@askexenow/exe-os 0.9.65 → 0.9.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
@@ -214,6 +214,11 @@ function normalizeAutoUpdate(raw) {
214
214
  const userAU = raw.autoUpdate ?? {};
215
215
  raw.autoUpdate = { ...defaultAU, ...userAU };
216
216
  }
217
+ function normalizeOrchestration(raw) {
218
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
219
+ const userOrg = raw.orchestration ?? {};
220
+ raw.orchestration = { ...defaultOrg, ...userOrg };
221
+ }
217
222
  async function loadConfig() {
218
223
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
219
224
  await ensurePrivateDir(dir);
@@ -238,10 +243,15 @@ async function loadConfig() {
238
243
  normalizeScalingRoadmap(migratedCfg);
239
244
  normalizeSessionLifecycle(migratedCfg);
240
245
  normalizeAutoUpdate(migratedCfg);
246
+ normalizeOrchestration(migratedCfg);
241
247
  const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
242
248
  if (config.dbPath.startsWith("~")) {
243
249
  config.dbPath = config.dbPath.replace(/^~/, os.homedir());
244
250
  }
251
+ const envDbPath = path.join(dir, "memories.db");
252
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
253
+ config.dbPath = envDbPath;
254
+ }
245
255
  return config;
246
256
  } catch {
247
257
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
@@ -261,7 +271,16 @@ function loadConfigSync() {
261
271
  normalizeScalingRoadmap(migratedCfg);
262
272
  normalizeSessionLifecycle(migratedCfg);
263
273
  normalizeAutoUpdate(migratedCfg);
264
- return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
274
+ normalizeOrchestration(migratedCfg);
275
+ const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
276
+ if (config.dbPath.startsWith("~")) {
277
+ config.dbPath = config.dbPath.replace(/^~/, os.homedir());
278
+ }
279
+ const envDbPath = path.join(dir, "memories.db");
280
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
281
+ config.dbPath = envDbPath;
282
+ }
283
+ return config;
265
284
  } catch {
266
285
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
267
286
  }
@@ -282,6 +301,7 @@ async function loadConfigFrom(configPath) {
282
301
  normalizeScalingRoadmap(migratedCfg);
283
302
  normalizeSessionLifecycle(migratedCfg);
284
303
  normalizeAutoUpdate(migratedCfg);
304
+ normalizeOrchestration(migratedCfg);
285
305
  return { ...DEFAULT_CONFIG, ...migratedCfg };
286
306
  } catch {
287
307
  return { ...DEFAULT_CONFIG };
@@ -353,6 +373,10 @@ var init_config = __esm({
353
373
  checkOnBoot: true,
354
374
  autoInstall: false,
355
375
  checkIntervalMs: 24 * 60 * 60 * 1e3
376
+ },
377
+ orchestration: {
378
+ phase: "phase_1_coo",
379
+ phaseSetBy: "default"
356
380
  }
357
381
  };
358
382
  CONFIG_MIGRATIONS = [
@@ -1800,6 +1824,9 @@ function getClient() {
1800
1824
  if (_daemonClient && _daemonClient._isDaemonActive()) {
1801
1825
  return _daemonClient;
1802
1826
  }
1827
+ if (!_resilientClient) {
1828
+ return _adapterClient;
1829
+ }
1803
1830
  return _resilientClient;
1804
1831
  }
1805
1832
  async function initDaemonClient() {
@@ -2832,6 +2859,127 @@ async function ensureSchema() {
2832
2859
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
2833
2860
  END;
2834
2861
  `);
2862
+ await client.executeMultiple(`
2863
+ CREATE TABLE IF NOT EXISTS agent_sessions (
2864
+ id TEXT PRIMARY KEY,
2865
+ agent_id TEXT NOT NULL,
2866
+ project_name TEXT,
2867
+ started_at TEXT NOT NULL,
2868
+ last_event_at TEXT NOT NULL,
2869
+ event_count INTEGER NOT NULL DEFAULT 0,
2870
+ properties TEXT DEFAULT '{}'
2871
+ );
2872
+
2873
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
2874
+ ON agent_sessions(agent_id, started_at);
2875
+
2876
+ CREATE TABLE IF NOT EXISTS agent_goals (
2877
+ id TEXT PRIMARY KEY,
2878
+ statement TEXT NOT NULL,
2879
+ owner_agent_id TEXT,
2880
+ project_name TEXT,
2881
+ status TEXT NOT NULL DEFAULT 'open',
2882
+ priority INTEGER NOT NULL DEFAULT 5,
2883
+ success_criteria TEXT,
2884
+ parent_goal_id TEXT,
2885
+ due_at TEXT,
2886
+ achieved_at TEXT,
2887
+ supersedes_id TEXT,
2888
+ created_at TEXT NOT NULL,
2889
+ updated_at TEXT NOT NULL,
2890
+ source_memory_id TEXT
2891
+ );
2892
+
2893
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
2894
+ ON agent_goals(project_name, status, priority);
2895
+
2896
+ CREATE TABLE IF NOT EXISTS agent_events (
2897
+ id TEXT PRIMARY KEY,
2898
+ event_type TEXT NOT NULL,
2899
+ occurred_at TEXT NOT NULL,
2900
+ sequence_index INTEGER NOT NULL,
2901
+ actor_agent_id TEXT,
2902
+ agent_role TEXT,
2903
+ project_name TEXT,
2904
+ session_id TEXT,
2905
+ task_id TEXT,
2906
+ goal_id TEXT,
2907
+ parent_event_id TEXT,
2908
+ intention TEXT,
2909
+ outcome TEXT,
2910
+ evidence_memory_id TEXT,
2911
+ impact TEXT,
2912
+ payload TEXT DEFAULT '{}',
2913
+ created_at TEXT NOT NULL
2914
+ );
2915
+
2916
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
2917
+ ON agent_events(occurred_at, sequence_index);
2918
+
2919
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
2920
+ ON agent_events(session_id, sequence_index);
2921
+
2922
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
2923
+ ON agent_events(goal_id, occurred_at);
2924
+
2925
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
2926
+ ON agent_events(evidence_memory_id);
2927
+
2928
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
2929
+ id TEXT PRIMARY KEY,
2930
+ goal_id TEXT NOT NULL,
2931
+ link_type TEXT NOT NULL,
2932
+ target_id TEXT NOT NULL,
2933
+ target_type TEXT NOT NULL,
2934
+ created_at TEXT NOT NULL
2935
+ );
2936
+
2937
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
2938
+ ON agent_goal_links(goal_id, target_type);
2939
+
2940
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
2941
+ id TEXT PRIMARY KEY,
2942
+ source_memory_id TEXT NOT NULL,
2943
+ event_id TEXT,
2944
+ labeler TEXT NOT NULL,
2945
+ schema_version INTEGER NOT NULL DEFAULT 1,
2946
+ confidence REAL NOT NULL DEFAULT 0,
2947
+ labels TEXT NOT NULL,
2948
+ created_at TEXT NOT NULL,
2949
+ updated_at TEXT NOT NULL
2950
+ );
2951
+
2952
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
2953
+ ON agent_semantic_labels(source_memory_id, labeler);
2954
+
2955
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
2956
+ ON agent_semantic_labels(event_id);
2957
+
2958
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
2959
+ id TEXT PRIMARY KEY,
2960
+ project_name TEXT,
2961
+ session_id TEXT,
2962
+ window_start_at TEXT NOT NULL,
2963
+ window_end_at TEXT NOT NULL,
2964
+ event_count INTEGER NOT NULL DEFAULT 0,
2965
+ goal_count INTEGER NOT NULL DEFAULT 0,
2966
+ success_count INTEGER NOT NULL DEFAULT 0,
2967
+ failure_count INTEGER NOT NULL DEFAULT 0,
2968
+ risk_count INTEGER NOT NULL DEFAULT 0,
2969
+ summary TEXT NOT NULL,
2970
+ learnings TEXT NOT NULL DEFAULT '[]',
2971
+ next_actions TEXT NOT NULL DEFAULT '[]',
2972
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
2973
+ confidence REAL NOT NULL DEFAULT 0,
2974
+ created_at TEXT NOT NULL
2975
+ );
2976
+
2977
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
2978
+ ON agent_reflection_checkpoints(project_name, window_end_at);
2979
+
2980
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
2981
+ ON agent_reflection_checkpoints(session_id, window_end_at);
2982
+ `);
2835
2983
  try {
2836
2984
  await client.execute({
2837
2985
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -2981,7 +3129,7 @@ var init_database = __esm({
2981
3129
 
2982
3130
  // src/lib/keychain.ts
2983
3131
  import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
2984
- import { existsSync as existsSync6 } from "fs";
3132
+ import { existsSync as existsSync6, statSync as statSync2 } from "fs";
2985
3133
  import { execSync as execSync2 } from "child_process";
2986
3134
  import path6 from "path";
2987
3135
  import os5 from "os";
@@ -2991,29 +3139,65 @@ function getKeyDir() {
2991
3139
  function getKeyPath() {
2992
3140
  return path6.join(getKeyDir(), "master.key");
2993
3141
  }
2994
- function macKeychainGet() {
3142
+ function nativeKeychainAllowed() {
3143
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
3144
+ }
3145
+ function linuxSecretAvailable() {
3146
+ if (!nativeKeychainAllowed()) return false;
3147
+ if (process.platform !== "linux") return false;
3148
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
3149
+ try {
3150
+ execSync2("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
3151
+ } catch {
3152
+ linuxSecretAvailability = false;
3153
+ return false;
3154
+ }
3155
+ try {
3156
+ execSync2("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
3157
+ linuxSecretAvailability = true;
3158
+ } catch {
3159
+ linuxSecretAvailability = false;
3160
+ }
3161
+ return linuxSecretAvailability;
3162
+ }
3163
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
3164
+ if (process.platform !== "linux") return false;
3165
+ try {
3166
+ const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
3167
+ const st = statSync2(keyPath);
3168
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
3169
+ if (uid === 0) return true;
3170
+ const exeOsDir = process.env.EXE_OS_DIR;
3171
+ return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
3172
+ } catch {
3173
+ return false;
3174
+ }
3175
+ }
3176
+ function macKeychainGet(service = SERVICE) {
3177
+ if (!nativeKeychainAllowed()) return null;
2995
3178
  if (process.platform !== "darwin") return null;
2996
3179
  try {
2997
3180
  return execSync2(
2998
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
3181
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
2999
3182
  { encoding: "utf-8", timeout: 5e3 }
3000
3183
  ).trim();
3001
3184
  } catch {
3002
3185
  return null;
3003
3186
  }
3004
3187
  }
3005
- function macKeychainSet(value) {
3188
+ function macKeychainSet(value, service = SERVICE) {
3189
+ if (!nativeKeychainAllowed()) return false;
3006
3190
  if (process.platform !== "darwin") return false;
3007
3191
  try {
3008
3192
  try {
3009
3193
  execSync2(
3010
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
3194
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3011
3195
  { timeout: 5e3 }
3012
3196
  );
3013
3197
  } catch {
3014
3198
  }
3015
3199
  execSync2(
3016
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
3200
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
3017
3201
  { timeout: 5e3 }
3018
3202
  );
3019
3203
  return true;
@@ -3021,22 +3205,48 @@ function macKeychainSet(value) {
3021
3205
  return false;
3022
3206
  }
3023
3207
  }
3024
- function linuxSecretGet() {
3025
- if (process.platform !== "linux") return null;
3208
+ function macKeychainDelete(service = SERVICE) {
3209
+ if (!nativeKeychainAllowed()) return false;
3210
+ if (process.platform !== "darwin") return false;
3211
+ try {
3212
+ execSync2(
3213
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3214
+ { timeout: 5e3 }
3215
+ );
3216
+ return true;
3217
+ } catch {
3218
+ return false;
3219
+ }
3220
+ }
3221
+ function linuxSecretGet(service = SERVICE) {
3222
+ if (!linuxSecretAvailable()) return null;
3026
3223
  try {
3027
3224
  return execSync2(
3028
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
3225
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3029
3226
  { encoding: "utf-8", timeout: 5e3 }
3030
3227
  ).trim();
3031
3228
  } catch {
3032
3229
  return null;
3033
3230
  }
3034
3231
  }
3035
- function linuxSecretSet(value) {
3232
+ function linuxSecretSet(value, service = SERVICE) {
3233
+ if (!linuxSecretAvailable()) return false;
3234
+ try {
3235
+ execSync2(
3236
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3237
+ { timeout: 5e3 }
3238
+ );
3239
+ return true;
3240
+ } catch {
3241
+ return false;
3242
+ }
3243
+ }
3244
+ function linuxSecretDelete(service = SERVICE) {
3245
+ if (!nativeKeychainAllowed()) return false;
3036
3246
  if (process.platform !== "linux") return false;
3037
3247
  try {
3038
3248
  execSync2(
3039
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
3249
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3040
3250
  { timeout: 5e3 }
3041
3251
  );
3042
3252
  return true;
@@ -3045,6 +3255,7 @@ function linuxSecretSet(value) {
3045
3255
  }
3046
3256
  }
3047
3257
  async function tryKeytar() {
3258
+ if (!nativeKeychainAllowed()) return null;
3048
3259
  try {
3049
3260
  return await import("keytar");
3050
3261
  } catch {
@@ -3118,7 +3329,19 @@ async function writeMachineBoundFileFallback(b64) {
3118
3329
  return "plaintext";
3119
3330
  }
3120
3331
  async function getMasterKey() {
3121
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
3332
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
3333
+ if (!nativeValue) {
3334
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
3335
+ if (legacyValue) {
3336
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
3337
+ if (migrated) {
3338
+ macKeychainDelete(LEGACY_SERVICE);
3339
+ linuxSecretDelete(LEGACY_SERVICE);
3340
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
3341
+ }
3342
+ nativeValue = legacyValue;
3343
+ }
3344
+ }
3122
3345
  if (nativeValue) {
3123
3346
  return Buffer.from(nativeValue, "base64");
3124
3347
  }
@@ -3126,12 +3349,17 @@ async function getMasterKey() {
3126
3349
  if (keytar) {
3127
3350
  try {
3128
3351
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
3129
- if (keytarValue) {
3130
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
3352
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
3353
+ if (legacyKeytarValue) {
3354
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
3131
3355
  if (migrated) {
3132
3356
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
3357
+ try {
3358
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
3359
+ } catch {
3360
+ }
3133
3361
  }
3134
- return Buffer.from(keytarValue, "base64");
3362
+ return Buffer.from(legacyKeytarValue, "base64");
3135
3363
  }
3136
3364
  } catch {
3137
3365
  }
@@ -3156,7 +3384,7 @@ async function getMasterKey() {
3156
3384
  const decrypted = decryptWithMachineKey(content, machineKey);
3157
3385
  if (!decrypted) {
3158
3386
  process.stderr.write(
3159
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
3387
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
3160
3388
  );
3161
3389
  return null;
3162
3390
  }
@@ -3165,6 +3393,9 @@ async function getMasterKey() {
3165
3393
  b64Value = content;
3166
3394
  }
3167
3395
  const key = Buffer.from(b64Value, "base64");
3396
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
3397
+ return key;
3398
+ }
3168
3399
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
3169
3400
  if (migrated) {
3170
3401
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -3192,12 +3423,14 @@ async function getMasterKey() {
3192
3423
  return null;
3193
3424
  }
3194
3425
  }
3195
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
3426
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
3196
3427
  var init_keychain = __esm({
3197
3428
  "src/lib/keychain.ts"() {
3198
3429
  "use strict";
3199
- SERVICE = "exe-mem";
3430
+ SERVICE = "exe-os";
3431
+ LEGACY_SERVICE = "exe-mem";
3200
3432
  ACCOUNT = "master-key";
3433
+ linuxSecretAvailability = null;
3201
3434
  ENCRYPTED_PREFIX = "enc:";
3202
3435
  }
3203
3436
  });
@@ -3467,7 +3700,7 @@ __export(shard_manager_exports, {
3467
3700
  shardExists: () => shardExists
3468
3701
  });
3469
3702
  import path7 from "path";
3470
- import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync2 } from "fs";
3703
+ import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync3 } from "fs";
3471
3704
  import { createClient as createClient2 } from "@libsql/client";
3472
3705
  function initShardManager(encryptionKey) {
3473
3706
  _encryptionKey = encryptionKey;
@@ -3531,7 +3764,7 @@ async function auditShardHealth(options = {}) {
3531
3764
  const shards = [];
3532
3765
  for (const name of names) {
3533
3766
  const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
3534
- const stat = statSync2(dbPath);
3767
+ const stat = statSync3(dbPath);
3535
3768
  const item = {
3536
3769
  name,
3537
3770
  path: dbPath,
@@ -3784,7 +4017,7 @@ async function getReadyShardClient(projectName2) {
3784
4017
  _shardLastAccess.delete(safeName);
3785
4018
  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
3786
4019
  if (existsSync7(dbPath)) {
3787
- const stat = statSync2(dbPath);
4020
+ const stat = statSync3(dbPath);
3788
4021
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
3789
4022
  const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
3790
4023
  renameSync3(dbPath, archivedPath);
@@ -3904,6 +4137,12 @@ var init_platform_procedures = __esm({
3904
4137
  priority: "p0",
3905
4138
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
3906
4139
  },
4140
+ {
4141
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
4142
+ domain: "workflow",
4143
+ priority: "p1",
4144
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
4145
+ },
3907
4146
  {
3908
4147
  title: "Single dispatch path \u2014 create_task only",
3909
4148
  domain: "workflow",
@@ -3962,6 +4201,12 @@ var init_platform_procedures = __esm({
3962
4201
  priority: "p0",
3963
4202
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
3964
4203
  },
4204
+ {
4205
+ title: "Commit discipline \u2014 never leave verified work floating",
4206
+ domain: "workflow",
4207
+ priority: "p1",
4208
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
4209
+ },
3965
4210
  {
3966
4211
  title: "Desktop and TUI are the same product",
3967
4212
  domain: "architecture",
@@ -4279,6 +4524,274 @@ var init_memory_cards = __esm({
4279
4524
  }
4280
4525
  });
4281
4526
 
4527
+ // src/lib/agentic-ontology.ts
4528
+ var agentic_ontology_exports = {};
4529
+ __export(agentic_ontology_exports, {
4530
+ clean: () => clean,
4531
+ extractGoalCandidates: () => extractGoalCandidates,
4532
+ inferIntention: () => inferIntention,
4533
+ inferOntologyEventType: () => inferOntologyEventType,
4534
+ inferOutcome: () => inferOutcome,
4535
+ inferSemanticLabel: () => inferSemanticLabel,
4536
+ insertOntologyForBatch: () => insertOntologyForBatch,
4537
+ insertOntologyForMemory: () => insertOntologyForMemory,
4538
+ ontologyPayload: () => ontologyPayload,
4539
+ stableId: () => stableId2
4540
+ });
4541
+ import { createHash as createHash3 } from "crypto";
4542
+ function stableId2(...parts) {
4543
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
4544
+ }
4545
+ function clean(text, max = 240) {
4546
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
4547
+ }
4548
+ function inferOntologyEventType(row) {
4549
+ const lower = row.raw_text.toLowerCase();
4550
+ if (row.has_error) return "error";
4551
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
4552
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
4553
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
4554
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
4555
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
4556
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
4557
+ return "memory_observation";
4558
+ }
4559
+ function inferIntention(row) {
4560
+ if (row.intent) return clean(row.intent, 220);
4561
+ const text = clean(row.raw_text, 1e3);
4562
+ const patterns = [
4563
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
4564
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
4565
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
4566
+ ];
4567
+ for (const p of patterns) {
4568
+ const m = text.match(p);
4569
+ if (m?.[1]) return clean(m[1], 220);
4570
+ }
4571
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
4572
+ return `${row.tool_name} during ${row.project_name}`;
4573
+ }
4574
+ return null;
4575
+ }
4576
+ function inferOutcome(row) {
4577
+ if (row.outcome) return clean(row.outcome, 220);
4578
+ if (row.has_error) return "error";
4579
+ const lower = row.raw_text.toLowerCase();
4580
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
4581
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
4582
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
4583
+ return null;
4584
+ }
4585
+ function extractGoalCandidates(row) {
4586
+ const text = clean(row.raw_text, 1600);
4587
+ const patterns = [
4588
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
4589
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
4590
+ ];
4591
+ const out = [];
4592
+ for (const pattern of patterns) {
4593
+ for (const m of text.matchAll(pattern)) {
4594
+ const candidate = clean(m[1] ?? "", 220);
4595
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
4596
+ if (out.length >= 3) return out;
4597
+ }
4598
+ }
4599
+ return out;
4600
+ }
4601
+ function uniq(values, max = 6) {
4602
+ const out = [];
4603
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
4604
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
4605
+ if (out.length >= max) break;
4606
+ }
4607
+ return out;
4608
+ }
4609
+ function extractMatches(text, patterns, max = 5) {
4610
+ const out = [];
4611
+ for (const pattern of patterns) {
4612
+ for (const match of text.matchAll(pattern)) {
4613
+ const value = match[1] ?? match[0];
4614
+ if (value) out.push(value);
4615
+ if (out.length >= max) return uniq(out, max);
4616
+ }
4617
+ }
4618
+ return uniq(out, max);
4619
+ }
4620
+ function inferSemanticLabel(row) {
4621
+ const text = clean(row.raw_text, 2400);
4622
+ const eventType = inferOntologyEventType(row);
4623
+ const intention = inferIntention(row);
4624
+ const outcome = inferOutcome(row);
4625
+ const goals = extractGoalCandidates(row);
4626
+ const milestones = extractMatches(text, [
4627
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
4628
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
4629
+ ]);
4630
+ const problems = extractMatches(text, [
4631
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
4632
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
4633
+ ]);
4634
+ const decisions = extractMatches(text, [
4635
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
4636
+ ]);
4637
+ const temporalAnchors = extractMatches(text, [
4638
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
4639
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
4640
+ ], 8);
4641
+ const nextActions = extractMatches(text, [
4642
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
4643
+ ]);
4644
+ const actors = uniq([
4645
+ row.agent_id,
4646
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
4647
+ ], 6);
4648
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
4649
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
4650
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
4651
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
4652
+ return {
4653
+ labeler: "deterministic",
4654
+ schemaVersion: 1,
4655
+ eventType,
4656
+ intention,
4657
+ outcome,
4658
+ impact,
4659
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
4660
+ goals,
4661
+ milestones,
4662
+ problems,
4663
+ decisions,
4664
+ actors,
4665
+ temporalAnchors,
4666
+ successSignals,
4667
+ failureSignals,
4668
+ nextActions,
4669
+ summary: clean(text, 280)
4670
+ };
4671
+ }
4672
+ function ontologyPayload(row) {
4673
+ const semantic = inferSemanticLabel(row);
4674
+ return {
4675
+ tool_name: row.tool_name,
4676
+ memory_version: row.version ?? null,
4677
+ domain: row.domain ?? null,
4678
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
4679
+ semantic
4680
+ };
4681
+ }
4682
+ function safeJson(value) {
4683
+ try {
4684
+ return JSON.parse(value);
4685
+ } catch {
4686
+ return value.slice(0, 1e3);
4687
+ }
4688
+ }
4689
+ async function resolveClient(client) {
4690
+ if (client) return client;
4691
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
4692
+ return getClient2();
4693
+ }
4694
+ async function insertOntologyForMemory(row, client) {
4695
+ const db = await resolveClient(client);
4696
+ const occurredAt = row.timestamp;
4697
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
4698
+ const eventType = inferOntologyEventType(row);
4699
+ const intention = inferIntention(row);
4700
+ const outcome = inferOutcome(row);
4701
+ const eventId = stableId2("event", row.id);
4702
+ const now = (/* @__PURE__ */ new Date()).toISOString();
4703
+ await db.execute({
4704
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
4705
+ VALUES (?, ?, ?, ?, ?, 1, ?)
4706
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
4707
+ event_count = event_count + 1`,
4708
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
4709
+ });
4710
+ await db.execute({
4711
+ sql: `INSERT OR IGNORE INTO agent_events
4712
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
4713
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
4714
+ impact, payload, created_at)
4715
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
4716
+ args: [
4717
+ eventId,
4718
+ eventType,
4719
+ occurredAt,
4720
+ sequence,
4721
+ row.agent_id,
4722
+ row.agent_role,
4723
+ row.project_name,
4724
+ row.session_id,
4725
+ row.task_id ?? null,
4726
+ intention,
4727
+ outcome,
4728
+ row.id,
4729
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
4730
+ JSON.stringify(ontologyPayload(row)),
4731
+ now
4732
+ ]
4733
+ });
4734
+ const semantic = inferSemanticLabel(row);
4735
+ await db.execute({
4736
+ sql: `INSERT INTO agent_semantic_labels
4737
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
4738
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
4739
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
4740
+ labels = excluded.labels, updated_at = excluded.updated_at`,
4741
+ args: [
4742
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
4743
+ row.id,
4744
+ eventId,
4745
+ semantic.labeler,
4746
+ semantic.schemaVersion,
4747
+ semantic.confidence,
4748
+ JSON.stringify(semantic),
4749
+ now,
4750
+ now
4751
+ ]
4752
+ });
4753
+ for (const statement of extractGoalCandidates(row)) {
4754
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
4755
+ await db.execute({
4756
+ sql: `INSERT INTO agent_goals
4757
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
4758
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
4759
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
4760
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
4761
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
4762
+ });
4763
+ await db.execute({
4764
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4765
+ (id, goal_id, link_type, target_id, target_type, created_at)
4766
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
4767
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
4768
+ });
4769
+ await db.execute({
4770
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4771
+ (id, goal_id, link_type, target_id, target_type, created_at)
4772
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
4773
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
4774
+ });
4775
+ }
4776
+ }
4777
+ async function insertOntologyForBatch(rows, client) {
4778
+ const db = await resolveClient(client);
4779
+ let count = 0;
4780
+ for (const row of rows) {
4781
+ try {
4782
+ await insertOntologyForMemory(row, db);
4783
+ count++;
4784
+ } catch {
4785
+ }
4786
+ }
4787
+ return count;
4788
+ }
4789
+ var init_agentic_ontology = __esm({
4790
+ "src/lib/agentic-ontology.ts"() {
4791
+ "use strict";
4792
+ }
4793
+ });
4794
+
4282
4795
  // src/lib/store.ts
4283
4796
  var store_exports = {};
4284
4797
  __export(store_exports, {
@@ -4622,6 +5135,11 @@ async function flushBatch() {
4622
5135
  await insertMemoryCardsForBatch2(batch);
4623
5136
  } catch {
4624
5137
  }
5138
+ try {
5139
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
5140
+ await insertOntologyForBatch2(batch);
5141
+ } catch {
5142
+ }
4625
5143
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
4626
5144
  _pendingRecords.splice(0, batch.length);
4627
5145
  try {
@@ -4970,7 +5488,7 @@ import {
4970
5488
  existsSync as existsSync8,
4971
5489
  mkdirSync as mkdirSync3,
4972
5490
  readdirSync as readdirSync2,
4973
- statSync as statSync3,
5491
+ statSync as statSync4,
4974
5492
  unlinkSync as unlinkSync3,
4975
5493
  writeFileSync as writeFileSync3
4976
5494
  } from "fs";
@@ -5042,7 +5560,7 @@ function sweepStaleBehaviorExports(now = Date.now()) {
5042
5560
  for (const entry of entries) {
5043
5561
  const filePath = path8.join(BEHAVIORS_EXPORT_DIR, entry);
5044
5562
  try {
5045
- const stat = statSync3(filePath);
5563
+ const stat = statSync4(filePath);
5046
5564
  if (now - stat.mtimeMs > STALE_EXPORT_AGE_MS) {
5047
5565
  unlinkSync3(filePath);
5048
5566
  }