@askexenow/exe-os 0.9.63 → 0.9.65

package/dist/bin/stack-update.js

@@ -189,7 +189,13 @@ async function runStackUpdate(options) {
   writeFileSync(tmp, patched, { mode: 384 });
   renameSync(tmp, options.envFile);
   const composeArgs = ["compose", "--file", options.composeFile, "--env-file", options.envFile];
+  let registryForLogout;
   try {
+    const creds = await fetchImageCredentials(options);
+    if (creds) {
+      (options.dockerLogin ?? defaultDockerLogin)(creds);
+      registryForLogout = creds.registry;
+    }
     exec("docker", [...composeArgs, "pull"]);
     exec("docker", [...composeArgs, "up", "-d"]);
     await verifyReleaseHealth(plan.release, options.healthRetries ?? 12, options.healthDelayMs ?? 5e3);
@@ -205,8 +211,28 @@ async function runStackUpdate(options) {
     const reason = err instanceof Error ? err.message : String(err);
     await postDeployAudit(options, "failed", plan.targetVersion, previousVersion, reason, { rollbackAttempted: true });
     throw new Error(`Stack update failed and rollback was attempted: ${reason}`);
+  } finally {
+    if (registryForLogout) {
+      try {
+        (options.dockerLogout ?? defaultDockerLogout)(registryForLogout);
+      } catch {
+      }
+    }
   }
 }
+async function fetchImageCredentials(options) {
+  if (!options.imageCredentialsUrl) return null;
+  const res = await fetch(options.imageCredentialsUrl, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      ...options.manifestAuthToken ? { authorization: `Bearer ${options.manifestAuthToken}` } : {}
+    },
+    body: JSON.stringify({ deviceId: options.deviceId, licenseKey: options.licenseKey })
+  });
+  if (!res.ok) throw new Error(`Failed to fetch image credentials: HTTP ${res.status}`);
+  return await res.json();
+}
 function readCurrentStackVersion(lockFile) {
   if (!existsSync(lockFile)) return void 0;
   try {
@@ -270,6 +296,15 @@ function httpStatus(urlString) {
 function defaultExec(cmd, args, opts) {
   execFileSync(cmd, args, { stdio: "inherit", cwd: opts?.cwd });
 }
+function defaultDockerLogin(creds) {
+  execFileSync("docker", ["login", creds.registry, "-u", creds.username, "--password-stdin"], {
+    input: creds.password,
+    stdio: ["pipe", "inherit", "inherit"]
+  });
+}
+function defaultDockerLogout(registry) {
+  execFileSync("docker", ["logout", registry], { stdio: "ignore" });
+}
 async function defaultFetchText(ref, authToken) {
   const res = await fetch(ref, {
     headers: authToken ? { authorization: `Bearer ${authToken}` } : void 0
@@ -296,6 +331,7 @@ function defaultStackPaths() {
     envFile: process.env.EXE_STACK_ENV_FILE || (existsSync(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
     manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
     auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
+    imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || "https://update.askexe.com/v1/image-credentials",
     manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN,
     manifestPublicKey: loadDefaultPublicKey()
   };
@@ -316,6 +352,7 @@ function parseArgs(args) {
     composeFile: defaults.composeFile,
     envFile: defaults.envFile,
     auditUrl: defaults.auditUrl,
+    imageCredentialsUrl: defaults.imageCredentialsUrl,
     manifestAuthToken: defaults.manifestAuthToken,
     manifestPublicKey: defaults.manifestPublicKey,
     deviceId: process.env.EXE_DEVICE_ID,
@@ -345,6 +382,9 @@ function parseArgs(args) {
     else if (arg === "--auth-token-env") opts.manifestAuthToken = process.env[next()] ?? "";
     else if (arg === "--audit-url") opts.auditUrl = next();
     else if (arg.startsWith("--audit-url=")) opts.auditUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--image-credentials-url") opts.imageCredentialsUrl = next();
+    else if (arg.startsWith("--image-credentials-url=")) opts.imageCredentialsUrl = arg.split("=").slice(1).join("=");
+    else if (arg === "--no-image-credentials") opts.imageCredentialsUrl = void 0;
     else if (arg === "--device-id") opts.deviceId = next();
     else if (arg.startsWith("--device-id=")) opts.deviceId = arg.split("=").slice(1).join("=");
     else if (arg === "--license-key") opts.licenseKey = next();
@@ -382,6 +422,8 @@ Options:
   --auth-token <token>       Bearer token for private update manifest/audit API
   --auth-token-env <name>    Read bearer token from an environment variable
   --audit-url <url>          Deploy-audit endpoint (default: EXE_STACK_AUDIT_URL/update.askexe.com)
+  --image-credentials-url <url>  Registry credential broker endpoint
+  --no-image-credentials     Skip registry credential broker / Docker login
   --device-id <id>           Device ID to include in deploy audit
   --license-key <key>        License key to include in deploy audit
   --rollback                 Restore latest backed-up .env and restart stack

package/dist/hooks/bug-report-worker.js

@@ -8892,98 +8892,54 @@ async function fastDbInit() {
 // src/adapters/claude/hooks/bug-report-worker.ts
 init_database();
 init_tasks();
-
-// src/lib/bug-intake.ts
-import { createHash as createHash3, randomUUID as randomUUID4 } from "crypto";
-var BUG_INTAKE_SCHEMA_VERSION = 1;
-function firstMeaningfulLine(text) {
-  return text.split("\n").find((line) => line.trim().length > 0)?.trim().slice(0, 80) ?? "unknown error";
-}
-function stableFingerprint(input) {
-  const basis = [
-    input.source,
-    input.toolName ?? "unknown",
-    firstMeaningfulLine(input.errorText ?? ""),
-    input.projectName ?? "unknown"
-  ].join("|");
-  return createHash3("sha256").update(basis).digest("hex").slice(0, 16);
-}
-function hashLicense(licenseKey) {
-  if (!licenseKey) return void 0;
-  return createHash3("sha256").update(licenseKey).digest("hex").slice(0, 16);
-}
-function buildBugIntake(input) {
-  const toolName = input.toolName ?? "unknown";
-  const errorText = input.errorText ?? "";
-  const summary = firstMeaningfulLine(errorText);
-  const fingerprint = input.fingerprint && input.fingerprint.trim().length > 0 ? input.fingerprint.trim() : stableFingerprint(input);
-  return {
-    schemaVersion: BUG_INTAKE_SCHEMA_VERSION,
-    id: randomUUID4(),
-    source: input.source,
-    createdAt: input.createdAt ?? (/* @__PURE__ */ new Date()).toISOString(),
-    fingerprint,
-    severity: input.severity ?? "p1",
-    title: `[auto-bug] ${toolName}: ${summary.slice(0, 60)}`,
-    summary,
-    reporterAgentId: input.reporterAgentId ?? "unknown",
-    reporterAgentRole: input.reporterAgentRole ?? "employee",
-    projectName: input.projectName ?? "unknown",
-    toolName,
-    errorText,
-    toolInput: input.toolInput ?? "{}",
-    runtime: input.runtime,
-    repo: input.repo,
-    licenseKeyHash: hashLicense(input.licenseKey),
-    labels: ["auto-bug", input.source, toolName].filter(Boolean)
-  };
-}
-function buildBugIntakeFromEnv(env = process.env) {
-  return buildBugIntake({
-    source: "hook",
-    toolName: env.BUG_TOOL_NAME,
-    errorText: env.BUG_ERROR_TEXT,
-    toolInput: env.BUG_TOOL_INPUT,
-    fingerprint: env.BUG_FINGERPRINT,
-    reporterAgentId: env.BUG_AGENT_ID,
-    reporterAgentRole: env.BUG_AGENT_ROLE,
-    projectName: env.BUG_PROJECT_NAME,
-    runtime: env.EXE_RUNTIME,
-    repo: env.EXE_REPO,
-    licenseKey: env.EXE_LICENSE_KEY
+async function main() {
+  const toolName = process.env.BUG_TOOL_NAME ?? "unknown";
+  const errorText = process.env.BUG_ERROR_TEXT ?? "";
+  const toolInput = process.env.BUG_TOOL_INPUT ?? "{}";
+  const fingerprint = process.env.BUG_FINGERPRINT ?? "";
+  const agentId = process.env.BUG_AGENT_ID ?? "unknown";
+  const agentRole = process.env.BUG_AGENT_ROLE ?? "employee";
+  const projectName = process.env.BUG_PROJECT_NAME ?? "unknown";
+  await fastDbInit();
+  const fpPrefix = fingerprint.slice(0, 8);
+  const client = getClient();
+  const { loadEmployeesSync: loadEmployeesSync2, getEmployeeByRole: getEmployeeByRole2, getCoordinatorName: getCoordinatorName2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
+  const employees = loadEmployeesSync2();
+  const coordinatorName = getCoordinatorName2(employees);
+  const ctoName = getEmployeeByRole2(employees, "CTO")?.name ?? coordinatorName;
+  const existing = await client.execute({
+    sql: `SELECT id FROM tasks
+          WHERE assigned_to = ?
+            AND status IN ('open', 'in_progress')
+            AND title LIKE '[auto-bug]%'
+            AND task_file LIKE ?
+          LIMIT 1`,
+    args: [ctoName, `%${fpPrefix}%`]
   });
-}
-function formatBugIntakeTaskContext(record) {
-  return [
+  if (existing.rows.length > 0) {
+    process.stderr.write(`[bug-report-worker] Duplicate found for fingerprint ${fingerprint}, skipping
+`);
+    return;
+  }
+  const errorSummary = errorText.split("\n").find((line) => line.trim().length > 0)?.trim().slice(0, 60) ?? "unknown error";
+  const context = [
     "## Auto-detected system bug",
     "",
-    `**Schema:** bug-intake/v${record.schemaVersion}`,
-    `**Source:** ${record.source}`,
-    `**Detected by:** ${record.reporterAgentId} (${record.reporterAgentRole})`,
-    `**Tool:** ${record.toolName}`,
-    `**Timestamp:** ${record.createdAt}`,
-    `**Fingerprint:** ${record.fingerprint}`,
-    `**Severity:** ${record.severity}`,
-    record.runtime ? `**Runtime:** ${record.runtime}` : void 0,
-    record.repo ? `**Repo:** ${record.repo}` : void 0,
-    record.licenseKeyHash ? `**License hash:** ${record.licenseKeyHash}` : void 0,
+    `**Detected by:** ${agentId} (${agentRole})`,
+    `**Tool:** ${toolName}`,
+    `**Timestamp:** ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    `**Fingerprint:** ${fingerprint}`,
     "",
     "## Error output",
     "",
     "```",
-    record.errorText.slice(0, 2e3),
+    errorText.slice(0, 1e3),
     "```",
     "",
     "## Tool input (reproduction context)",
     "",
     "```json",
-    record.toolInput.slice(0, 1e3),
-    "```",
-    "",
-    "## Normalized intake JSON",
-    "",
-    "```json",
-    JSON.stringify(record, null, 2),
+    toolInput.slice(0, 500),
     "```",
     "",
     "## Triage notes",
@@ -8991,44 +8947,19 @@ function formatBugIntakeTaskContext(record) {
     "- Classification: system bug (auto-detected)",
     "- Review this error \u2014 fix if real, close if false positive",
     "- If false positive: add the error pattern to USER_ERROR_PATTERNS in error-detector.ts"
-  ].filter((line) => line !== void 0).join("\n");
-}
-
-// src/adapters/claude/hooks/bug-report-worker.ts
-async function main() {
-  const intake = buildBugIntakeFromEnv(process.env);
-  await fastDbInit();
-  const client = getClient();
-  const { loadEmployeesSync: loadEmployeesSync2, getEmployeeByRole: getEmployeeByRole2, getCoordinatorName: getCoordinatorName2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
-  const employees = loadEmployeesSync2();
-  const coordinatorName = getCoordinatorName2(employees);
-  const ctoName = getEmployeeByRole2(employees, "CTO")?.name ?? coordinatorName;
-  const existing = await client.execute({
-    sql: `SELECT id FROM tasks
-          WHERE assigned_to = ?
-            AND status IN ('open', 'in_progress')
-            AND title LIKE '[auto-bug]%'
-            AND (context LIKE ? OR task_file LIKE ?)
-          LIMIT 1`,
-    args: [ctoName, `%${intake.fingerprint}%`, `%${intake.fingerprint.slice(0, 8)}%`]
-  });
-  if (existing.rows.length > 0) {
-    process.stderr.write(`[bug-report-worker] Duplicate found for fingerprint ${intake.fingerprint}, skipping
-`);
-    return;
-  }
+  ].join("\n");
   await createTask({
-    title: intake.title,
+    title: `[auto-bug] ${toolName}: ${errorSummary}`,
     assignedTo: ctoName,
     assignedBy: "system",
-    projectName: intake.projectName,
-    priority: intake.severity,
-    context: formatBugIntakeTaskContext(intake),
+    projectName,
+    priority: "p1",
+    context,
     baseDir: process.cwd(),
     skipDispatch: true,
     reviewer: coordinatorName
   });
-  process.stderr.write(`[bug-report-worker] Created auto-bug task for ${intake.toolName}: ${intake.summary}
+  process.stderr.write(`[bug-report-worker] Created auto-bug task for ${toolName}: ${errorSummary}
 `);
 }
 main().catch((err) => {