@askexenow/exe-os 0.9.62 → 0.9.63

package/dist/bin/stack-update.js

@@ -95,10 +95,14 @@ function parseStackManifest(raw, publicKey) {
   }
   return parsed;
 }
-async function loadStackManifest(ref, fetchText = defaultFetchText, publicKey) {
-  if (/^https?:\/\//.test(ref)) return parseStackManifest(await fetchText(ref), publicKey);
+async function loadStackManifest(ref, fetchText = defaultFetchText, publicKey, authToken) {
+  if (/^https?:\/\//.test(ref)) return parseStackManifest(await fetchTextWithAuth(ref, fetchText, authToken), publicKey);
   return parseStackManifest(readFileSync(ref, "utf8"), publicKey);
 }
+async function fetchTextWithAuth(ref, fetchText, authToken) {
+  if (!authToken || fetchText !== defaultFetchText) return fetchText(ref);
+  return defaultFetchText(ref, authToken);
+}
 function parseEnv(raw) {
   const env = /* @__PURE__ */ new Map();
   for (const line of raw.split(/\r?\n/)) {
@@ -164,14 +168,16 @@ async function runStackUpdate(options) {
   const exec = options.exec ?? defaultExec;
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
   if (options.rollback) return rollbackStackUpdate(options);
-  const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey);
+  const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey, options.manifestAuthToken);
   const envRaw = readFileSync(options.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, options.targetVersion);
   assertBreakingChangesAllowed(plan, options.allowedBreakingChangeIds ?? []);
   const lockFile = options.lockFile ?? path.join(path.dirname(options.envFile), ".exe-stack-lock.json");
+  const previousVersion = readCurrentStackVersion(lockFile);
   if (options.dryRun || plan.changes.length === 0) {
     return { status: "planned", targetVersion: plan.targetVersion, changes: plan.changes, lockFile };
   }
+  await postDeployAudit(options, "started", plan.targetVersion, previousVersion);
   const backupDir = path.join(path.dirname(options.envFile), ".exe-stack-backups");
   mkdirSync(backupDir, { recursive: true });
   const stamp = now().toISOString().replace(/[:.]/g, "-");
@@ -188,6 +194,7 @@ async function runStackUpdate(options) {
     exec("docker", [...composeArgs, "up", "-d"]);
     await verifyReleaseHealth(plan.release, options.healthRetries ?? 12, options.healthDelayMs ?? 5e3);
     writeFileSync(lockFile, JSON.stringify({ stackVersion: plan.targetVersion, updatedAt: now().toISOString(), backupEnvFile, services: plan.release.services }, null, 2) + "\n");
+    await postDeployAudit(options, "success", plan.targetVersion, previousVersion, void 0, { changes: plan.changes.length });
     return { status: "updated", targetVersion: plan.targetVersion, changes: plan.changes, backupEnvFile, lockFile };
   } catch (err) {
     writeFileSync(options.envFile, envRaw, { mode: 384 });
@@ -196,9 +203,37 @@ async function runStackUpdate(options) {
     } catch {
     }
     const reason = err instanceof Error ? err.message : String(err);
+    await postDeployAudit(options, "failed", plan.targetVersion, previousVersion, reason, { rollbackAttempted: true });
     throw new Error(`Stack update failed and rollback was attempted: ${reason}`);
   }
 }
+function readCurrentStackVersion(lockFile) {
+  if (!existsSync(lockFile)) return void 0;
+  try {
+    const parsed = JSON.parse(readFileSync(lockFile, "utf8"));
+    return parsed.stackVersion;
+  } catch {
+    return void 0;
+  }
+}
+async function postDeployAudit(options, status, stackVersion, previousVersion, error, metadata) {
+  if (!options.auditUrl) return;
+  const postJson = options.postJson ?? defaultPostJson;
+  try {
+    await postJson(options.auditUrl, {
+      stackVersion,
+      previousVersion,
+      status,
+      error,
+      metadata,
+      deviceId: options.deviceId,
+      licenseKey: options.licenseKey
+    }, options.manifestAuthToken);
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    console.warn(`[stack-update] deploy audit failed: ${reason}`);
+  }
+}
 async function verifyReleaseHealth(release, retries, delayMs) {
   for (const [serviceName, service] of Object.entries(release.services)) {
     if (!service.healthUrl) continue;
@@ -235,20 +270,43 @@ function httpStatus(urlString) {
 function defaultExec(cmd, args, opts) {
   execFileSync(cmd, args, { stdio: "inherit", cwd: opts?.cwd });
 }
-async function defaultFetchText(ref) {
-  const res = await fetch(ref);
+async function defaultFetchText(ref, authToken) {
+  const res = await fetch(ref, {
+    headers: authToken ? { authorization: `Bearer ${authToken}` } : void 0
+  });
   if (!res.ok) throw new Error(`Failed to fetch ${ref}: HTTP ${res.status}`);
   return res.text();
 }
+async function defaultPostJson(url, body, authToken) {
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...authToken ? { authorization: `Bearer ${authToken}` } : {}
+    },
+    body: JSON.stringify(body)
+  });
+  if (!res.ok) throw new Error(`Failed to POST ${url}: HTTP ${res.status}`);
+}
 function defaultStackPaths() {
   const cwdCompose = path.resolve("docker-compose.yml");
   const cwdEnv = path.resolve(".env");
   return {
     composeFile: process.env.EXE_STACK_COMPOSE_FILE || (existsSync(cwdCompose) ? cwdCompose : "/opt/exe-stack/docker-compose.yml"),
     envFile: process.env.EXE_STACK_ENV_FILE || (existsSync(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
-    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json"
+    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
+    auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
+    manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN,
+    manifestPublicKey: loadDefaultPublicKey()
   };
 }
+function loadDefaultPublicKey() {
+  if (process.env.EXE_STACK_PUBLIC_KEY) return process.env.EXE_STACK_PUBLIC_KEY;
+  if (process.env.EXE_STACK_PUBLIC_KEY_FILE && existsSync(process.env.EXE_STACK_PUBLIC_KEY_FILE)) {
+    return readFileSync(process.env.EXE_STACK_PUBLIC_KEY_FILE, "utf8");
+  }
+  return void 0;
+}
 
 // src/bin/stack-update.ts
 function parseArgs(args) {
@@ -257,6 +315,11 @@ function parseArgs(args) {
     manifestRef: defaults.manifestRef,
     composeFile: defaults.composeFile,
     envFile: defaults.envFile,
+    auditUrl: defaults.auditUrl,
+    manifestAuthToken: defaults.manifestAuthToken,
+    manifestPublicKey: defaults.manifestPublicKey,
+    deviceId: process.env.EXE_DEVICE_ID,
+    licenseKey: process.env.EXE_LICENSE_KEY,
     dryRun: false,
     check: false,
     rollback: false,
@@ -277,6 +340,15 @@ function parseArgs(args) {
     else if (arg === "--lock-file") opts.lockFile = next();
     else if (arg === "--public-key") opts.manifestPublicKey = readFileSync2(next(), "utf8");
     else if (arg.startsWith("--public-key=")) opts.manifestPublicKey = readFileSync2(arg.split("=").slice(1).join("="), "utf8");
+    else if (arg === "--auth-token") opts.manifestAuthToken = next();
+    else if (arg.startsWith("--auth-token=")) opts.manifestAuthToken = arg.split("=").slice(1).join("=");
+    else if (arg === "--auth-token-env") opts.manifestAuthToken = process.env[next()] ?? "";
+    else if (arg === "--audit-url") opts.auditUrl = next();
+    else if (arg.startsWith("--audit-url=")) opts.auditUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--device-id") opts.deviceId = next();
+    else if (arg.startsWith("--device-id=")) opts.deviceId = arg.split("=").slice(1).join("=");
+    else if (arg === "--license-key") opts.licenseKey = next();
+    else if (arg.startsWith("--license-key=")) opts.licenseKey = arg.split("=").slice(1).join("=");
     else if (arg === "--rollback") opts.rollback = true;
     else if (arg === "--dry-run") opts.dryRun = true;
     else if (arg === "--check") opts.check = true;
@@ -307,6 +379,11 @@ Options:
   --check                    Print available changes only
   --dry-run                  Plan only; do not run Docker
   --public-key <path>        PEM public key for signed manifest verification
+  --auth-token <token>       Bearer token for private update manifest/audit API
+  --auth-token-env <name>    Read bearer token from an environment variable
+  --audit-url <url>          Deploy-audit endpoint (default: EXE_STACK_AUDIT_URL/update.askexe.com)
+  --device-id <id>           Device ID to include in deploy audit
+  --license-key <key>        License key to include in deploy audit
   --rollback                 Restore latest backed-up .env and restart stack
   --allow-breaking <ids>     Confirm breaking changes, comma-separated
   -y, --yes                  Non-interactive confirmation
@@ -344,7 +421,7 @@ async function main() {
     console.log(`\u2705 Stack rollback attempted using backup: ${result2.backupEnvFile ?? "latest backup"}`);
     return;
   }
-  const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey);
+  const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey, opts.manifestAuthToken);
   const envRaw = readFileSync2(opts.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, opts.targetVersion);
   console.log(`Exe OS stack target: ${plan.targetVersion}`);

package/dist/hooks/bug-report-worker.js

@@ -8892,54 +8892,98 @@ async function fastDbInit() {
 // src/adapters/claude/hooks/bug-report-worker.ts
 init_database();
 init_tasks();
-async function main() {
-  const toolName = process.env.BUG_TOOL_NAME ?? "unknown";
-  const errorText = process.env.BUG_ERROR_TEXT ?? "";
-  const toolInput = process.env.BUG_TOOL_INPUT ?? "{}";
-  const fingerprint = process.env.BUG_FINGERPRINT ?? "";
-  const agentId = process.env.BUG_AGENT_ID ?? "unknown";
-  const agentRole = process.env.BUG_AGENT_ROLE ?? "employee";
-  const projectName = process.env.BUG_PROJECT_NAME ?? "unknown";
-  await fastDbInit();
-  const fpPrefix = fingerprint.slice(0, 8);
-  const client = getClient();
-  const { loadEmployeesSync: loadEmployeesSync2, getEmployeeByRole: getEmployeeByRole2, getCoordinatorName: getCoordinatorName2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
-  const employees = loadEmployeesSync2();
-  const coordinatorName = getCoordinatorName2(employees);
-  const ctoName = getEmployeeByRole2(employees, "CTO")?.name ?? coordinatorName;
-  const existing = await client.execute({
-    sql: `SELECT id FROM tasks
-          WHERE assigned_to = ?
-            AND status IN ('open', 'in_progress')
-            AND title LIKE '[auto-bug]%'
-            AND task_file LIKE ?
-          LIMIT 1`,
-    args: [ctoName, `%${fpPrefix}%`]
+
+// src/lib/bug-intake.ts
+import { createHash as createHash3, randomUUID as randomUUID4 } from "crypto";
+var BUG_INTAKE_SCHEMA_VERSION = 1;
+function firstMeaningfulLine(text) {
+  return text.split("\n").find((line) => line.trim().length > 0)?.trim().slice(0, 80) ?? "unknown error";
+}
+function stableFingerprint(input) {
+  const basis = [
+    input.source,
+    input.toolName ?? "unknown",
+    firstMeaningfulLine(input.errorText ?? ""),
+    input.projectName ?? "unknown"
+  ].join("|");
+  return createHash3("sha256").update(basis).digest("hex").slice(0, 16);
+}
+function hashLicense(licenseKey) {
+  if (!licenseKey) return void 0;
+  return createHash3("sha256").update(licenseKey).digest("hex").slice(0, 16);
+}
+function buildBugIntake(input) {
+  const toolName = input.toolName ?? "unknown";
+  const errorText = input.errorText ?? "";
+  const summary = firstMeaningfulLine(errorText);
+  const fingerprint = input.fingerprint && input.fingerprint.trim().length > 0 ? input.fingerprint.trim() : stableFingerprint(input);
+  return {
+    schemaVersion: BUG_INTAKE_SCHEMA_VERSION,
+    id: randomUUID4(),
+    source: input.source,
+    createdAt: input.createdAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+    fingerprint,
+    severity: input.severity ?? "p1",
+    title: `[auto-bug] ${toolName}: ${summary.slice(0, 60)}`,
+    summary,
+    reporterAgentId: input.reporterAgentId ?? "unknown",
+    reporterAgentRole: input.reporterAgentRole ?? "employee",
+    projectName: input.projectName ?? "unknown",
+    toolName,
+    errorText,
+    toolInput: input.toolInput ?? "{}",
+    runtime: input.runtime,
+    repo: input.repo,
+    licenseKeyHash: hashLicense(input.licenseKey),
+    labels: ["auto-bug", input.source, toolName].filter(Boolean)
+  };
+}
+function buildBugIntakeFromEnv(env = process.env) {
+  return buildBugIntake({
+    source: "hook",
+    toolName: env.BUG_TOOL_NAME,
+    errorText: env.BUG_ERROR_TEXT,
+    toolInput: env.BUG_TOOL_INPUT,
+    fingerprint: env.BUG_FINGERPRINT,
+    reporterAgentId: env.BUG_AGENT_ID,
+    reporterAgentRole: env.BUG_AGENT_ROLE,
+    projectName: env.BUG_PROJECT_NAME,
+    runtime: env.EXE_RUNTIME,
+    repo: env.EXE_REPO,
+    licenseKey: env.EXE_LICENSE_KEY
   });
-  if (existing.rows.length > 0) {
-    process.stderr.write(`[bug-report-worker] Duplicate found for fingerprint ${fingerprint}, skipping
-`);
-    return;
-  }
-  const errorSummary = errorText.split("\n").find((line) => line.trim().length > 0)?.trim().slice(0, 60) ?? "unknown error";
-  const context = [
+}
+function formatBugIntakeTaskContext(record) {
+  return [
     "## Auto-detected system bug",
     "",
-    `**Detected by:** ${agentId} (${agentRole})`,
-    `**Tool:** ${toolName}`,
-    `**Timestamp:** ${(/* @__PURE__ */ new Date()).toISOString()}`,
-    `**Fingerprint:** ${fingerprint}`,
+    `**Schema:** bug-intake/v${record.schemaVersion}`,
+    `**Source:** ${record.source}`,
+    `**Detected by:** ${record.reporterAgentId} (${record.reporterAgentRole})`,
+    `**Tool:** ${record.toolName}`,
+    `**Timestamp:** ${record.createdAt}`,
+    `**Fingerprint:** ${record.fingerprint}`,
+    `**Severity:** ${record.severity}`,
+    record.runtime ? `**Runtime:** ${record.runtime}` : void 0,
+    record.repo ? `**Repo:** ${record.repo}` : void 0,
+    record.licenseKeyHash ? `**License hash:** ${record.licenseKeyHash}` : void 0,
     "",
     "## Error output",
     "",
     "```",
-    errorText.slice(0, 1e3),
+    record.errorText.slice(0, 2e3),
     "```",
     "",
     "## Tool input (reproduction context)",
     "",
     "```json",
-    toolInput.slice(0, 500),
+    record.toolInput.slice(0, 1e3),
+    "```",
+    "",
+    "## Normalized intake JSON",
+    "",
+    "```json",
+    JSON.stringify(record, null, 2),
     "```",
     "",
     "## Triage notes",
@@ -8947,19 +8991,44 @@ async function main() {
     "- Classification: system bug (auto-detected)",
     "- Review this error \u2014 fix if real, close if false positive",
     "- If false positive: add the error pattern to USER_ERROR_PATTERNS in error-detector.ts"
-  ].join("\n");
+  ].filter((line) => line !== void 0).join("\n");
+}
+
+// src/adapters/claude/hooks/bug-report-worker.ts
+async function main() {
+  const intake = buildBugIntakeFromEnv(process.env);
+  await fastDbInit();
+  const client = getClient();
+  const { loadEmployeesSync: loadEmployeesSync2, getEmployeeByRole: getEmployeeByRole2, getCoordinatorName: getCoordinatorName2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
+  const employees = loadEmployeesSync2();
+  const coordinatorName = getCoordinatorName2(employees);
+  const ctoName = getEmployeeByRole2(employees, "CTO")?.name ?? coordinatorName;
+  const existing = await client.execute({
+    sql: `SELECT id FROM tasks
+          WHERE assigned_to = ?
+            AND status IN ('open', 'in_progress')
+            AND title LIKE '[auto-bug]%'
+            AND (context LIKE ? OR task_file LIKE ?)
+          LIMIT 1`,
+    args: [ctoName, `%${intake.fingerprint}%`, `%${intake.fingerprint.slice(0, 8)}%`]
+  });
+  if (existing.rows.length > 0) {
+    process.stderr.write(`[bug-report-worker] Duplicate found for fingerprint ${intake.fingerprint}, skipping
+`);
+    return;
+  }
   await createTask({
-    title: `[auto-bug] ${toolName}: ${errorSummary}`,
+    title: intake.title,
     assignedTo: ctoName,
     assignedBy: "system",
-    projectName,
-    priority: "p1",
-    context,
+    projectName: intake.projectName,
+    priority: intake.severity,
+    context: formatBugIntakeTaskContext(intake),
     baseDir: process.cwd(),
     skipDispatch: true,
     reviewer: coordinatorName
   });
-  process.stderr.write(`[bug-report-worker] Created auto-bug task for ${toolName}: ${errorSummary}
+  process.stderr.write(`[bug-report-worker] Created auto-bug task for ${intake.toolName}: ${intake.summary}
 `);
 }
 main().catch((err) => {