@askexenow/exe-os 0.9.63 → 0.9.65

package/dist/bin/cli.js

@@ -820,7 +820,7 @@ function isLegacySplitPostToolCommand(command) {
 function textHasLegacySplitPostToolHook(text) {
   return [EXE_HOOK_FILES.ingest, EXE_HOOK_FILES.errorRecall, EXE_HOOK_FILES.ingestWorker].some((file) => text.includes(file));
 }
-var EXE_HOOK_FILES, EXE_HOOKS, EXE_HOOK_MANIFEST, LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS;
+var EXE_HOOK_FILES, EXE_HOOKS, LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS;
 var init_runtime_hook_manifest = __esm({
   "src/adapters/runtime-hook-manifest.ts"() {
     "use strict";
@@ -844,116 +844,6 @@ var init_runtime_hook_manifest = __esm({
       notification: "dist/hooks/notification.js",
       instructionsLoaded: "dist/hooks/instructions-loaded.js"
     };
-    EXE_HOOK_MANIFEST = [
-      {
-        key: "postToolCombined",
-        event: "PostToolUse",
-        commandMarker: EXE_HOOKS.postToolCombined,
-        owner: "exe-os",
-        purpose: "Single PostToolUse entrypoint for ingestion, error recall, summaries, and bug detection.",
-        runtimes: ["claude", "codex", "opencode"],
-        checkpointRole: "none"
-      },
-      {
-        key: "sessionStart",
-        event: "SessionStart",
-        commandMarker: EXE_HOOKS.sessionStart,
-        owner: "exe-os",
-        purpose: "Loads agent identity, procedures, and boot context.",
-        runtimes: ["claude", "codex", "opencode"],
-        checkpointRole: "none"
-      },
-      {
-        key: "promptSubmit",
-        event: "UserPromptSubmit",
-        commandMarker: EXE_HOOKS.promptSubmit,
-        owner: "exe-os",
-        purpose: "Injects current tasks, pending reviews, and local context before each prompt.",
-        runtimes: ["claude", "codex", "opencode"],
-        checkpointRole: "none"
-      },
-      {
-        key: "heartbeat",
-        event: "UserPromptSubmit",
-        commandMarker: EXE_HOOKS.heartbeat,
-        owner: "exe-os",
-        purpose: "Lightweight heartbeat/status sidecar for Claude Code sessions.",
-        runtimes: ["claude"],
-        checkpointRole: "none"
-      },
-      {
-        key: "stop",
-        event: "Stop",
-        commandMarker: EXE_HOOKS.stop,
-        owner: "exe-os",
-        purpose: "Finalizes task state, capacity signals, and emergency checkpointing.",
-        runtimes: ["claude", "codex", "opencode"],
-        checkpointRole: "capacity_checkpoint"
-      },
-      {
-        key: "preToolUse",
-        event: "PreToolUse",
-        commandMarker: EXE_HOOKS.preToolUse,
-        owner: "exe-os",
-        purpose: "Preflight guardrails before shell/tool execution.",
-        runtimes: ["claude", "codex", "opencode"],
-        checkpointRole: "none"
-      },
-      {
-        key: "subagentStop",
-        event: "SubagentStop",
-        commandMarker: EXE_HOOKS.subagentStop,
-        owner: "exe-os",
-        purpose: "Captures subagent completion context.",
-        runtimes: ["claude"],
-        checkpointRole: "none"
-      },
-      {
-        key: "preCompact",
-        event: "PreCompact",
-        commandMarker: EXE_HOOKS.preCompact,
-        owner: "exe-os",
-        purpose: "Writes active-task snapshot and compaction recovery context.",
-        runtimes: ["claude"],
-        checkpointRole: "recovery_context"
-      },
-      {
-        key: "postCompact",
-        event: "PostCompact",
-        commandMarker: EXE_HOOKS.postCompact,
-        owner: "exe-os",
-        purpose: "Rehydrates recovery context after compaction.",
-        runtimes: ["claude"],
-        checkpointRole: "recovery_context"
-      },
-      {
-        key: "sessionEnd",
-        event: "SessionEnd",
-        commandMarker: EXE_HOOKS.sessionEnd,
-        owner: "exe-os",
-        purpose: "Stores session-end checkpoint and triages orphaned in-progress tasks.",
-        runtimes: ["claude"],
-        checkpointRole: "session_summary"
-      },
-      {
-        key: "notification",
-        event: "Notification",
-        commandMarker: EXE_HOOKS.notification,
-        owner: "exe-os",
-        purpose: "Captures runtime notifications and nudges.",
-        runtimes: ["claude"],
-        checkpointRole: "none"
-      },
-      {
-        key: "instructionsLoaded",
-        event: "InstructionsLoaded",
-        commandMarker: EXE_HOOKS.instructionsLoaded,
-        owner: "exe-os",
-        purpose: "Applies runtime instruction post-processing.",
-        runtimes: ["claude"],
-        checkpointRole: "none"
-      }
-    ];
     LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS = [
       "dist/hooks/ingest.js",
       "dist/hooks/error-recall.js",
@@ -5781,31 +5671,43 @@ function logError(msg) {
   } catch {
   }
 }
+function isTruthyEnv(value) {
+  return /^(1|true|yes|on)$/i.test(value ?? "");
+}
 function loadPgClient() {
   if (_pgFailed) return null;
-  const postgresUrl = process.env.DATABASE_URL;
   const configPath = path14.join(EXE_AI_DIR, "config.json");
   let cloudPostgresUrl;
+  let configEnabled = false;
   try {
     if (existsSync14(configPath)) {
       const cfg = JSON.parse(readFileSync10(configPath, "utf8"));
       cloudPostgresUrl = cfg.cloud?.postgresUrl;
-      if (cfg.cloud?.syncToPostgres === false) {
-        _pgFailed = true;
-        return null;
-      }
+      configEnabled = cfg.cloud?.syncToPostgres === true;
     }
   } catch {
   }
-  const url = postgresUrl || cloudPostgresUrl;
+  const envEnabled = isTruthyEnv(process.env.EXE_CLOUD_SYNC_TO_POSTGRES);
+  if (!envEnabled && !configEnabled) {
+    return null;
+  }
+  const url = process.env.DATABASE_URL || cloudPostgresUrl;
   if (!url) {
     _pgFailed = true;
     return null;
   }
   if (!_pgPromise) {
     _pgPromise = (async () => {
+      if (!process.env.DATABASE_URL) process.env.DATABASE_URL = url;
       const { createRequire: createRequire3 } = await import("module");
       const { pathToFileURL: pathToFileURL3 } = await import("url");
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const mod2 = await import(pathToFileURL3(explicitPath).href);
+        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
+        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor2();
+      }
       const exeDbRoot = process.env.EXE_DB_ROOT ?? path14.join(homedir2(), "exe-db");
       const req = createRequire3(path14.join(exeDbRoot, "package.json"));
       const entry = req.resolve("@prisma/client");
@@ -6002,6 +5904,15 @@ async function cloudSync(config) {
   } catch {
     throw new Error("[cloud-sync] Database not initialized. Call initStore() before cloudSync().");
   }
+  try {
+    const relink = await client.execute("SELECT value FROM sync_meta WHERE key = 'cloud_relink_required' LIMIT 1");
+    if (String(relink.rows[0]?.value ?? "") === "1") {
+      throw new Error("[cloud-sync] Paused after key rotation. Re-link/reupload cloud sync with the new recovery phrase before syncing.");
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("Paused after key rotation")) throw err;
+  }
   try {
     const { getRawClient: getRawClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
     await getRawClient2().execute("PRAGMA wal_checkpoint(PASSIVE)");
@@ -17385,7 +17296,13 @@ async function runStackUpdate(options) {
   writeFileSync20(tmp, patched, { mode: 384 });
   renameSync7(tmp, options.envFile);
   const composeArgs = ["compose", "--file", options.composeFile, "--env-file", options.envFile];
+  let registryForLogout;
   try {
+    const creds = await fetchImageCredentials(options);
+    if (creds) {
+      (options.dockerLogin ?? defaultDockerLogin)(creds);
+      registryForLogout = creds.registry;
+    }
     exec2("docker", [...composeArgs, "pull"]);
     exec2("docker", [...composeArgs, "up", "-d"]);
     await verifyReleaseHealth(plan.release, options.healthRetries ?? 12, options.healthDelayMs ?? 5e3);
@@ -17401,8 +17318,28 @@ async function runStackUpdate(options) {
     const reason = err instanceof Error ? err.message : String(err);
     await postDeployAudit(options, "failed", plan.targetVersion, previousVersion, reason, { rollbackAttempted: true });
     throw new Error(`Stack update failed and rollback was attempted: ${reason}`);
+  } finally {
+    if (registryForLogout) {
+      try {
+        (options.dockerLogout ?? defaultDockerLogout)(registryForLogout);
+      } catch {
+      }
+    }
   }
 }
+async function fetchImageCredentials(options) {
+  if (!options.imageCredentialsUrl) return null;
+  const res = await fetch(options.imageCredentialsUrl, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...options.manifestAuthToken ? { authorization: `Bearer ${options.manifestAuthToken}` } : {}
+    },
+    body: JSON.stringify({ deviceId: options.deviceId, licenseKey: options.licenseKey })
+  });
+  if (!res.ok) throw new Error(`Failed to fetch image credentials: HTTP ${res.status}`);
+  return await res.json();
+}
 function readCurrentStackVersion(lockFile) {
   if (!existsSync30(lockFile)) return void 0;
   try {
@@ -17466,6 +17403,15 @@ function httpStatus(urlString) {
 function defaultExec(cmd, args2, opts) {
   execFileSync3(cmd, args2, { stdio: "inherit", cwd: opts?.cwd });
 }
+function defaultDockerLogin(creds) {
+  execFileSync3("docker", ["login", creds.registry, "-u", creds.username, "--password-stdin"], {
+    input: creds.password,
+    stdio: ["pipe", "inherit", "inherit"]
+  });
+}
+function defaultDockerLogout(registry) {
+  execFileSync3("docker", ["logout", registry], { stdio: "ignore" });
+}
 async function defaultFetchText(ref, authToken) {
   const res = await fetch(ref, {
     headers: authToken ? { authorization: `Bearer ${authToken}` } : void 0
@@ -17492,6 +17438,7 @@ function defaultStackPaths() {
     envFile: process.env.EXE_STACK_ENV_FILE || (existsSync30(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
     manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
     auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
+    imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || "https://update.askexe.com/v1/image-credentials",
     manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN,
     manifestPublicKey: loadDefaultPublicKey()
   };
@@ -17522,6 +17469,7 @@ function parseArgs4(args2) {
     composeFile: defaults.composeFile,
     envFile: defaults.envFile,
     auditUrl: defaults.auditUrl,
+    imageCredentialsUrl: defaults.imageCredentialsUrl,
     manifestAuthToken: defaults.manifestAuthToken,
     manifestPublicKey: defaults.manifestPublicKey,
     deviceId: process.env.EXE_DEVICE_ID,
@@ -17551,6 +17499,9 @@ function parseArgs4(args2) {
     else if (arg === "--auth-token-env") opts.manifestAuthToken = process.env[next()] ?? "";
     else if (arg === "--audit-url") opts.auditUrl = next();
     else if (arg.startsWith("--audit-url=")) opts.auditUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--image-credentials-url") opts.imageCredentialsUrl = next();
+    else if (arg.startsWith("--image-credentials-url=")) opts.imageCredentialsUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--no-image-credentials") opts.imageCredentialsUrl = void 0;
     else if (arg === "--device-id") opts.deviceId = next();
     else if (arg.startsWith("--device-id=")) opts.deviceId = arg.split("=").slice(1).join("=");
     else if (arg === "--license-key") opts.licenseKey = next();
@@ -17588,6 +17539,8 @@ Options:
   --auth-token <token>       Bearer token for private update manifest/audit API
   --auth-token-env <name>    Read bearer token from an environment variable
   --audit-url <url>          Deploy-audit endpoint (default: EXE_STACK_AUDIT_URL/update.askexe.com)
+  --image-credentials-url <url>  Registry credential broker endpoint
+  --no-image-credentials     Skip registry credential broker / Docker login
   --device-id <id>           Device ID to include in deploy audit
   --license-key <key>        License key to include in deploy audit
   --rollback                 Restore latest backed-up .env and restart stack

package/dist/bin/exe-boot.js

@@ -9061,31 +9061,43 @@ function logError(msg) {
   } catch {
   }
 }
+function isTruthyEnv(value) {
+  return /^(1|true|yes|on)$/i.test(value ?? "");
+}
 function loadPgClient() {
   if (_pgFailed) return null;
-  const postgresUrl = process.env.DATABASE_URL;
   const configPath = path25.join(EXE_AI_DIR, "config.json");
   let cloudPostgresUrl;
+  let configEnabled = false;
   try {
     if (existsSync21(configPath)) {
       const cfg = JSON.parse(readFileSync15(configPath, "utf8"));
       cloudPostgresUrl = cfg.cloud?.postgresUrl;
-      if (cfg.cloud?.syncToPostgres === false) {
-        _pgFailed = true;
-        return null;
-      }
+      configEnabled = cfg.cloud?.syncToPostgres === true;
     }
   } catch {
   }
-  const url = postgresUrl || cloudPostgresUrl;
+  const envEnabled = isTruthyEnv(process.env.EXE_CLOUD_SYNC_TO_POSTGRES);
+  if (!envEnabled && !configEnabled) {
+    return null;
+  }
+  const url = process.env.DATABASE_URL || cloudPostgresUrl;
   if (!url) {
     _pgFailed = true;
     return null;
   }
   if (!_pgPromise) {
     _pgPromise = (async () => {
+      if (!process.env.DATABASE_URL) process.env.DATABASE_URL = url;
       const { createRequire: createRequire3 } = await import("module");
       const { pathToFileURL: pathToFileURL3 } = await import("url");
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const mod2 = await import(pathToFileURL3(explicitPath).href);
+        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
+        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor2();
+      }
       const exeDbRoot = process.env.EXE_DB_ROOT ?? path25.join(homedir2(), "exe-db");
       const req = createRequire3(path25.join(exeDbRoot, "package.json"));
       const entry = req.resolve("@prisma/client");
@@ -9282,6 +9294,15 @@ async function cloudSync(config) {
   } catch {
     throw new Error("[cloud-sync] Database not initialized. Call initStore() before cloudSync().");
   }
+  try {
+    const relink = await client.execute("SELECT value FROM sync_meta WHERE key = 'cloud_relink_required' LIMIT 1");
+    if (String(relink.rows[0]?.value ?? "") === "1") {
+      throw new Error("[cloud-sync] Paused after key rotation. Re-link/reupload cloud sync with the new recovery phrase before syncing.");
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("Paused after key rotation")) throw err;
+  }
   try {
     const { getRawClient: getRawClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
     await getRawClient2().execute("PRAGMA wal_checkpoint(PASSIVE)");