@askexenow/exe-os 0.9.65 → 0.9.67

Files changed (113) hide show
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
@@ -189,6 +189,11 @@ function normalizeAutoUpdate(raw) {
189
189
  const userAU = raw.autoUpdate ?? {};
190
190
  raw.autoUpdate = { ...defaultAU, ...userAU };
191
191
  }
192
+ function normalizeOrchestration(raw) {
193
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
194
+ const userOrg = raw.orchestration ?? {};
195
+ raw.orchestration = { ...defaultOrg, ...userOrg };
196
+ }
192
197
  async function loadConfig() {
193
198
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
194
199
  await ensurePrivateDir(dir);
@@ -213,10 +218,15 @@ async function loadConfig() {
213
218
  normalizeScalingRoadmap(migratedCfg);
214
219
  normalizeSessionLifecycle(migratedCfg);
215
220
  normalizeAutoUpdate(migratedCfg);
221
+ normalizeOrchestration(migratedCfg);
216
222
  const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
217
223
  if (config.dbPath.startsWith("~")) {
218
224
  config.dbPath = config.dbPath.replace(/^~/, os.homedir());
219
225
  }
226
+ const envDbPath = path.join(dir, "memories.db");
227
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
228
+ config.dbPath = envDbPath;
229
+ }
220
230
  return config;
221
231
  } catch {
222
232
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
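Review bot: The new `envDbPath` fallback replaces a configured `dbPath` without leaving any trace. It fires whenever `EXE_OS_DIR` is set, the configured file is missing and `memories.db` exists in that directory, so a temporarily unavailable path (an unmounted volume, a different home directory) makes the process open a different database and later writes land there. I would report the switch inside the `if`, for example `process.stderr.write("[config] configured dbPath not found; using memories.db under EXE_OS_DIR\n");`. `loadConfig` starts and ends outside this hunk, so whether a caller already logs the effective path cannot be seen here.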
@@ -288,6 +298,10 @@ var init_config = __esm({
288
298
  checkOnBoot: true,
289
299
  autoInstall: false,
290
300
  checkIntervalMs: 24 * 60 * 60 * 1e3
301
+ },
302
+ orchestration: {
303
+ phase: "phase_1_coo",
304
+ phaseSetBy: "default"
291
305
  }
292
306
  };
293
307
  CONFIG_MIGRATIONS = [
@@ -1744,6 +1758,9 @@ function getClient() {
1744
1758
  if (_daemonClient && _daemonClient._isDaemonActive()) {
1745
1759
  return _daemonClient;
1746
1760
  }
1761
+ if (!_resilientClient) {
1762
+ return _adapterClient;
1763
+ }
1747
1764
  return _resilientClient;
1748
1765
  }
1749
1766
  async function initDaemonClient() {
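Review bot: The added fallback returns `_adapterClient` without checking that it is set. Neither client's assignment is visible in this hunk, so if `getClient()` runs before initialisation the caller presumably gets an empty value and fails later, at its first query, with an unrelated TypeError. Provided no caller relies on an empty return, failing at the source is clearer: `if (!_adapterClient) throw new Error("database client not initialised");` ahead of `return _adapterClient;`. A one-line comment stating that this path deliberately bypasses the resilient wrapper would also help. `getClient` starts outside the hunk.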
@@ -2776,6 +2793,127 @@ async function ensureSchema() {
2776
2793
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
2777
2794
  END;
2778
2795
  `);
2796
+ await client.executeMultiple(`
2797
+ CREATE TABLE IF NOT EXISTS agent_sessions (
2798
+ id TEXT PRIMARY KEY,
2799
+ agent_id TEXT NOT NULL,
2800
+ project_name TEXT,
2801
+ started_at TEXT NOT NULL,
2802
+ last_event_at TEXT NOT NULL,
2803
+ event_count INTEGER NOT NULL DEFAULT 0,
2804
+ properties TEXT DEFAULT '{}'
2805
+ );
2806
+
2807
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
2808
+ ON agent_sessions(agent_id, started_at);
2809
+
2810
+ CREATE TABLE IF NOT EXISTS agent_goals (
2811
+ id TEXT PRIMARY KEY,
2812
+ statement TEXT NOT NULL,
2813
+ owner_agent_id TEXT,
2814
+ project_name TEXT,
2815
+ status TEXT NOT NULL DEFAULT 'open',
2816
+ priority INTEGER NOT NULL DEFAULT 5,
2817
+ success_criteria TEXT,
2818
+ parent_goal_id TEXT,
2819
+ due_at TEXT,
2820
+ achieved_at TEXT,
2821
+ supersedes_id TEXT,
2822
+ created_at TEXT NOT NULL,
2823
+ updated_at TEXT NOT NULL,
2824
+ source_memory_id TEXT
2825
+ );
2826
+
2827
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
2828
+ ON agent_goals(project_name, status, priority);
2829
+
2830
+ CREATE TABLE IF NOT EXISTS agent_events (
2831
+ id TEXT PRIMARY KEY,
2832
+ event_type TEXT NOT NULL,
2833
+ occurred_at TEXT NOT NULL,
2834
+ sequence_index INTEGER NOT NULL,
2835
+ actor_agent_id TEXT,
2836
+ agent_role TEXT,
2837
+ project_name TEXT,
2838
+ session_id TEXT,
2839
+ task_id TEXT,
2840
+ goal_id TEXT,
2841
+ parent_event_id TEXT,
2842
+ intention TEXT,
2843
+ outcome TEXT,
2844
+ evidence_memory_id TEXT,
2845
+ impact TEXT,
2846
+ payload TEXT DEFAULT '{}',
2847
+ created_at TEXT NOT NULL
2848
+ );
2849
+
2850
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
2851
+ ON agent_events(occurred_at, sequence_index);
2852
+
2853
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
2854
+ ON agent_events(session_id, sequence_index);
2855
+
2856
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
2857
+ ON agent_events(goal_id, occurred_at);
2858
+
2859
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
2860
+ ON agent_events(evidence_memory_id);
2861
+
2862
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
2863
+ id TEXT PRIMARY KEY,
2864
+ goal_id TEXT NOT NULL,
2865
+ link_type TEXT NOT NULL,
2866
+ target_id TEXT NOT NULL,
2867
+ target_type TEXT NOT NULL,
2868
+ created_at TEXT NOT NULL
2869
+ );
2870
+
2871
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
2872
+ ON agent_goal_links(goal_id, target_type);
2873
+
2874
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
2875
+ id TEXT PRIMARY KEY,
2876
+ source_memory_id TEXT NOT NULL,
2877
+ event_id TEXT,
2878
+ labeler TEXT NOT NULL,
2879
+ schema_version INTEGER NOT NULL DEFAULT 1,
2880
+ confidence REAL NOT NULL DEFAULT 0,
2881
+ labels TEXT NOT NULL,
2882
+ created_at TEXT NOT NULL,
2883
+ updated_at TEXT NOT NULL
2884
+ );
2885
+
2886
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
2887
+ ON agent_semantic_labels(source_memory_id, labeler);
2888
+
2889
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
2890
+ ON agent_semantic_labels(event_id);
2891
+
2892
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
2893
+ id TEXT PRIMARY KEY,
2894
+ project_name TEXT,
2895
+ session_id TEXT,
2896
+ window_start_at TEXT NOT NULL,
2897
+ window_end_at TEXT NOT NULL,
2898
+ event_count INTEGER NOT NULL DEFAULT 0,
2899
+ goal_count INTEGER NOT NULL DEFAULT 0,
2900
+ success_count INTEGER NOT NULL DEFAULT 0,
2901
+ failure_count INTEGER NOT NULL DEFAULT 0,
2902
+ risk_count INTEGER NOT NULL DEFAULT 0,
2903
+ summary TEXT NOT NULL,
2904
+ learnings TEXT NOT NULL DEFAULT '[]',
2905
+ next_actions TEXT NOT NULL DEFAULT '[]',
2906
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
2907
+ confidence REAL NOT NULL DEFAULT 0,
2908
+ created_at TEXT NOT NULL
2909
+ );
2910
+
2911
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
2912
+ ON agent_reflection_checkpoints(project_name, window_end_at);
2913
+
2914
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
2915
+ ON agent_reflection_checkpoints(session_id, window_end_at);
2916
+ `);
2779
2917
  try {
2780
2918
  await client.execute({
2781
2919
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
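Review bot: Every `*_at` column in the new tables is plain `TEXT` with no stated format, but the ordering logic depends on one. The indexes on `occurred_at` and `window_end_at`, and the `MAX(last_event_at, excluded.last_event_at)` upsert further down this page, only order correctly if every writer stores the same fixed-width ISO-8601 UTC form. `insertOntologyForMemory` writes `row.timestamp` into `started_at` and `occurred_at` unchanged, so that is an assumption about the caller rather than something the schema guarantees. I would record it in the DDL with a SQL comment such as `-- *_at columns: ISO-8601 UTC strings as produced by Date.toISOString(); ordering depends on it`. `ensureSchema` starts and ends outside this hunk.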
@@ -3352,7 +3490,7 @@ var init_task_scope = __esm({
3352
3490
 
3353
3491
  // src/lib/keychain.ts
3354
3492
  import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
3355
- import { existsSync as existsSync12 } from "fs";
3493
+ import { existsSync as existsSync12, statSync as statSync2 } from "fs";
3356
3494
  import { execSync as execSync4 } from "child_process";
3357
3495
  import path13 from "path";
3358
3496
  import os10 from "os";
@@ -3362,29 +3500,78 @@ function getKeyDir() {
3362
3500
  function getKeyPath() {
3363
3501
  return path13.join(getKeyDir(), "master.key");
3364
3502
  }
3365
- function macKeychainGet() {
3503
+ function nativeKeychainAllowed() {
3504
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
3505
+ }
3506
+ function linuxSecretAvailable() {
3507
+ if (!nativeKeychainAllowed()) return false;
3508
+ if (process.platform !== "linux") return false;
3509
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
3510
+ try {
3511
+ execSync4("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
3512
+ } catch {
3513
+ linuxSecretAvailability = false;
3514
+ return false;
3515
+ }
3516
+ try {
3517
+ execSync4("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
3518
+ linuxSecretAvailability = true;
3519
+ } catch {
3520
+ linuxSecretAvailability = false;
3521
+ }
3522
+ return linuxSecretAvailability;
3523
+ }
3524
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
3525
+ if (process.platform !== "linux") return false;
3526
+ try {
3527
+ const uid = typeof os10.userInfo().uid === "number" ? os10.userInfo().uid : -1;
3528
+ const st = statSync2(keyPath);
3529
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
3530
+ if (uid === 0) return true;
3531
+ const exeOsDir = process.env.EXE_OS_DIR;
3532
+ return Boolean(exeOsDir && path13.resolve(keyPath).startsWith(path13.resolve(exeOsDir) + path13.sep));
3533
+ } catch {
3534
+ return false;
3535
+ }
3536
+ }
3537
+ function macKeychainGet(service = SERVICE) {
3538
+ if (!nativeKeychainAllowed()) return null;
3366
3539
  if (process.platform !== "darwin") return null;
3367
3540
  try {
3368
3541
  return execSync4(
3369
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
3542
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
3370
3543
  { encoding: "utf-8", timeout: 5e3 }
3371
3544
  ).trim();
3372
3545
  } catch {
3373
3546
  return null;
3374
3547
  }
3375
3548
  }
3376
- function macKeychainSet(value) {
3549
+ function macKeychainSet(value, service = SERVICE) {
3550
+ if (!nativeKeychainAllowed()) return false;
3377
3551
  if (process.platform !== "darwin") return false;
3378
3552
  try {
3379
3553
  try {
3380
3554
  execSync4(
3381
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
3555
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3382
3556
  { timeout: 5e3 }
3383
3557
  );
3384
3558
  } catch {
3385
3559
  }
3386
3560
  execSync4(
3387
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
3561
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
3562
+ { timeout: 5e3 }
3563
+ );
3564
+ return true;
3565
+ } catch {
3566
+ return false;
3567
+ }
3568
+ }
3569
+ function macKeychainDelete(service = SERVICE) {
3570
+ if (!nativeKeychainAllowed()) return false;
3571
+ if (process.platform !== "darwin") return false;
3572
+ try {
3573
+ execSync4(
3574
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3388
3575
  { timeout: 5e3 }
3389
3576
  );
3390
3577
  return true;
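Review bot: `isRootOnlyTrustedServerKeyFile` never compares the key file's owner with the running user. For a non-root process it returns true for any regular file with no group/other permission bits (`st.mode & 63`, i.e. 0o077) whose resolved path lies under `EXE_OS_DIR`, so despite its name it trusts a plaintext key in an environment-chosen directory regardless of who owns it. Add `if (st.uid !== uid) return false;` after the mode check. `statSync2` also follows symlinks while `path13.resolve` does not, so the prefix test applies to the link's location rather than its target. This result gates the plaintext-key early return added to `getMasterKey` further down the page, which skips the keychain migration.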
@@ -3392,22 +3579,35 @@ function macKeychainSet(value) {
3392
3579
  return false;
3393
3580
  }
3394
3581
  }
3395
- function linuxSecretGet() {
3396
- if (process.platform !== "linux") return null;
3582
+ function linuxSecretGet(service = SERVICE) {
3583
+ if (!linuxSecretAvailable()) return null;
3397
3584
  try {
3398
3585
  return execSync4(
3399
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
3586
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3400
3587
  { encoding: "utf-8", timeout: 5e3 }
3401
3588
  ).trim();
3402
3589
  } catch {
3403
3590
  return null;
3404
3591
  }
3405
3592
  }
3406
- function linuxSecretSet(value) {
3593
+ function linuxSecretSet(value, service = SERVICE) {
3594
+ if (!linuxSecretAvailable()) return false;
3595
+ try {
3596
+ execSync4(
3597
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3598
+ { timeout: 5e3 }
3599
+ );
3600
+ return true;
3601
+ } catch {
3602
+ return false;
3603
+ }
3604
+ }
3605
+ function linuxSecretDelete(service = SERVICE) {
3606
+ if (!nativeKeychainAllowed()) return false;
3407
3607
  if (process.platform !== "linux") return false;
3408
3608
  try {
3409
3609
  execSync4(
3410
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
3610
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3411
3611
  { timeout: 5e3 }
3412
3612
  );
3413
3613
  return true;
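Review bot: `linuxSecretSet` puts the master key inside the command string (`echo -n "${value}" | …`), and `execSync4` runs that string through a shell. The key is therefore part of that shell's argument list for the duration of the call, readable by other local users on systems where process arguments are not hidden. `secret-tool store` reads the secret from stdin, so it can be passed through the `input` option instead: `execSync4(`secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`, { input: value, timeout: 5e3 })`. `macKeychainSet` in the previous hunk has the same exposure through `-w "${value}"`. The new `service` parameter is also interpolated unescaped; the callers visible on this page pass only constants, so a comment stating that it must never carry external input would be enough.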
@@ -3416,6 +3616,7 @@ function linuxSecretSet(value) {
3416
3616
  }
3417
3617
  }
3418
3618
  async function tryKeytar() {
3619
+ if (!nativeKeychainAllowed()) return null;
3419
3620
  try {
3420
3621
  return await import("keytar");
3421
3622
  } catch {
@@ -3489,7 +3690,19 @@ async function writeMachineBoundFileFallback(b64) {
3489
3690
  return "plaintext";
3490
3691
  }
3491
3692
  async function getMasterKey() {
3492
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
3693
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
3694
+ if (!nativeValue) {
3695
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
3696
+ if (legacyValue) {
3697
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
3698
+ if (migrated) {
3699
+ macKeychainDelete(LEGACY_SERVICE);
3700
+ linuxSecretDelete(LEGACY_SERVICE);
3701
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
3702
+ }
3703
+ nativeValue = legacyValue;
3704
+ }
3705
+ }
3493
3706
  if (nativeValue) {
3494
3707
  return Buffer.from(nativeValue, "base64");
3495
3708
  }
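Review bot: The legacy keychain entry is deleted as soon as `macKeychainSet`/`linuxSecretSet` report success, which only means the store command exited zero. Nothing reads the new `exe-os` entry back before the only other copy of the master key is removed. I would gate the two deletes on a read-back: `if (migrated && (macKeychainGet() ?? linuxSecretGet()) === legacyValue) {`. The keytar branch in the next hunk deletes its legacy entry on the same unverified `migrated` flag, and its empty `catch` also hides a failed delete. `getMasterKey` continues outside this hunk.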
@@ -3497,12 +3710,17 @@ async function getMasterKey() {
3497
3710
  if (keytar) {
3498
3711
  try {
3499
3712
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
3500
- if (keytarValue) {
3501
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
3713
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
3714
+ if (legacyKeytarValue) {
3715
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
3502
3716
  if (migrated) {
3503
3717
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
3718
+ try {
3719
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
3720
+ } catch {
3721
+ }
3504
3722
  }
3505
- return Buffer.from(keytarValue, "base64");
3723
+ return Buffer.from(legacyKeytarValue, "base64");
3506
3724
  }
3507
3725
  } catch {
3508
3726
  }
@@ -3527,7 +3745,7 @@ async function getMasterKey() {
3527
3745
  const decrypted = decryptWithMachineKey(content, machineKey);
3528
3746
  if (!decrypted) {
3529
3747
  process.stderr.write(
3530
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
3748
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
3531
3749
  );
3532
3750
  return null;
3533
3751
  }
@@ -3536,6 +3754,9 @@ async function getMasterKey() {
3536
3754
  b64Value = content;
3537
3755
  }
3538
3756
  const key = Buffer.from(b64Value, "base64");
3757
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
3758
+ return key;
3759
+ }
3539
3760
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
3540
3761
  if (migrated) {
3541
3762
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -3563,12 +3784,14 @@ async function getMasterKey() {
3563
3784
  return null;
3564
3785
  }
3565
3786
  }
3566
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
3787
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
3567
3788
  var init_keychain = __esm({
3568
3789
  "src/lib/keychain.ts"() {
3569
3790
  "use strict";
3570
- SERVICE = "exe-mem";
3791
+ SERVICE = "exe-os";
3792
+ LEGACY_SERVICE = "exe-mem";
3571
3793
  ACCOUNT = "master-key";
3794
+ linuxSecretAvailability = null;
3572
3795
  ENCRYPTED_PREFIX = "enc:";
3573
3796
  }
3574
3797
  });
@@ -3838,7 +4061,7 @@ __export(shard_manager_exports, {
3838
4061
  shardExists: () => shardExists
3839
4062
  });
3840
4063
  import path14 from "path";
3841
- import { existsSync as existsSync13, mkdirSync as mkdirSync6, readdirSync as readdirSync2, renameSync as renameSync4, statSync as statSync2 } from "fs";
4064
+ import { existsSync as existsSync13, mkdirSync as mkdirSync6, readdirSync as readdirSync2, renameSync as renameSync4, statSync as statSync3 } from "fs";
3842
4065
  import { createClient as createClient2 } from "@libsql/client";
3843
4066
  function initShardManager(encryptionKey) {
3844
4067
  _encryptionKey = encryptionKey;
@@ -3902,7 +4125,7 @@ async function auditShardHealth(options = {}) {
3902
4125
  const shards = [];
3903
4126
  for (const name of names) {
3904
4127
  const dbPath = path14.join(SHARDS_DIR, `${name}.db`);
3905
- const stat = statSync2(dbPath);
4128
+ const stat = statSync3(dbPath);
3906
4129
  const item = {
3907
4130
  name,
3908
4131
  path: dbPath,
@@ -4155,7 +4378,7 @@ async function getReadyShardClient(projectName) {
4155
4378
  _shardLastAccess.delete(safeName);
4156
4379
  const dbPath = path14.join(SHARDS_DIR, `${safeName}.db`);
4157
4380
  if (existsSync13(dbPath)) {
4158
- const stat = statSync2(dbPath);
4381
+ const stat = statSync3(dbPath);
4159
4382
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
4160
4383
  const archivedPath = path14.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
4161
4384
  renameSync4(dbPath, archivedPath);
@@ -4275,6 +4498,12 @@ var init_platform_procedures = __esm({
4275
4498
  priority: "p0",
4276
4499
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
4277
4500
  },
4501
+ {
4502
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
4503
+ domain: "workflow",
4504
+ priority: "p1",
4505
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
4506
+ },
4278
4507
  {
4279
4508
  title: "Single dispatch path \u2014 create_task only",
4280
4509
  domain: "workflow",
@@ -4333,6 +4562,12 @@ var init_platform_procedures = __esm({
4333
4562
  priority: "p0",
4334
4563
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
4335
4564
  },
4565
+ {
4566
+ title: "Commit discipline \u2014 never leave verified work floating",
4567
+ domain: "workflow",
4568
+ priority: "p1",
4569
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
4570
+ },
4336
4571
  {
4337
4572
  title: "Desktop and TUI are the same product",
4338
4573
  domain: "architecture",
@@ -4650,6 +4885,274 @@ var init_memory_cards = __esm({
4650
4885
  }
4651
4886
  });
4652
4887
 
4888
+ // src/lib/agentic-ontology.ts
4889
+ var agentic_ontology_exports = {};
4890
+ __export(agentic_ontology_exports, {
4891
+ clean: () => clean,
4892
+ extractGoalCandidates: () => extractGoalCandidates,
4893
+ inferIntention: () => inferIntention,
4894
+ inferOntologyEventType: () => inferOntologyEventType,
4895
+ inferOutcome: () => inferOutcome,
4896
+ inferSemanticLabel: () => inferSemanticLabel,
4897
+ insertOntologyForBatch: () => insertOntologyForBatch,
4898
+ insertOntologyForMemory: () => insertOntologyForMemory,
4899
+ ontologyPayload: () => ontologyPayload,
4900
+ stableId: () => stableId2
4901
+ });
4902
+ import { createHash as createHash3 } from "crypto";
4903
+ function stableId2(...parts) {
4904
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
4905
+ }
4906
+ function clean(text, max = 240) {
4907
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
4908
+ }
4909
+ function inferOntologyEventType(row) {
4910
+ const lower = row.raw_text.toLowerCase();
4911
+ if (row.has_error) return "error";
4912
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
4913
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
4914
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
4915
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
4916
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
4917
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
4918
+ return "memory_observation";
4919
+ }
4920
+ function inferIntention(row) {
4921
+ if (row.intent) return clean(row.intent, 220);
4922
+ const text = clean(row.raw_text, 1e3);
4923
+ const patterns = [
4924
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
4925
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
4926
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
4927
+ ];
4928
+ for (const p of patterns) {
4929
+ const m = text.match(p);
4930
+ if (m?.[1]) return clean(m[1], 220);
4931
+ }
4932
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
4933
+ return `${row.tool_name} during ${row.project_name}`;
4934
+ }
4935
+ return null;
4936
+ }
4937
+ function inferOutcome(row) {
4938
+ if (row.outcome) return clean(row.outcome, 220);
4939
+ if (row.has_error) return "error";
4940
+ const lower = row.raw_text.toLowerCase();
4941
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
4942
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
4943
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
4944
+ return null;
4945
+ }
4946
+ function extractGoalCandidates(row) {
4947
+ const text = clean(row.raw_text, 1600);
4948
+ const patterns = [
4949
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
4950
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
4951
+ ];
4952
+ const out = [];
4953
+ for (const pattern of patterns) {
4954
+ for (const m of text.matchAll(pattern)) {
4955
+ const candidate = clean(m[1] ?? "", 220);
4956
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
4957
+ if (out.length >= 3) return out;
4958
+ }
4959
+ }
4960
+ return out;
4961
+ }
4962
+ function uniq(values, max = 6) {
4963
+ const out = [];
4964
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
4965
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
4966
+ if (out.length >= max) break;
4967
+ }
4968
+ return out;
4969
+ }
4970
+ function extractMatches(text, patterns, max = 5) {
4971
+ const out = [];
4972
+ for (const pattern of patterns) {
4973
+ for (const match of text.matchAll(pattern)) {
4974
+ const value = match[1] ?? match[0];
4975
+ if (value) out.push(value);
4976
+ if (out.length >= max) return uniq(out, max);
4977
+ }
4978
+ }
4979
+ return uniq(out, max);
4980
+ }
4981
+ function inferSemanticLabel(row) {
4982
+ const text = clean(row.raw_text, 2400);
4983
+ const eventType = inferOntologyEventType(row);
4984
+ const intention = inferIntention(row);
4985
+ const outcome = inferOutcome(row);
4986
+ const goals = extractGoalCandidates(row);
4987
+ const milestones = extractMatches(text, [
4988
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
4989
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
4990
+ ]);
4991
+ const problems = extractMatches(text, [
4992
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
4993
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
4994
+ ]);
4995
+ const decisions = extractMatches(text, [
4996
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
4997
+ ]);
4998
+ const temporalAnchors = extractMatches(text, [
4999
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
5000
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
5001
+ ], 8);
5002
+ const nextActions = extractMatches(text, [
5003
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
5004
+ ]);
5005
+ const actors = uniq([
5006
+ row.agent_id,
5007
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
5008
+ ], 6);
5009
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
5010
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
5011
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
5012
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
5013
+ return {
5014
+ labeler: "deterministic",
5015
+ schemaVersion: 1,
5016
+ eventType,
5017
+ intention,
5018
+ outcome,
5019
+ impact,
5020
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
5021
+ goals,
5022
+ milestones,
5023
+ problems,
5024
+ decisions,
5025
+ actors,
5026
+ temporalAnchors,
5027
+ successSignals,
5028
+ failureSignals,
5029
+ nextActions,
5030
+ summary: clean(text, 280)
5031
+ };
5032
+ }
5033
+ function ontologyPayload(row) {
5034
+ const semantic = inferSemanticLabel(row);
5035
+ return {
5036
+ tool_name: row.tool_name,
5037
+ memory_version: row.version ?? null,
5038
+ domain: row.domain ?? null,
5039
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
5040
+ semantic
5041
+ };
5042
+ }
5043
+ function safeJson(value) {
5044
+ try {
5045
+ return JSON.parse(value);
5046
+ } catch {
5047
+ return value.slice(0, 1e3);
5048
+ }
5049
+ }
5050
+ async function resolveClient(client) {
5051
+ if (client) return client;
5052
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
5053
+ return getClient2();
5054
+ }
5055
+ async function insertOntologyForMemory(row, client) {
5056
+ const db = await resolveClient(client);
5057
+ const occurredAt = row.timestamp;
5058
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
5059
+ const eventType = inferOntologyEventType(row);
5060
+ const intention = inferIntention(row);
5061
+ const outcome = inferOutcome(row);
5062
+ const eventId = stableId2("event", row.id);
5063
+ const now = (/* @__PURE__ */ new Date()).toISOString();
5064
+ await db.execute({
5065
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
5066
+ VALUES (?, ?, ?, ?, ?, 1, ?)
5067
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
5068
+ event_count = event_count + 1`,
5069
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
5070
+ });
5071
+ await db.execute({
5072
+ sql: `INSERT OR IGNORE INTO agent_events
5073
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
5074
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
5075
+ impact, payload, created_at)
5076
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
5077
+ args: [
5078
+ eventId,
5079
+ eventType,
5080
+ occurredAt,
5081
+ sequence,
5082
+ row.agent_id,
5083
+ row.agent_role,
5084
+ row.project_name,
5085
+ row.session_id,
5086
+ row.task_id ?? null,
5087
+ intention,
5088
+ outcome,
5089
+ row.id,
5090
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
5091
+ JSON.stringify(ontologyPayload(row)),
5092
+ now
5093
+ ]
5094
+ });
5095
+ const semantic = inferSemanticLabel(row);
5096
+ await db.execute({
5097
+ sql: `INSERT INTO agent_semantic_labels
5098
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
5099
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
5100
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
5101
+ labels = excluded.labels, updated_at = excluded.updated_at`,
5102
+ args: [
5103
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
5104
+ row.id,
5105
+ eventId,
5106
+ semantic.labeler,
5107
+ semantic.schemaVersion,
5108
+ semantic.confidence,
5109
+ JSON.stringify(semantic),
5110
+ now,
5111
+ now
5112
+ ]
5113
+ });
5114
+ for (const statement of extractGoalCandidates(row)) {
5115
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
5116
+ await db.execute({
5117
+ sql: `INSERT INTO agent_goals
5118
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
5119
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
5120
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
5121
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
5122
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
5123
+ });
5124
+ await db.execute({
5125
+ sql: `INSERT OR IGNORE INTO agent_goal_links
5126
+ (id, goal_id, link_type, target_id, target_type, created_at)
5127
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
5128
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
5129
+ });
5130
+ await db.execute({
5131
+ sql: `INSERT OR IGNORE INTO agent_goal_links
5132
+ (id, goal_id, link_type, target_id, target_type, created_at)
5133
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
5134
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
5135
+ });
5136
+ }
5137
+ }
5138
+ async function insertOntologyForBatch(rows, client) {
5139
+ const db = await resolveClient(client);
5140
+ let count = 0;
5141
+ for (const row of rows) {
5142
+ try {
5143
+ await insertOntologyForMemory(row, db);
5144
+ count++;
5145
+ } catch {
5146
+ }
5147
+ }
5148
+ return count;
5149
+ }
5150
+ var init_agentic_ontology = __esm({
5151
+ "src/lib/agentic-ontology.ts"() {
5152
+ "use strict";
5153
+ }
5154
+ });
5155
+
4653
5156
  // src/lib/store.ts
4654
5157
  var store_exports = {};
4655
5158
  __export(store_exports, {
@@ -4993,6 +5496,11 @@ async function flushBatch() {
4993
5496
  await insertMemoryCardsForBatch2(batch);
4994
5497
  } catch {
4995
5498
  }
5499
+ try {
5500
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
5501
+ await insertOntologyForBatch2(batch);
5502
+ } catch {
5503
+ }
4996
5504
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
4997
5505
  _pendingRecords.splice(0, batch.length);
4998
5506
  try {
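Review bot: The added `catch {}` around `insertOntologyForBatch2(batch)` (new lines 5502–5503) discards every failure, and the callee shown above (`insertOntologyForBatch`) already swallows per-row errors in its own empty `catch`, so a missing table or a rejected write to the ontology tables leaves no trace at either level. Keeping the write best-effort is reasonable, but record the failure, for example `} catch (err) { console.warn("ontology batch insert failed:", err?.message ?? err); }`, or the equivalent call on whatever logger this file already uses. This matters more because `insertOntologyForMemory` issues several separate `db.execute` calls with no transaction visible, so an error midway through a row can leave `agent_sessions.event_count` incremented without a matching `agent_events` row, and nothing reports it. `flushBatch` begins and continues outside this hunk, so its existing error handling could not be checked.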