFLARE_TUNNEL_TOKEN
@@ -14,7 +14,10 @@ and log a migration notice, not replace the existing one.
14
14
 
15
15
  ## Data volumes (Docker managed, persist across updates)
16
16
  - `postgres_data` — all database data (CRM, wiki, graph, raw, gateway)
17
- - `gateway_data` — Baileys WhatsApp auth state (creds.json, sessions)
17
+ - `gateway_data` — gateway runtime data and local cache
18
+ - `gateway_whatsapp_auth` — Baileys WhatsApp auth state (creds.json, sessions);
19
+ mounted at both `/data/auth_info` and `/data/.auth` so gateway image updates
20
+ cannot strand pairings by switching auth directories
18
21
  - `wiki_data` — uploaded documents, workspace storage
19
22
  - `crm_data` — CRM local file storage
20
23
  - `monitor_hub_data` — PocketBase data, alert history
@@ -26,6 +26,8 @@
26
26
  # Host overlay dir : ${OVERLAY_DIR:-/opt/exe-stack/overlay}
27
27
  # In-container view : /data/overlay (read-only bind-mount, always present)
28
28
  # Applied into : ${OVERLAY_TARGET:-/app/overlay} inside the container
29
+ # Legacy fallback : matching files under /app/dist (when the image has no
30
+ # EXE_GATEWAY_OVERLAY_DIR loader yet)
29
31
  #
30
32
  # Overlays are loaded by the gateway from EXE_GATEWAY_OVERLAY_DIR (defaults to
31
33
  # /data/overlay — the bind-mount — so on a modern gateway no copy is even needed;
@@ -84,6 +86,26 @@ for f in "${overlay_files[@]}"; do
84
86
  else
85
87
  log " ERROR failed to apply ${base}"
86
88
  fi
89
+
90
+ # Compatibility fallback for gateway builds that still do NOT read
91
+ # EXE_GATEWAY_OVERLAY_DIR or /app/overlay (bug 20ae1f85). HYGO's overlays are
92
+ # flat files (po-intake.js, whatsapp.js) that patch same-named files in the
93
+ # built gateway dist. If exactly one match exists, patch that runtime file too
94
+ # so the overlay survives a container recreate even before the gateway image
95
+ # grows a native overlay loader. Multiple matches are unsafe — warn instead of
96
+ # guessing.
97
+ matches=$(docker exec "$CONTAINER" sh -c 'find /app/dist -type f -name "$1" 2>/dev/null' sh "$base" 2>/dev/null || true)
98
+ match_count=$(printf '%s\n' "$matches" | sed '/^$/d' | wc -l | tr -d ' ')
99
+ if [[ "$match_count" == "1" ]]; then
100
+ target=$(printf '%s\n' "$matches" | sed '/^$/d' | head -n1)
101
+ if docker cp "$f" "${CONTAINER}:${target}" >/dev/null 2>&1; then
102
+ log " patched legacy runtime file ${target}"
103
+ else
104
+ log " WARN failed to patch legacy runtime file ${target}"
105
+ fi
106
+ elif [[ "$match_count" != "0" ]]; then
107
+ log " WARN ${base} matched ${match_count} files under /app/dist; not patching legacy runtime path"
108
+ fi
87
109
  done
88
110
 
89
111
  if [[ "$applied" -eq 0 ]]; then
@@ -9,7 +9,7 @@
9
9
  # erp.<domain> → http://exe-sso-edge:80 (unified SSO redirect)
10
10
  # gateway.<domain> → http://exe-gateway:3100
11
11
  # monitor.<domain> → http://exe-monitor-hub:8090
12
- # auth.<domain> → http://gotrue:9999
12
+ # auth.<domain> → http://exe-auth:80 (auth gateway — NOT raw gotrue:9999; bug 802661a5)
13
13
  # api.<domain> → http://exe-os:8765
14
14
  # No config.yml or credentials file needed — the token embeds everything.
15
15
  #
@@ -51,9 +51,12 @@ ingress:
51
51
  service: http_status:404
52
52
  - hostname: monitor.CHANGEME_DOMAIN
53
53
  service: http://exe-monitor-hub:8090
54
- # Auth (GoTrue)
54
+ # Auth gateway (login SPA + /api/ proxy to GoTrue). Bug 802661a5: routing
55
+ # auth.<domain> straight to raw gotrue:9999 bypasses the exe-auth gateway —
56
+ # no login UI, no CORS/domain templating, and GoTrue's API is exposed as the
57
+ # public front door. Always route through the exe-auth container.
55
58
  - hostname: auth.CHANGEME_DOMAIN
56
- service: http://gotrue:9999
59
+ service: http://exe-auth:80
57
60
  # exe-os daemon (MCP)
58
61
  - hostname: api.CHANGEME_DOMAIN
59
62
  service: http://exe-os:8765
@@ -68,6 +68,15 @@ services:
68
68
  # container recreation; push it off-box for true disaster recovery.
69
69
  - pg_wal_archive:/var/lib/postgresql/wal_archive
70
70
  - ./init-db.sql:/docker-entrypoint-initdb.d/01-init.sql:ro
71
+ # bug ad645206: STABLE loopback-only host port for host-side tooling
72
+ # (dashboard snapshot crons, collectors, OCR workers, psql). Container IPs
73
+ # on the backend network (10.42.0.x) are REASSIGNED whenever the stack is
74
+ # recreated by an update — every script that hardcoded an IP broke silently
75
+ # (ECONNREFUSED for days). Host scripts must connect to
76
+ # 127.0.0.1:${EXE_DB_HOST_PORT} (default 55432); in-network services keep
77
+ # using the service hostname exe-db:5432. Never reference a container IP.
78
+ ports:
79
+ - "127.0.0.1:${EXE_DB_HOST_PORT:-55432}:5432"
71
80
  networks:
72
81
  - backend
73
82
  healthcheck:
@@ -507,7 +516,7 @@ services:
507
516
  # offline boots fail). WIKI_EXE_OS_NPM_VERSION defaults to the stack's
508
517
  # pinned exe-os npm version and is threaded into the spawn args.
509
518
  EXE_OS_MCP_COMMAND: ${WIKI_EXE_OS_MCP_COMMAND:-npx}
510
- EXE_OS_MCP_ARGS: ${WIKI_EXE_OS_MCP_ARGS:--y @askexenow/exe-os@${WIKI_EXE_OS_NPM_VERSION:-0.9.318} mcp}
519
+ EXE_OS_MCP_ARGS: ${WIKI_EXE_OS_MCP_ARGS:--y @askexenow/exe-os@${WIKI_EXE_OS_NPM_VERSION:-0.9.322} mcp}
511
520
  BRANDING_CONFIG_PATH: /app/branding.json
512
521
  ports:
513
522
  - "127.0.0.1:${WIKI_HOST_PORT:-3001}:3001"
@@ -693,6 +702,21 @@ services:
693
702
  EXED_MCP_URL: http://exe-os:48739/mcp
694
703
  EXED_MCP_TOKEN: ${EXED_MCP_TOKEN:?EXED_MCP_TOKEN is required}
695
704
  CRM_GRAPHQL_URL: ${CRM_GRAPHQL_URL:-http://exe-crm:3000/graphql}
705
+ # bug 0b66164c: CRM bridge auth token. The per-service env allowlist that
706
+ # replaced the blanket `env_file: .env` (bug 67d62490) silently DROPPED
707
+ # CRM_API_TOKEN from the gateway container on the next stack update — the
708
+ # CRM bridge disabled itself ("CRM bridge Disabled — CRM_API_TOKEN not
709
+ # set") and WhatsApp→CRM contact sync stopped with no alert. Pass the
710
+ # token through explicitly, defaulting to the EXE_CRM_ADMIN_TOKEN that
711
+ # generate-env.ts already provisions (the CRM accepts it as an admin API
712
+ # token), so a fresh stack has a working bridge out of the box.
713
+ CRM_API_TOKEN: ${CRM_API_TOKEN:-${EXE_CRM_ADMIN_TOKEN:-}}
714
+ # bug a99c1462: opt-in Baileys v7 auth-state migration. When a gateway
715
+ # update crosses a Baileys major (pre-v7 auth state invalid → fresh QR +
716
+ # reconnect loop), set this to 1 in .env for ONE restart: the gateway
717
+ # archives the old WhatsApp auth (kept 7 days) and starts a clean QR
718
+ # pairing flow. Re-pair at https://gateway.<domain>/pair/<account>, then unset.
719
+ EXE_GATEWAY_CONFIRM_BAILEYS_V7_REPAIR: ${EXE_GATEWAY_CONFIRM_BAILEYS_V7_REPAIR:-}
696
720
  ERROR_REPORTING_ENABLED: "true"
697
721
  MONITOR_ERROR_URL: http://exe-monitor-hub:8090/api/exe-monitor/errors
698
722
  # bug 182c6da3 / a125785d: shared monitor secret. The hub authenticates the
@@ -721,6 +745,12 @@ services:
721
745
  # EXE_GATEWAY_HOME; the old /app/auth_info mount was unreachable when the
722
746
  # gateway used its default path. gateway.json authDir updated to match.
723
747
  - gateway_whatsapp_auth:/data/auth_info
748
+ # bug d16a808f/a99c1462: keep the SAME WhatsApp auth-state volume visible
749
+ # at the newer Baileys/default gateway path too. Some gateway builds used
750
+ # /data/.auth/whatsapp-* regardless of gateway.json authDir; exposing one
751
+ # volume at both paths prevents an image update from "losing" pairings just
752
+ # because the app switched auth directories.
753
+ - gateway_whatsapp_auth:/data/.auth
724
754
  - ./gateway.json:/data/gateway.json:ro
725
755
  # bug 02bc1bb8: PERSISTENT customer-overlay bind-mount. Anything the
726
756
  # customer drops in the host ./overlay dir (e.g. po-intake.js) is exposed
@@ -904,6 +934,11 @@ services:
904
934
  condition: service_healthy
905
935
  exe-erp-nginx:
906
936
  condition: service_healthy
937
+ # Bug 462d3273: the edge's /_sso_gate validates ?access_token= against
938
+ # GoTrue (upstream sso_gotrue → gotrue:9999) instead of trusting its
939
+ # presence, so the edge needs GoTrue resolvable and healthy at start.
940
+ gotrue:
941
+ condition: service_healthy
907
942
  environment:
908
943
  DOMAIN: ${DOMAIN:?DOMAIN is required — set to your customer apex domain (e.g. hygo.co)}
909
944
  # Neutralize nginx:alpine's built-in 20-envsubst-on-templates.sh: it would
@@ -51,6 +51,10 @@ const DEFAULT_MONITOR_HUB_URL = "http://exe-monitor-hub:8090";
51
51
  const DEFAULT_MONITOR_AGENT_LISTEN = ":45876";
52
52
  const DEFAULT_EXE_MCP_HOST_BIND = "127.0.0.1";
53
53
  const DEFAULT_EXE_MCP_HOST_PORT = "48739";
54
+ // bug ad645206: stable loopback-only host port for exe-db so host-side scripts
55
+ // never hardcode a (reassigned-on-update) container IP. 55432 avoids colliding
56
+ // with a host-local Postgres on 5432.
57
+ const DEFAULT_EXE_DB_HOST_PORT = "55432";
54
58
 
55
59
  export interface GenerateEnvOptions {
56
60
  clientName: string;
@@ -73,6 +77,12 @@ export function generateEnv(options: GenerateEnvOptions): string {
73
77
  `POSTGRES_USER=${POSTGRES_USER}`,
74
78
  `POSTGRES_PASSWORD=${randomSecret(RANDOM_SECRET_32)}`,
75
79
  `POSTGRES_DB=${POSTGRES_DB}`,
80
+ "# bug ad645206: NEVER connect to exe-db via its container IP (10.42.0.x) —",
81
+ "# container IPs are reassigned on every stack update and silently break any",
82
+ "# script that hardcodes them. In-network services use the service hostname",
83
+ "# exe-db:5432; host-side scripts (crons, collectors, OCR workers) use the",
84
+ "# stable loopback port below (published as 127.0.0.1:<port> by compose).",
85
+ `EXE_DB_HOST_PORT=${DEFAULT_EXE_DB_HOST_PORT}`,
76
86
  "",
77
87
  `CLICKHOUSE_DB=${CLICKHOUSE_DB}`,
78
88
  `CLICKHOUSE_USER=${CLICKHOUSE_USER}`,
@@ -190,6 +200,17 @@ export function generateEnv(options: GenerateEnvOptions): string {
190
200
  "GATEWAY_GOTRUE_URL=http://gotrue:9999",
191
201
  "# CRM bridge: exe-gateway reaches exe-crm through Docker service DNS.",
192
202
  `CRM_GRAPHQL_URL=${DEFAULT_CRM_GRAPHQL_URL}`,
203
+ "# bug 0b66164c: CRM bridge token. Compose passes CRM_API_TOKEN into the",
204
+ "# gateway container, defaulting to the EXE_CRM_ADMIN_TOKEN generated in the",
205
+ "# CRM block above — set this only to override with a dedicated token. If the",
206
+ "# gateway logs 'CRM bridge Disabled', check this chain and recreate the",
207
+ "# gateway container.",
208
+ "# CRM_API_TOKEN=",
209
+ "# bug a99c1462: one-time Baileys v7 WhatsApp auth migration. Set =1 for a",
210
+ "# single gateway restart after an update that invalidates WhatsApp auth",
211
+ "# (fresh-QR reconnect loop): old auth is archived and a clean QR pairing",
212
+ "# starts. Re-pair at https://gateway.<domain>/pair/<account>, then unset.",
213
+ "# EXE_GATEWAY_CONFIRM_BAILEYS_V7_REPAIR=1",
193
214
  "# Error forwarding to exe-monitor-hub (strongly recommended for production)",
194
215
  "ERROR_REPORTING_ENABLED=true",
195
216
  "MONITOR_ERROR_URL=http://exe-monitor-hub:8090/api/exe-monitor/errors",
@@ -271,7 +292,7 @@ export function generateEnv(options: GenerateEnvOptions): string {
271
292
  "# erp.<domain> → http://exe-sso-edge:80 (NOT exe-erp / exe-erp-nginx)",
272
293
  "# gateway.<domain> → http://exe-gateway:3100 (routed directly — no SSO gate)",
273
294
  "# monitor.<domain> → http://exe-monitor-hub:8090",
274
- "# auth.<domain> → http://gotrue:9999",
295
+ "# auth.<domain> → http://exe-auth:80 (auth gateway — NOT raw gotrue:9999; bug 802661a5)",
275
296
  "# api.<domain> → http://exe-os:8765",
276
297
  MANUAL_VALUE_COMMENT,
277
298
  "CLOUDFLARE_TUNNEL_TOKEN=",
@@ -296,6 +317,12 @@ export function generateExampleEnv(): string {
296
317
  `POSTGRES_USER=${POSTGRES_USER}`,
297
318
  "POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD",
298
319
  `POSTGRES_DB=${POSTGRES_DB}`,
320
+ "# bug ad645206: NEVER connect to exe-db via its container IP (10.42.0.x) —",
321
+ "# container IPs are reassigned on every stack update and silently break any",
322
+ "# script that hardcodes them. In-network services use the service hostname",
323
+ "# exe-db:5432; host-side scripts (crons, collectors, OCR workers) use the",
324
+ "# stable loopback port below (published as 127.0.0.1:<port> by compose).",
325
+ `EXE_DB_HOST_PORT=${DEFAULT_EXE_DB_HOST_PORT}`,
299
326
  "",
300
327
  `CLICKHOUSE_DB=${CLICKHOUSE_DB}`,
301
328
  `CLICKHOUSE_USER=${CLICKHOUSE_USER}`,
@@ -425,6 +452,17 @@ export function generateExampleEnv(): string {
425
452
  "GATEWAY_GOTRUE_URL=http://gotrue:9999",
426
453
  "# CRM bridge: exe-gateway reaches exe-crm through Docker service DNS.",
427
454
  `CRM_GRAPHQL_URL=${DEFAULT_CRM_GRAPHQL_URL}`,
455
+ "# bug 0b66164c: CRM bridge token. Compose passes CRM_API_TOKEN into the",
456
+ "# gateway container, defaulting to the EXE_CRM_ADMIN_TOKEN generated in the",
457
+ "# CRM block above — set this only to override with a dedicated token. If the",
458
+ "# gateway logs 'CRM bridge Disabled', check this chain and recreate the",
459
+ "# gateway container.",
460
+ "# CRM_API_TOKEN=",
461
+ "# bug a99c1462: one-time Baileys v7 WhatsApp auth migration. Set =1 for a",
462
+ "# single gateway restart after an update that invalidates WhatsApp auth",
463
+ "# (fresh-QR reconnect loop): old auth is archived and a clean QR pairing",
464
+ "# starts. Re-pair at https://gateway.<domain>/pair/<account>, then unset.",
465
+ "# EXE_GATEWAY_CONFIRM_BAILEYS_V7_REPAIR=1",
428
466
  "# Error forwarding to exe-monitor-hub (strongly recommended for production)",
429
467
  "ERROR_REPORTING_ENABLED=true",
430
468
  "MONITOR_ERROR_URL=http://exe-monitor-hub:8090/api/exe-monitor/errors",
@@ -516,7 +554,7 @@ export function generateExampleEnv(): string {
516
554
  "# erp.<domain> → http://exe-sso-edge:80 (NOT exe-erp / exe-erp-nginx)",
517
555
  "# gateway.<domain> → http://exe-gateway:3100 (routed directly — no SSO gate)",
518
556
  "# monitor.<domain> → http://exe-monitor-hub:8090",
519
- "# auth.<domain> → http://gotrue:9999",
557
+ "# auth.<domain> → http://exe-auth:80 (auth gateway — NOT raw gotrue:9999; bug 802661a5)",
520
558
  "# api.<domain> → http://exe-os:8765",
521
559
  MANUAL_VALUE_COMMENT,
522
560
  "CLOUDFLARE_TUNNEL_TOKEN=CHANGEME_CLOUDFLARE_TUNNEL_TOKEN",
@@ -20,6 +20,17 @@ upstream sso_crm { server exe-crm:3000; }
20
20
  upstream sso_wiki { server exe-wiki:3001; }
21
21
  # ERP must be reached through its own nginx (gunicorn can't serve /assets/ — bug 6776edf0)
22
22
  upstream sso_erp { server exe-erp-nginx:80; }
23
+ # Shared GoTrue — the sso-redirect snippet's /_sso_gate validates ?access_token=
24
+ # against GET /user here instead of trusting its presence (P0 bug 462d3273).
25
+ upstream sso_gotrue { server gotrue:9999; }
26
+
27
+ # Extract the SSO callback token from the request line (P0 bug 462d3273).
28
+ # The gate's auth_request subrequest does not inherit the query string, but it
29
+ # does inherit $request_uri — this map is how /_sso_gate reads the token.
30
+ map $request_uri $sso_uri_access_token {
31
+ default "";
32
+ "~[?&]access_token=(?<tok>[^&]+)" $tok;
33
+ }
23
34
 
24
35
  map $http_upgrade $sso_conn_upgrade {
25
36
  default upgrade;
@@ -1,5 +1,5 @@
1
1
  # ─────────────────────────────────────────────────────────────────────────────
2
- # Unified SSO redirect snippet (bug 66f8e10a)
2
+ # Unified SSO redirect snippet (bug 66f8e10a, hardened for bug 462d3273)
3
3
  #
4
4
  # Funnels UNAUTHENTICATED visitors of an app subdomain (crm / wiki / erp) to the
5
5
  # central auth gateway at auth.<domain>, then lets the gateway redirect them back
@@ -7,20 +7,42 @@
7
7
  # advertised "single front door" does not exist.
8
8
  #
9
9
  # ── How it works ────────────────────────────────────────────────────────────
10
- # 1. nginx checks for a session cookie that the app sets once authenticated.
11
- # The cookie name differs per app (Twenty/CRM, Wiki, Frappe/ERP) set it
12
- # via $sso_session_cookie below.
13
- # 2. If the cookie is ABSENT, nginx 302-redirects to:
10
+ # 1. Every request runs the edge auth gate (auth_request /_sso_gate).
11
+ # 2. If the app session cookie is present the request passes (the app validates
12
+ # its own session server-side — the cookie name differs per app; set it via
13
+ # $sso_session_cookie below).
14
+ # 3. If the request carries ?access_token= (the SSO callback), the edge
15
+ # VALIDATES the token against the shared GoTrue (`GET /user` with
16
+ # `Authorization: Bearer <token>`) before letting it through. P0 bug
17
+ # 462d3273: the edge previously trusted the mere PRESENCE of the query
18
+ # param, so `?access_token=anything` bypassed the gate. Presence is never
19
+ # trusted — only a token GoTrue accepts passes.
20
+ # 4. Anything else 401s inside the gate and is 302-redirected to:
14
21
  # https://auth.<domain>/?product=<App>&redirect=https://<app>.<domain><uri>
15
- # 3. The gateway authenticates against the shared GoTrue and bounces the user
16
- # back to the app URL with ?access_token=<jwt>&refresh_token=<...>.
17
- # 4. The app consumes the token (it already shares GoTrue) and sets its session
18
- # cookie subsequent requests carry the cookie and skip the redirect.
22
+ # 5. The gateway authenticates against the shared GoTrue and bounces the user
23
+ # back to the app URL with ?access_token=<jwt>&refresh_token=<...>. The app
24
+ # consumes the token and sets its session cookie subsequent requests carry
25
+ # the cookie and skip the GoTrue round-trip (gate returns 204 locally).
19
26
  #
20
27
  # ── Per-customer install ────────────────────────────────────────────────────
21
28
  # These are templated values — replace before installing, or render with envsubst
22
29
  # (DOMAIN, APP_NAME, APP_SUBDOMAIN, APP_SESSION_COOKIE):
23
30
  #
31
+ # # TWO http-context declarations MUST exist once per nginx config (the
32
+ # # compose edge ships them in sso-edge/default.conf.template; host-nginx
33
+ # # installs add them next to their `include`s — see sso-redirect.README.md):
34
+ # #
35
+ # # 1. The shared GoTrue upstream the gate validates tokens against
36
+ # # (compose: `server gotrue:9999`; host nginx: the published port):
37
+ # upstream sso_gotrue { server 127.0.0.1:9999; }
38
+ # # 2. The callback-token extractor. The auth_request subrequest does not
39
+ # # inherit the query string, but it DOES inherit $request_uri, so the
40
+ # # token is mapped from it:
41
+ # map $request_uri $sso_uri_access_token {
42
+ # default "";
43
+ # "~[?&]access_token=(?<tok>[^&]+)" $tok;
44
+ # }
45
+ #
24
46
  # server {
25
47
  # server_name crm.${DOMAIN};
26
48
  # set $sso_auth_base "https://auth.${DOMAIN}";
@@ -40,24 +62,71 @@
40
62
  # the stack with Cloudflare Tunnel instead of host nginx, implement the same gate
41
63
  # with Cloudflare Access (see sso-redirect.README.md) — cloudflared ingress alone
42
64
  # cannot express a cookie-conditional redirect.
65
+ #
66
+ # NOTE: cookie PRESENCE is still trusted at the edge (the CRM/ERP session cookies
67
+ # are app-native sessions the edge cannot verify against GoTrue); each app fully
68
+ # validates its own session server-side. The edge gate's job is the login funnel
69
+ # plus never letting an unvalidated bearer token skip it (bug 462d3273).
43
70
  # ─────────────────────────────────────────────────────────────────────────────
44
71
 
45
- # Decide whether the request is authenticated. If the app session cookie is
46
- # present we treat the request as authenticated and do NOT redirect.
47
- # $sso_session_cookie must be set by the including server block (default: empty).
48
- set $sso_needs_login 1;
49
- if ($sso_session_cookie) {
50
- set $sso_needs_login 0;
72
+ # Run the gate for every request on this vhost. The gate is a zero-cost local
73
+ # check when the session cookie is present; it only round-trips to GoTrue for
74
+ # the ?access_token= SSO callback. A gate 401 becomes the login redirect below.
75
+ # Requires nginx built with ngx_http_auth_request_module (present in the
76
+ # official nginx / nginx:alpine builds).
77
+ auth_request /_sso_gate;
78
+ error_page 401 = @sso_login;
79
+
80
+ location = /_sso_gate {
81
+ internal;
82
+ auth_request off; # never gate the gate (recursion guard)
83
+
84
+ # The gate must answer the auth subrequest with a PLAIN 401 — without this
85
+ # override, the server-level `error_page 401 = @sso_login` would intercept
86
+ # the internally-generated 401s below and turn the subrequest into a 302,
87
+ # which auth_request rejects ("auth request unexpected status: 302").
88
+ error_page 401 = @sso_gate_deny;
89
+
90
+ # 1. App session cookie present → authenticated (app re-validates it).
91
+ if ($sso_session_cookie) {
92
+ return 204;
93
+ }
94
+
95
+ # 2. No cookie and no token → unauthenticated → login redirect.
96
+ # $sso_uri_access_token comes from the REQUIRED http-context map (see
97
+ # header comment): the auth_request subrequest does not inherit the
98
+ # query string (so $arg_access_token is empty here) and server-level
99
+ # `set` re-runs empty in the subrequest — but $request_uri IS inherited,
100
+ # so a map over it yields the callback token reliably.
101
+ if ($sso_uri_access_token = "") {
102
+ return 401;
103
+ }
104
+
105
+ # 3. SSO callback: VALIDATE the token against the shared GoTrue.
106
+ # GET /user returns 200 only for a currently-valid access token; any
107
+ # 401/403 propagates and triggers the login redirect. If GoTrue is
108
+ # unreachable the subrequest 5xx fails the gate (fail closed).
109
+ proxy_pass http://sso_gotrue/user;
110
+ proxy_pass_request_body off;
111
+ proxy_set_header Content-Length "";
112
+ proxy_set_header Authorization "Bearer $sso_uri_access_token";
113
+ proxy_set_header Cookie "";
114
+ proxy_connect_timeout 5s;
115
+ proxy_send_timeout 5s;
116
+ proxy_read_timeout 5s;
51
117
  }
52
118
 
53
- # Never redirect the SSO callback itself (it carries ?access_token=) or static/
54
- # health/API paths only redirect top-level navigations.
55
- if ($arg_access_token) {
56
- set $sso_needs_login 0;
119
+ # Plain-401 sink for the gate subrequest (see error_page inside /_sso_gate).
120
+ # recursive_error_pages is off by default, so this terminal 401 is not
121
+ # re-intercepted by the server-level error_page.
122
+ location @sso_gate_deny {
123
+ auth_request off;
124
+ return 401;
57
125
  }
58
126
 
59
- # Perform the redirect for unauthenticated top-level page loads.
127
+ # Login redirect for unauthenticated top-level page loads.
60
128
  # $request_uri preserves the path + query the user was trying to reach.
61
- if ($sso_needs_login = 1) {
129
+ location @sso_login {
130
+ auth_request off;
62
131
  return 302 "$sso_auth_base/?product=$sso_product&redirect=$sso_app_url$request_uri";
63
132
  }
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "schemaVersion": 1,
3
- "latest": "0.9.28",
3
+ "latest": "0.9.29",
4
4
  "stacks": {
5
5
  "0.9.0": {
6
6
  "version": "0.9.0",
@@ -1906,11 +1906,119 @@
1906
1906
  "category": "infra"
1907
1907
  }
1908
1908
  }
1909
+ },
1910
+ "0.9.29": {
1911
+ "version": "0.9.29",
1912
+ "releasedAt": "2026-07-04T00:00:00Z",
1913
+ "notes": "exe-os v0.9.324 (#305 daemon event-loop, #307 orchestration dispatch, #308 customer-readiness, #309 MCP transport isolation + coordinator-orphan reaper), exe-gateway v0.9.28 (#55: WhatsApp auth persistence, crm-bridge push_name, overlay loading, raw-event replay ON CONFLICT, health adapter state, Prisma migrations), exe-crm v0.9.53 (#58: startup-crash WorkspaceDomainsService + upgrade command + version resolution + k8s hardening), exe-wiki v0.9.27 (#34: test-teardown). Other services unchanged from 0.9.28.",
1914
+ "npmVersion": "0.9.324",
1915
+ "services": {
1916
+ "exe-db": {
1917
+ "image": "pgvector/pgvector:0.8.0-pg16@sha256:a132765ec351c65111b5b675928a3a0515a466a40f97277329db8b8209ad8bc9",
1918
+ "env": "EXE_DB_IMAGE",
1919
+ "composeService": "exe-db",
1920
+ "required": true,
1921
+ "category": "core",
1922
+ "description": "Postgres (pgvector) — digest-pinned (bug 32d6e02f; was tag-only in 0.9.25, regressed from 0.9.24)"
1923
+ },
1924
+ "exe-os": {
1925
+ "image": "update.askexe.com/askexe/exe-os:v0.9.324@sha256:3ce6406e0f7f279ff2568bbbb7d55de51a46fdf35c49691f24fd959d6fd2d3fa",
1926
+ "env": "EXE_OS_IMAGE_TAG",
1927
+ "composeService": "exe-os",
1928
+ "healthUrl": "http://127.0.0.1:8765/health",
1929
+ "required": true,
1930
+ "category": "core",
1931
+ "description": "exe-os daemon + MCP server"
1932
+ },
1933
+ "crm": {
1934
+ "image": "update.askexe.com/askexe/exe-crm:v0.9.53@sha256:a586dcc8bbd992538e3caa18c44e772d30f31155dfef0a2b7466ca3fc7c553d8",
1935
+ "env": "CRM_IMAGE_TAG",
1936
+ "composeService": "exe-crm",
1937
+ "healthUrl": "http://127.0.0.1:3000/healthz",
1938
+ "category": "app"
1939
+ },
1940
+ "wiki": {
1941
+ "image": "update.askexe.com/askexe/exe-wiki:v0.9.27@sha256:a422e787f06850a5302dc560bfb1b944d8b35927607ded762bbda610fb7db48d",
1942
+ "env": "WIKI_IMAGE_TAG",
1943
+ "composeService": "exe-wiki",
1944
+ "healthUrl": "http://127.0.0.1:3001/api/ping",
1945
+ "category": "app"
1946
+ },
1947
+ "gateway": {
1948
+ "image": "update.askexe.com/askexe/exe-gateway:v0.9.28@sha256:b3ab35cf00490711c4ae945d06da042cb285ca1c07902ea1c2e28ca540741a5d",
1949
+ "env": "GATEWAY_IMAGE_TAG",
1950
+ "composeService": "exe-gateway",
1951
+ "healthUrl": "http://127.0.0.1:3100/health",
1952
+ "category": "app",
1953
+ "description": "WhatsApp/messaging gateway — CRM bridge fix, BYOK alias, SQL race fix, Baileys WA version floor"
1954
+ },
1955
+ "monitorAgent": {
1956
+ "image": "update.askexe.com/askexe/exe-monitor-agent:v0.9.5@sha256:cada7dace00ccb629aa10976e80e20d7d25685042519bd2aec58ab4bf35ff0cd",
1957
+ "env": "MONITOR_AGENT_IMAGE_TAG",
1958
+ "composeService": "exe-monitor-agent",
1959
+ "category": "monitoring"
1960
+ },
1961
+ "monitorHub": {
1962
+ "image": "update.askexe.com/askexe/exe-monitor-hub:v0.9.5@sha256:1af31893cc8b1e51892be7d7705fa6c6b3108af8366b1fa8da2879d8ae21ec88",
1963
+ "env": "MONITOR_HUB_IMAGE_TAG",
1964
+ "composeService": "exe-monitor-hub",
1965
+ "healthUrl": "http://127.0.0.1:8090/api/health",
1966
+ "category": "monitoring"
1967
+ },
1968
+ "auth": {
1969
+ "image": "update.askexe.com/askexe/exe-auth:v0.1.0@sha256:5de4fe282c60c9877b6a0e22cfba43f6222982d81eb315667e9479eb94d94d7a",
1970
+ "env": "AUTH_IMAGE_TAG",
1971
+ "composeService": "exe-auth",
1972
+ "healthUrl": "http://127.0.0.1:3300/api/health",
1973
+ "category": "auth"
1974
+ },
1975
+ "erp": {
1976
+ "image": "update.askexe.com/askexe/exe-erp:v0.2.0-final8@sha256:15bb6020b109b4dfd51d245273ffa88bbfbaf0de09da05a09e6b6f9344b00c46",
1977
+ "env": "ERP_IMAGE_TAG",
1978
+ "composeService": "exe-erp",
1979
+ "healthUrl": "http://127.0.0.1:8069/api/method/ping",
1980
+ "healthHost": "localhost",
1981
+ "required": false,
1982
+ "category": "app",
1983
+ "description": "Enterprise Resource Planning"
1984
+ },
1985
+ "gotrue": {
1986
+ "image": "supabase/gotrue:v2.172.1@sha256:b0dd7aa28dd1f9a8bd31f136c8b912661f701d9b863171e5843cb08f18f49de4",
1987
+ "composeService": "gotrue",
1988
+ "healthUrl": "http://127.0.0.1:9999/health",
1989
+ "category": "infra"
1990
+ },
1991
+ "redis": {
1992
+ "image": "redis:7.4-alpine@sha256:6ab0b6e7381779332f97b8ca76193e45b0756f38d4c0dcda72dbb3c32061ab99",
1993
+ "composeService": "redis",
1994
+ "category": "infra"
1995
+ },
1996
+ "clickhouse": {
1997
+ "image": "clickhouse/clickhouse-server:24.8.4.13-alpine@sha256:88a45f9e328549b2579256c46ee38e5c0e25ae58303d9eb6d9c7ed8d6d2bbf3c",
1998
+ "composeService": "clickhouse",
1999
+ "category": "infra"
2000
+ },
2001
+ "cloudflared": {
2002
+ "image": "cloudflare/cloudflared@sha256:ba461b8aa9c042156dbd39c38657fe7431bafa063220eab8d5330a523863da9f",
2003
+ "composeService": "cloudflared",
2004
+ "category": "infra"
2005
+ },
2006
+ "exe-sso-edge": {
2007
+ "image": "nginx:alpine@sha256:20316569d8f81a160065d7d2a5eeffc7ca97d79022462ee255fd23fa103a6b5c",
2008
+ "composeService": "exe-sso-edge",
2009
+ "category": "infra"
2010
+ },
2011
+ "exe-otel-collector": {
2012
+ "image": "otel/opentelemetry-collector-contrib:0.114.0@sha256:37fa87091cfaaec7234a27e4e395a40c31c2bfaea97a349a4afef6d9e9681197",
2013
+ "composeService": "exe-otel-collector",
2014
+ "category": "infra"
2015
+ }
2016
+ }
1909
2017
  }
1910
2018
  },
1911
2019
  "signature": {
1912
2020
  "keyId": "exe-stack-1",
1913
2021
  "alg": "ed25519",
1914
- "signature": "QYIPCDJ7lIcg4E3qgzq9vZnOEvN8D5JZFKAxb8ho+uWrS6aHAyWJv3VLZTRNG9+dO5XbfG4CLCJMbTo4bMpPCA=="
2022
+ "signature": "7e/1gwcJB83aPHZPJHEnZRI/Nc4Rr5NZn4qyqk3f9Bv6KruxygvvagcUs/u+NPjWrzyXIUK5nimpGsaulJf7DQ=="
1915
2023
  }
1916
2024
  }
@@ -6,12 +6,12 @@ import {
6
6
  getAllActiveAgents,
7
7
  resolveActiveAgentFromTmuxSession,
8
8
  writeActiveAgent
9
- } from "./chunk-EOPSIIEH.js";
9
+ } from "./chunk-ID3V4BWS.js";
10
10
  import "./chunk-CVYC6DUW.js";
11
11
  import "./chunk-GJV3WDWM.js";
12
- import "./chunk-XLNF3CIO.js";
12
+ import "./chunk-QGOMYIVT.js";
13
13
  import "./chunk-2I23RPSI.js";
14
- import "./chunk-WXRVHXVP.js";
14
+ import "./chunk-7577GDDG.js";
15
15
  import "./chunk-PNQDP3OA.js";
16
16
  import "./chunk-H73TUI4Y.js";
17
17
  import "./chunk-7HLWBYH7.js";
@@ -5,12 +5,12 @@ import {
5
5
  getAllActiveAgents,
6
6
  resolveActiveAgentFromTmuxSession,
7
7
  writeActiveAgent
8
- } from "./chunk-EOPSIIEH.js";
8
+ } from "./chunk-ID3V4BWS.js";
9
9
  import "./chunk-CVYC6DUW.js";
10
10
  import "./chunk-GJV3WDWM.js";
11
- import "./chunk-XLNF3CIO.js";
11
+ import "./chunk-QGOMYIVT.js";
12
12
  import "./chunk-2I23RPSI.js";
13
- import "./chunk-WXRVHXVP.js";
13
+ import "./chunk-7577GDDG.js";
14
14
  import "./chunk-PNQDP3OA.js";
15
15
  import "./chunk-H73TUI4Y.js";
16
16
  import "./chunk-7HLWBYH7.js";
@@ -10,7 +10,7 @@ import {
10
10
  insertOntologyForMemory,
11
11
  ontologyPayload,
12
12
  stableId
13
- } from "./chunk-DY3J6GQO.js";
13
+ } from "./chunk-H43BPGIV.js";
14
14
  import "./chunk-MLKGABMK.js";
15
15
  export {
16
16
  ONTOLOGY_YIELD_EVERY,
@@ -0,0 +1,19 @@
1
+ import {
2
+ NOT_PARKED_SQL,
3
+ PARKED_EMBEDDING_MODEL,
4
+ PARKED_EMBEDDING_MODEL_PREFIX,
5
+ backfillKillSwitchEnabled,
6
+ computeBackfillDisabled,
7
+ countActionableNullVectors
8
+ } from "./chunk-KPIN44GZ.js";
9
+ import "./chunk-7Y5UDEVM.js";
10
+ import "./chunk-SHIICYJW.js";
11
+ import "./chunk-MLKGABMK.js";
12
+ export {
13
+ NOT_PARKED_SQL,
14
+ PARKED_EMBEDDING_MODEL,
15
+ PARKED_EMBEDDING_MODEL_PREFIX,
16
+ backfillKillSwitchEnabled,
17
+ computeBackfillDisabled,
18
+ countActionableNullVectors
19
+ };