@askexenow/exe-os 0.9.62 → 0.9.63

package/dist/bin/cli.js

@@ -820,7 +820,7 @@ function isLegacySplitPostToolCommand(command) {
 function textHasLegacySplitPostToolHook(text) {
   return [EXE_HOOK_FILES.ingest, EXE_HOOK_FILES.errorRecall, EXE_HOOK_FILES.ingestWorker].some((file) => text.includes(file));
 }
-var EXE_HOOK_FILES, EXE_HOOKS, LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS;
+var EXE_HOOK_FILES, EXE_HOOKS, EXE_HOOK_MANIFEST, LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS;
 var init_runtime_hook_manifest = __esm({
   "src/adapters/runtime-hook-manifest.ts"() {
     "use strict";
@@ -844,6 +844,116 @@ var init_runtime_hook_manifest = __esm({
       notification: "dist/hooks/notification.js",
       instructionsLoaded: "dist/hooks/instructions-loaded.js"
     };
+    EXE_HOOK_MANIFEST = [
+      {
+        key: "postToolCombined",
+        event: "PostToolUse",
+        commandMarker: EXE_HOOKS.postToolCombined,
+        owner: "exe-os",
+        purpose: "Single PostToolUse entrypoint for ingestion, error recall, summaries, and bug detection.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "none"
+      },
+      {
+        key: "sessionStart",
+        event: "SessionStart",
+        commandMarker: EXE_HOOKS.sessionStart,
+        owner: "exe-os",
+        purpose: "Loads agent identity, procedures, and boot context.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "none"
+      },
+      {
+        key: "promptSubmit",
+        event: "UserPromptSubmit",
+        commandMarker: EXE_HOOKS.promptSubmit,
+        owner: "exe-os",
+        purpose: "Injects current tasks, pending reviews, and local context before each prompt.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "none"
+      },
+      {
+        key: "heartbeat",
+        event: "UserPromptSubmit",
+        commandMarker: EXE_HOOKS.heartbeat,
+        owner: "exe-os",
+        purpose: "Lightweight heartbeat/status sidecar for Claude Code sessions.",
+        runtimes: ["claude"],
+        checkpointRole: "none"
+      },
+      {
+        key: "stop",
+        event: "Stop",
+        commandMarker: EXE_HOOKS.stop,
+        owner: "exe-os",
+        purpose: "Finalizes task state, capacity signals, and emergency checkpointing.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "capacity_checkpoint"
+      },
+      {
+        key: "preToolUse",
+        event: "PreToolUse",
+        commandMarker: EXE_HOOKS.preToolUse,
+        owner: "exe-os",
+        purpose: "Preflight guardrails before shell/tool execution.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "none"
+      },
+      {
+        key: "subagentStop",
+        event: "SubagentStop",
+        commandMarker: EXE_HOOKS.subagentStop,
+        owner: "exe-os",
+        purpose: "Captures subagent completion context.",
+        runtimes: ["claude"],
+        checkpointRole: "none"
+      },
+      {
+        key: "preCompact",
+        event: "PreCompact",
+        commandMarker: EXE_HOOKS.preCompact,
+        owner: "exe-os",
+        purpose: "Writes active-task snapshot and compaction recovery context.",
+        runtimes: ["claude"],
+        checkpointRole: "recovery_context"
+      },
+      {
+        key: "postCompact",
+        event: "PostCompact",
+        commandMarker: EXE_HOOKS.postCompact,
+        owner: "exe-os",
+        purpose: "Rehydrates recovery context after compaction.",
+        runtimes: ["claude"],
+        checkpointRole: "recovery_context"
+      },
+      {
+        key: "sessionEnd",
+        event: "SessionEnd",
+        commandMarker: EXE_HOOKS.sessionEnd,
+        owner: "exe-os",
+        purpose: "Stores session-end checkpoint and triages orphaned in-progress tasks.",
+        runtimes: ["claude"],
+        checkpointRole: "session_summary"
+      },
+      {
+        key: "notification",
+        event: "Notification",
+        commandMarker: EXE_HOOKS.notification,
+        owner: "exe-os",
+        purpose: "Captures runtime notifications and nudges.",
+        runtimes: ["claude"],
+        checkpointRole: "none"
+      },
+      {
+        key: "instructionsLoaded",
+        event: "InstructionsLoaded",
+        commandMarker: EXE_HOOKS.instructionsLoaded,
+        owner: "exe-os",
+        purpose: "Applies runtime instruction post-processing.",
+        runtimes: ["claude"],
+        checkpointRole: "none"
+      }
+    ];
     LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS = [
       "dist/hooks/ingest.js",
       "dist/hooks/error-recall.js",
@@ -17181,10 +17291,14 @@ function parseStackManifest(raw, publicKey) {
   }
   return parsed;
 }
-async function loadStackManifest(ref, fetchText = defaultFetchText, publicKey) {
-  if (/^https?:\/\//.test(ref)) return parseStackManifest(await fetchText(ref), publicKey);
+async function loadStackManifest(ref, fetchText = defaultFetchText, publicKey, authToken) {
+  if (/^https?:\/\//.test(ref)) return parseStackManifest(await fetchTextWithAuth(ref, fetchText, authToken), publicKey);
   return parseStackManifest(readFileSync25(ref, "utf8"), publicKey);
 }
+async function fetchTextWithAuth(ref, fetchText, authToken) {
+  if (!authToken || fetchText !== defaultFetchText) return fetchText(ref);
+  return defaultFetchText(ref, authToken);
+}
 function parseEnv(raw) {
   const env = /* @__PURE__ */ new Map();
   for (const line of raw.split(/\r?\n/)) {
@@ -17250,14 +17364,16 @@ async function runStackUpdate(options) {
   const exec2 = options.exec ?? defaultExec;
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
   if (options.rollback) return rollbackStackUpdate(options);
-  const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey);
+  const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey, options.manifestAuthToken);
   const envRaw = readFileSync25(options.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, options.targetVersion);
   assertBreakingChangesAllowed(plan, options.allowedBreakingChangeIds ?? []);
   const lockFile = options.lockFile ?? path37.join(path37.dirname(options.envFile), ".exe-stack-lock.json");
+  const previousVersion = readCurrentStackVersion(lockFile);
   if (options.dryRun || plan.changes.length === 0) {
     return { status: "planned", targetVersion: plan.targetVersion, changes: plan.changes, lockFile };
   }
+  await postDeployAudit(options, "started", plan.targetVersion, previousVersion);
   const backupDir = path37.join(path37.dirname(options.envFile), ".exe-stack-backups");
   mkdirSync19(backupDir, { recursive: true });
   const stamp = now().toISOString().replace(/[:.]/g, "-");
@@ -17274,6 +17390,7 @@ async function runStackUpdate(options) {
     exec2("docker", [...composeArgs, "up", "-d"]);
     await verifyReleaseHealth(plan.release, options.healthRetries ?? 12, options.healthDelayMs ?? 5e3);
     writeFileSync20(lockFile, JSON.stringify({ stackVersion: plan.targetVersion, updatedAt: now().toISOString(), backupEnvFile, services: plan.release.services }, null, 2) + "\n");
+    await postDeployAudit(options, "success", plan.targetVersion, previousVersion, void 0, { changes: plan.changes.length });
     return { status: "updated", targetVersion: plan.targetVersion, changes: plan.changes, backupEnvFile, lockFile };
   } catch (err) {
     writeFileSync20(options.envFile, envRaw, { mode: 384 });
@@ -17282,9 +17399,37 @@ async function runStackUpdate(options) {
     } catch {
     }
     const reason = err instanceof Error ? err.message : String(err);
+    await postDeployAudit(options, "failed", plan.targetVersion, previousVersion, reason, { rollbackAttempted: true });
     throw new Error(`Stack update failed and rollback was attempted: ${reason}`);
   }
 }
+function readCurrentStackVersion(lockFile) {
+  if (!existsSync30(lockFile)) return void 0;
+  try {
+    const parsed = JSON.parse(readFileSync25(lockFile, "utf8"));
+    return parsed.stackVersion;
+  } catch {
+    return void 0;
+  }
+}
+async function postDeployAudit(options, status, stackVersion, previousVersion, error, metadata) {
+  if (!options.auditUrl) return;
+  const postJson = options.postJson ?? defaultPostJson;
+  try {
+    await postJson(options.auditUrl, {
+      stackVersion,
+      previousVersion,
+      status,
+      error,
+      metadata,
+      deviceId: options.deviceId,
+      licenseKey: options.licenseKey
+    }, options.manifestAuthToken);
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    console.warn(`[stack-update] deploy audit failed: ${reason}`);
+  }
+}
 async function verifyReleaseHealth(release, retries, delayMs) {
   for (const [serviceName, service] of Object.entries(release.services)) {
     if (!service.healthUrl) continue;
@@ -17321,20 +17466,43 @@ function httpStatus(urlString) {
 function defaultExec(cmd, args2, opts) {
   execFileSync3(cmd, args2, { stdio: "inherit", cwd: opts?.cwd });
 }
-async function defaultFetchText(ref) {
-  const res = await fetch(ref);
+async function defaultFetchText(ref, authToken) {
+  const res = await fetch(ref, {
+    headers: authToken ? { authorization: `Bearer ${authToken}` } : void 0
+  });
   if (!res.ok) throw new Error(`Failed to fetch ${ref}: HTTP ${res.status}`);
   return res.text();
 }
+async function defaultPostJson(url, body, authToken) {
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...authToken ? { authorization: `Bearer ${authToken}` } : {}
+    },
+    body: JSON.stringify(body)
+  });
+  if (!res.ok) throw new Error(`Failed to POST ${url}: HTTP ${res.status}`);
+}
 function defaultStackPaths() {
   const cwdCompose = path37.resolve("docker-compose.yml");
   const cwdEnv = path37.resolve(".env");
   return {
     composeFile: process.env.EXE_STACK_COMPOSE_FILE || (existsSync30(cwdCompose) ? cwdCompose : "/opt/exe-stack/docker-compose.yml"),
     envFile: process.env.EXE_STACK_ENV_FILE || (existsSync30(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
-    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json"
+    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
+    auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
+    manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN,
+    manifestPublicKey: loadDefaultPublicKey()
   };
 }
+function loadDefaultPublicKey() {
+  if (process.env.EXE_STACK_PUBLIC_KEY) return process.env.EXE_STACK_PUBLIC_KEY;
+  if (process.env.EXE_STACK_PUBLIC_KEY_FILE && existsSync30(process.env.EXE_STACK_PUBLIC_KEY_FILE)) {
+    return readFileSync25(process.env.EXE_STACK_PUBLIC_KEY_FILE, "utf8");
+  }
+  return void 0;
+}
 var init_stack_update = __esm({
   "src/lib/stack-update.ts"() {
     "use strict";
@@ -17353,6 +17521,11 @@ function parseArgs4(args2) {
     manifestRef: defaults.manifestRef,
     composeFile: defaults.composeFile,
     envFile: defaults.envFile,
+    auditUrl: defaults.auditUrl,
+    manifestAuthToken: defaults.manifestAuthToken,
+    manifestPublicKey: defaults.manifestPublicKey,
+    deviceId: process.env.EXE_DEVICE_ID,
+    licenseKey: process.env.EXE_LICENSE_KEY,
     dryRun: false,
     check: false,
     rollback: false,
@@ -17373,6 +17546,15 @@ function parseArgs4(args2) {
     else if (arg === "--lock-file") opts.lockFile = next();
     else if (arg === "--public-key") opts.manifestPublicKey = readFileSync26(next(), "utf8");
     else if (arg.startsWith("--public-key=")) opts.manifestPublicKey = readFileSync26(arg.split("=").slice(1).join("="), "utf8");
+    else if (arg === "--auth-token") opts.manifestAuthToken = next();
+    else if (arg.startsWith("--auth-token=")) opts.manifestAuthToken = arg.split("=").slice(1).join("=");
+    else if (arg === "--auth-token-env") opts.manifestAuthToken = process.env[next()] ?? "";
+    else if (arg === "--audit-url") opts.auditUrl = next();
+    else if (arg.startsWith("--audit-url=")) opts.auditUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--device-id") opts.deviceId = next();
+    else if (arg.startsWith("--device-id=")) opts.deviceId = arg.split("=").slice(1).join("=");
+    else if (arg === "--license-key") opts.licenseKey = next();
+    else if (arg.startsWith("--license-key=")) opts.licenseKey = arg.split("=").slice(1).join("=");
     else if (arg === "--rollback") opts.rollback = true;
     else if (arg === "--dry-run") opts.dryRun = true;
     else if (arg === "--check") opts.check = true;
@@ -17403,6 +17585,11 @@ Options:
   --check                    Print available changes only
   --dry-run                  Plan only; do not run Docker
   --public-key <path>        PEM public key for signed manifest verification
+  --auth-token <token>       Bearer token for private update manifest/audit API
+  --auth-token-env <name>    Read bearer token from an environment variable
+  --audit-url <url>          Deploy-audit endpoint (default: EXE_STACK_AUDIT_URL/update.askexe.com)
+  --device-id <id>           Device ID to include in deploy audit
+  --license-key <key>        License key to include in deploy audit
   --rollback                 Restore latest backed-up .env and restart stack
   --allow-breaking <ids>     Confirm breaking changes, comma-separated
   -y, --yes                  Non-interactive confirmation
@@ -17440,7 +17627,7 @@ async function main3() {
     console.log(`\u2705 Stack rollback attempted using backup: ${result2.backupEnvFile ?? "latest backup"}`);
     return;
   }
-  const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey);
+  const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey, opts.manifestAuthToken);
   const envRaw = readFileSync26(opts.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, opts.targetVersion);
   console.log(`Exe OS stack target: ${plan.targetVersion}`);