@askexenow/exe-os 0.9.62 → 0.9.64

package/dist/bin/cli.js

@@ -17181,10 +17181,14 @@ function parseStackManifest(raw, publicKey) {
   }
   return parsed;
 }
-async function loadStackManifest(ref, fetchText = defaultFetchText, publicKey) {
-  if (/^https?:\/\//.test(ref)) return parseStackManifest(await fetchText(ref), publicKey);
+async function loadStackManifest(ref, fetchText = defaultFetchText, publicKey, authToken) {
+  if (/^https?:\/\//.test(ref)) return parseStackManifest(await fetchTextWithAuth(ref, fetchText, authToken), publicKey);
   return parseStackManifest(readFileSync25(ref, "utf8"), publicKey);
 }
+async function fetchTextWithAuth(ref, fetchText, authToken) {
+  if (!authToken || fetchText !== defaultFetchText) return fetchText(ref);
+  return defaultFetchText(ref, authToken);
+}
 function parseEnv(raw) {
   const env = /* @__PURE__ */ new Map();
   for (const line of raw.split(/\r?\n/)) {
@@ -17250,14 +17254,16 @@ async function runStackUpdate(options) {
   const exec2 = options.exec ?? defaultExec;
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
   if (options.rollback) return rollbackStackUpdate(options);
-  const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey);
+  const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey, options.manifestAuthToken);
   const envRaw = readFileSync25(options.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, options.targetVersion);
   assertBreakingChangesAllowed(plan, options.allowedBreakingChangeIds ?? []);
   const lockFile = options.lockFile ?? path37.join(path37.dirname(options.envFile), ".exe-stack-lock.json");
+  const previousVersion = readCurrentStackVersion(lockFile);
   if (options.dryRun || plan.changes.length === 0) {
     return { status: "planned", targetVersion: plan.targetVersion, changes: plan.changes, lockFile };
   }
+  await postDeployAudit(options, "started", plan.targetVersion, previousVersion);
   const backupDir = path37.join(path37.dirname(options.envFile), ".exe-stack-backups");
   mkdirSync19(backupDir, { recursive: true });
   const stamp = now().toISOString().replace(/[:.]/g, "-");
@@ -17269,11 +17275,18 @@ async function runStackUpdate(options) {
   writeFileSync20(tmp, patched, { mode: 384 });
   renameSync7(tmp, options.envFile);
   const composeArgs = ["compose", "--file", options.composeFile, "--env-file", options.envFile];
+  let registryForLogout;
   try {
+    const creds = await fetchImageCredentials(options);
+    if (creds) {
+      (options.dockerLogin ?? defaultDockerLogin)(creds);
+      registryForLogout = creds.registry;
+    }
     exec2("docker", [...composeArgs, "pull"]);
     exec2("docker", [...composeArgs, "up", "-d"]);
     await verifyReleaseHealth(plan.release, options.healthRetries ?? 12, options.healthDelayMs ?? 5e3);
     writeFileSync20(lockFile, JSON.stringify({ stackVersion: plan.targetVersion, updatedAt: now().toISOString(), backupEnvFile, services: plan.release.services }, null, 2) + "\n");
+    await postDeployAudit(options, "success", plan.targetVersion, previousVersion, void 0, { changes: plan.changes.length });
     return { status: "updated", targetVersion: plan.targetVersion, changes: plan.changes, backupEnvFile, lockFile };
   } catch (err) {
     writeFileSync20(options.envFile, envRaw, { mode: 384 });
@@ -17282,7 +17295,55 @@ async function runStackUpdate(options) {
     } catch {
     }
     const reason = err instanceof Error ? err.message : String(err);
+    await postDeployAudit(options, "failed", plan.targetVersion, previousVersion, reason, { rollbackAttempted: true });
     throw new Error(`Stack update failed and rollback was attempted: ${reason}`);
+  } finally {
+    if (registryForLogout) {
+      try {
+        (options.dockerLogout ?? defaultDockerLogout)(registryForLogout);
+      } catch {
+      }
+    }
+  }
+}
+async function fetchImageCredentials(options) {
+  if (!options.imageCredentialsUrl) return null;
+  const res = await fetch(options.imageCredentialsUrl, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...options.manifestAuthToken ? { authorization: `Bearer ${options.manifestAuthToken}` } : {}
+    },
+    body: JSON.stringify({ deviceId: options.deviceId, licenseKey: options.licenseKey })
+  });
+  if (!res.ok) throw new Error(`Failed to fetch image credentials: HTTP ${res.status}`);
+  return await res.json();
+}
+function readCurrentStackVersion(lockFile) {
+  if (!existsSync30(lockFile)) return void 0;
+  try {
+    const parsed = JSON.parse(readFileSync25(lockFile, "utf8"));
+    return parsed.stackVersion;
+  } catch {
+    return void 0;
+  }
+}
+async function postDeployAudit(options, status, stackVersion, previousVersion, error, metadata) {
+  if (!options.auditUrl) return;
+  const postJson = options.postJson ?? defaultPostJson;
+  try {
+    await postJson(options.auditUrl, {
+      stackVersion,
+      previousVersion,
+      status,
+      error,
+      metadata,
+      deviceId: options.deviceId,
+      licenseKey: options.licenseKey
+    }, options.manifestAuthToken);
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    console.warn(`[stack-update] deploy audit failed: ${reason}`);
   }
 }
 async function verifyReleaseHealth(release, retries, delayMs) {
@@ -17321,20 +17382,53 @@ function httpStatus(urlString) {
 function defaultExec(cmd, args2, opts) {
   execFileSync3(cmd, args2, { stdio: "inherit", cwd: opts?.cwd });
 }
-async function defaultFetchText(ref) {
-  const res = await fetch(ref);
+function defaultDockerLogin(creds) {
+  execFileSync3("docker", ["login", creds.registry, "-u", creds.username, "--password-stdin"], {
+    input: creds.password,
+    stdio: ["pipe", "inherit", "inherit"]
+  });
+}
+function defaultDockerLogout(registry) {
+  execFileSync3("docker", ["logout", registry], { stdio: "ignore" });
+}
+async function defaultFetchText(ref, authToken) {
+  const res = await fetch(ref, {
+    headers: authToken ? { authorization: `Bearer ${authToken}` } : void 0
+  });
   if (!res.ok) throw new Error(`Failed to fetch ${ref}: HTTP ${res.status}`);
   return res.text();
 }
+async function defaultPostJson(url, body, authToken) {
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...authToken ? { authorization: `Bearer ${authToken}` } : {}
+    },
+    body: JSON.stringify(body)
+  });
+  if (!res.ok) throw new Error(`Failed to POST ${url}: HTTP ${res.status}`);
+}
 function defaultStackPaths() {
   const cwdCompose = path37.resolve("docker-compose.yml");
   const cwdEnv = path37.resolve(".env");
   return {
     composeFile: process.env.EXE_STACK_COMPOSE_FILE || (existsSync30(cwdCompose) ? cwdCompose : "/opt/exe-stack/docker-compose.yml"),
     envFile: process.env.EXE_STACK_ENV_FILE || (existsSync30(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
-    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json"
+    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
+    auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
+    imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || "https://update.askexe.com/v1/image-credentials",
+    manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN,
+    manifestPublicKey: loadDefaultPublicKey()
   };
 }
+function loadDefaultPublicKey() {
+  if (process.env.EXE_STACK_PUBLIC_KEY) return process.env.EXE_STACK_PUBLIC_KEY;
+  if (process.env.EXE_STACK_PUBLIC_KEY_FILE && existsSync30(process.env.EXE_STACK_PUBLIC_KEY_FILE)) {
+    return readFileSync25(process.env.EXE_STACK_PUBLIC_KEY_FILE, "utf8");
+  }
+  return void 0;
+}
 var init_stack_update = __esm({
   "src/lib/stack-update.ts"() {
     "use strict";
@@ -17353,6 +17447,12 @@ function parseArgs4(args2) {
     manifestRef: defaults.manifestRef,
     composeFile: defaults.composeFile,
     envFile: defaults.envFile,
+    auditUrl: defaults.auditUrl,
+    imageCredentialsUrl: defaults.imageCredentialsUrl,
+    manifestAuthToken: defaults.manifestAuthToken,
+    manifestPublicKey: defaults.manifestPublicKey,
+    deviceId: process.env.EXE_DEVICE_ID,
+    licenseKey: process.env.EXE_LICENSE_KEY,
     dryRun: false,
     check: false,
     rollback: false,
@@ -17373,6 +17473,18 @@ function parseArgs4(args2) {
     else if (arg === "--lock-file") opts.lockFile = next();
     else if (arg === "--public-key") opts.manifestPublicKey = readFileSync26(next(), "utf8");
     else if (arg.startsWith("--public-key=")) opts.manifestPublicKey = readFileSync26(arg.split("=").slice(1).join("="), "utf8");
+    else if (arg === "--auth-token") opts.manifestAuthToken = next();
+    else if (arg.startsWith("--auth-token=")) opts.manifestAuthToken = arg.split("=").slice(1).join("=");
+    else if (arg === "--auth-token-env") opts.manifestAuthToken = process.env[next()] ?? "";
+    else if (arg === "--audit-url") opts.auditUrl = next();
+    else if (arg.startsWith("--audit-url=")) opts.auditUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--image-credentials-url") opts.imageCredentialsUrl = next();
+    else if (arg.startsWith("--image-credentials-url=")) opts.imageCredentialsUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--no-image-credentials") opts.imageCredentialsUrl = void 0;
+    else if (arg === "--device-id") opts.deviceId = next();
+    else if (arg.startsWith("--device-id=")) opts.deviceId = arg.split("=").slice(1).join("=");
+    else if (arg === "--license-key") opts.licenseKey = next();
+    else if (arg.startsWith("--license-key=")) opts.licenseKey = arg.split("=").slice(1).join("=");
     else if (arg === "--rollback") opts.rollback = true;
     else if (arg === "--dry-run") opts.dryRun = true;
     else if (arg === "--check") opts.check = true;
@@ -17403,6 +17515,13 @@ Options:
   --check                    Print available changes only
   --dry-run                  Plan only; do not run Docker
   --public-key <path>        PEM public key for signed manifest verification
+  --auth-token <token>       Bearer token for private update manifest/audit API
+  --auth-token-env <name>    Read bearer token from an environment variable
+  --audit-url <url>          Deploy-audit endpoint (default: EXE_STACK_AUDIT_URL/update.askexe.com)
+  --image-credentials-url <url>  Registry credential broker endpoint
+  --no-image-credentials     Skip registry credential broker / Docker login
+  --device-id <id>           Device ID to include in deploy audit
+  --license-key <key>        License key to include in deploy audit
   --rollback                 Restore latest backed-up .env and restart stack
   --allow-breaking <ids>     Confirm breaking changes, comma-separated
   -y, --yes                  Non-interactive confirmation
@@ -17440,7 +17559,7 @@ async function main3() {
     console.log(`\u2705 Stack rollback attempted using backup: ${result2.backupEnvFile ?? "latest backup"}`);
     return;
   }
-  const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey);
+  const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey, opts.manifestAuthToken);
   const envRaw = readFileSync26(opts.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, opts.targetVersion);
   console.log(`Exe OS stack target: ${plan.targetVersion}`);

package/dist/bin/stack-update.js

@@ -95,10 +95,14 @@ function parseStackManifest(raw, publicKey) {
   }
   return parsed;
 }
-async function loadStackManifest(ref, fetchText = defaultFetchText, publicKey) {
-  if (/^https?:\/\//.test(ref)) return parseStackManifest(await fetchText(ref), publicKey);
+async function loadStackManifest(ref, fetchText = defaultFetchText, publicKey, authToken) {
+  if (/^https?:\/\//.test(ref)) return parseStackManifest(await fetchTextWithAuth(ref, fetchText, authToken), publicKey);
   return parseStackManifest(readFileSync(ref, "utf8"), publicKey);
 }
+async function fetchTextWithAuth(ref, fetchText, authToken) {
+  if (!authToken || fetchText !== defaultFetchText) return fetchText(ref);
+  return defaultFetchText(ref, authToken);
+}
 function parseEnv(raw) {
   const env = /* @__PURE__ */ new Map();
   for (const line of raw.split(/\r?\n/)) {
@@ -164,14 +168,16 @@ async function runStackUpdate(options) {
   const exec = options.exec ?? defaultExec;
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
   if (options.rollback) return rollbackStackUpdate(options);
-  const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey);
+  const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey, options.manifestAuthToken);
   const envRaw = readFileSync(options.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, options.targetVersion);
   assertBreakingChangesAllowed(plan, options.allowedBreakingChangeIds ?? []);
   const lockFile = options.lockFile ?? path.join(path.dirname(options.envFile), ".exe-stack-lock.json");
+  const previousVersion = readCurrentStackVersion(lockFile);
   if (options.dryRun || plan.changes.length === 0) {
     return { status: "planned", targetVersion: plan.targetVersion, changes: plan.changes, lockFile };
   }
+  await postDeployAudit(options, "started", plan.targetVersion, previousVersion);
   const backupDir = path.join(path.dirname(options.envFile), ".exe-stack-backups");
   mkdirSync(backupDir, { recursive: true });
   const stamp = now().toISOString().replace(/[:.]/g, "-");
@@ -183,11 +189,18 @@ async function runStackUpdate(options) {
   writeFileSync(tmp, patched, { mode: 384 });
   renameSync(tmp, options.envFile);
   const composeArgs = ["compose", "--file", options.composeFile, "--env-file", options.envFile];
+  let registryForLogout;
   try {
+    const creds = await fetchImageCredentials(options);
+    if (creds) {
+      (options.dockerLogin ?? defaultDockerLogin)(creds);
+      registryForLogout = creds.registry;
+    }
     exec("docker", [...composeArgs, "pull"]);
     exec("docker", [...composeArgs, "up", "-d"]);
     await verifyReleaseHealth(plan.release, options.healthRetries ?? 12, options.healthDelayMs ?? 5e3);
     writeFileSync(lockFile, JSON.stringify({ stackVersion: plan.targetVersion, updatedAt: now().toISOString(), backupEnvFile, services: plan.release.services }, null, 2) + "\n");
+    await postDeployAudit(options, "success", plan.targetVersion, previousVersion, void 0, { changes: plan.changes.length });
     return { status: "updated", targetVersion: plan.targetVersion, changes: plan.changes, backupEnvFile, lockFile };
   } catch (err) {
     writeFileSync(options.envFile, envRaw, { mode: 384 });
@@ -196,7 +209,55 @@ async function runStackUpdate(options) {
     } catch {
     }
     const reason = err instanceof Error ? err.message : String(err);
+    await postDeployAudit(options, "failed", plan.targetVersion, previousVersion, reason, { rollbackAttempted: true });
     throw new Error(`Stack update failed and rollback was attempted: ${reason}`);
+  } finally {
+    if (registryForLogout) {
+      try {
+        (options.dockerLogout ?? defaultDockerLogout)(registryForLogout);
+      } catch {
+      }
+    }
+  }
+}
+async function fetchImageCredentials(options) {
+  if (!options.imageCredentialsUrl) return null;
+  const res = await fetch(options.imageCredentialsUrl, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...options.manifestAuthToken ? { authorization: `Bearer ${options.manifestAuthToken}` } : {}
+    },
+    body: JSON.stringify({ deviceId: options.deviceId, licenseKey: options.licenseKey })
+  });
+  if (!res.ok) throw new Error(`Failed to fetch image credentials: HTTP ${res.status}`);
+  return await res.json();
+}
+function readCurrentStackVersion(lockFile) {
+  if (!existsSync(lockFile)) return void 0;
+  try {
+    const parsed = JSON.parse(readFileSync(lockFile, "utf8"));
+    return parsed.stackVersion;
+  } catch {
+    return void 0;
+  }
+}
+async function postDeployAudit(options, status, stackVersion, previousVersion, error, metadata) {
+  if (!options.auditUrl) return;
+  const postJson = options.postJson ?? defaultPostJson;
+  try {
+    await postJson(options.auditUrl, {
+      stackVersion,
+      previousVersion,
+      status,
+      error,
+      metadata,
+      deviceId: options.deviceId,
+      licenseKey: options.licenseKey
+    }, options.manifestAuthToken);
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    console.warn(`[stack-update] deploy audit failed: ${reason}`);
   }
 }
 async function verifyReleaseHealth(release, retries, delayMs) {
@@ -235,20 +296,53 @@ function httpStatus(urlString) {
 function defaultExec(cmd, args, opts) {
   execFileSync(cmd, args, { stdio: "inherit", cwd: opts?.cwd });
 }
-async function defaultFetchText(ref) {
-  const res = await fetch(ref);
+function defaultDockerLogin(creds) {
+  execFileSync("docker", ["login", creds.registry, "-u", creds.username, "--password-stdin"], {
+    input: creds.password,
+    stdio: ["pipe", "inherit", "inherit"]
+  });
+}
+function defaultDockerLogout(registry) {
+  execFileSync("docker", ["logout", registry], { stdio: "ignore" });
+}
+async function defaultFetchText(ref, authToken) {
+  const res = await fetch(ref, {
+    headers: authToken ? { authorization: `Bearer ${authToken}` } : void 0
+  });
   if (!res.ok) throw new Error(`Failed to fetch ${ref}: HTTP ${res.status}`);
   return res.text();
 }
+async function defaultPostJson(url, body, authToken) {
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...authToken ? { authorization: `Bearer ${authToken}` } : {}
+    },
+    body: JSON.stringify(body)
+  });
+  if (!res.ok) throw new Error(`Failed to POST ${url}: HTTP ${res.status}`);
+}
 function defaultStackPaths() {
   const cwdCompose = path.resolve("docker-compose.yml");
   const cwdEnv = path.resolve(".env");
   return {
     composeFile: process.env.EXE_STACK_COMPOSE_FILE || (existsSync(cwdCompose) ? cwdCompose : "/opt/exe-stack/docker-compose.yml"),
     envFile: process.env.EXE_STACK_ENV_FILE || (existsSync(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
-    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json"
+    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
+    auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
+    imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || "https://update.askexe.com/v1/image-credentials",
+    manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN,
+    manifestPublicKey: loadDefaultPublicKey()
   };
 }
+function loadDefaultPublicKey() {
+  if (process.env.EXE_STACK_PUBLIC_KEY) return process.env.EXE_STACK_PUBLIC_KEY;
+  if (process.env.EXE_STACK_PUBLIC_KEY_FILE && existsSync(process.env.EXE_STACK_PUBLIC_KEY_FILE)) {
+    return readFileSync(process.env.EXE_STACK_PUBLIC_KEY_FILE, "utf8");
+  }
+  return void 0;
+}
 
 // src/bin/stack-update.ts
 function parseArgs(args) {
@@ -257,6 +351,12 @@ function parseArgs(args) {
     manifestRef: defaults.manifestRef,
     composeFile: defaults.composeFile,
     envFile: defaults.envFile,
+    auditUrl: defaults.auditUrl,
+    imageCredentialsUrl: defaults.imageCredentialsUrl,
+    manifestAuthToken: defaults.manifestAuthToken,
+    manifestPublicKey: defaults.manifestPublicKey,
+    deviceId: process.env.EXE_DEVICE_ID,
+    licenseKey: process.env.EXE_LICENSE_KEY,
     dryRun: false,
     check: false,
     rollback: false,
@@ -277,6 +377,18 @@ function parseArgs(args) {
     else if (arg === "--lock-file") opts.lockFile = next();
     else if (arg === "--public-key") opts.manifestPublicKey = readFileSync2(next(), "utf8");
     else if (arg.startsWith("--public-key=")) opts.manifestPublicKey = readFileSync2(arg.split("=").slice(1).join("="), "utf8");
+    else if (arg === "--auth-token") opts.manifestAuthToken = next();
+    else if (arg.startsWith("--auth-token=")) opts.manifestAuthToken = arg.split("=").slice(1).join("=");
+    else if (arg === "--auth-token-env") opts.manifestAuthToken = process.env[next()] ?? "";
+    else if (arg === "--audit-url") opts.auditUrl = next();
+    else if (arg.startsWith("--audit-url=")) opts.auditUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--image-credentials-url") opts.imageCredentialsUrl = next();
+    else if (arg.startsWith("--image-credentials-url=")) opts.imageCredentialsUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--no-image-credentials") opts.imageCredentialsUrl = void 0;
+    else if (arg === "--device-id") opts.deviceId = next();
+    else if (arg.startsWith("--device-id=")) opts.deviceId = arg.split("=").slice(1).join("=");
+    else if (arg === "--license-key") opts.licenseKey = next();
+    else if (arg.startsWith("--license-key=")) opts.licenseKey = arg.split("=").slice(1).join("=");
     else if (arg === "--rollback") opts.rollback = true;
     else if (arg === "--dry-run") opts.dryRun = true;
     else if (arg === "--check") opts.check = true;
@@ -307,6 +419,13 @@ Options:
   --check                    Print available changes only
   --dry-run                  Plan only; do not run Docker
   --public-key <path>        PEM public key for signed manifest verification
+  --auth-token <token>       Bearer token for private update manifest/audit API
+  --auth-token-env <name>    Read bearer token from an environment variable
+  --audit-url <url>          Deploy-audit endpoint (default: EXE_STACK_AUDIT_URL/update.askexe.com)
+  --image-credentials-url <url>  Registry credential broker endpoint
+  --no-image-credentials     Skip registry credential broker / Docker login
+  --device-id <id>           Device ID to include in deploy audit
+  --license-key <key>        License key to include in deploy audit
   --rollback                 Restore latest backed-up .env and restart stack
   --allow-breaking <ids>     Confirm breaking changes, comma-separated
   -y, --yes                  Non-interactive confirmation
@@ -344,7 +463,7 @@ async function main() {
     console.log(`\u2705 Stack rollback attempted using backup: ${result2.backupEnvFile ?? "latest backup"}`);
     return;
   }
-  const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey);
+  const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey, opts.manifestAuthToken);
   const envRaw = readFileSync2(opts.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, opts.targetVersion);
   console.log(`Exe OS stack target: ${plan.targetVersion}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askexenow/exe-os",
-  "version": "0.9.62",
+  "version": "0.9.64",
   "description": "AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",