@askexenow/exe-os 0.9.65 → 0.9.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
@@ -190,6 +190,11 @@ function normalizeAutoUpdate(raw) {
190
190
  const userAU = raw.autoUpdate ?? {};
191
191
  raw.autoUpdate = { ...defaultAU, ...userAU };
192
192
  }
193
+ function normalizeOrchestration(raw) {
194
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
195
+ const userOrg = raw.orchestration ?? {};
196
+ raw.orchestration = { ...defaultOrg, ...userOrg };
197
+ }
193
198
  async function loadConfig() {
194
199
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
195
200
  await ensurePrivateDir(dir);
@@ -214,10 +219,15 @@ async function loadConfig() {
214
219
  normalizeScalingRoadmap(migratedCfg);
215
220
  normalizeSessionLifecycle(migratedCfg);
216
221
  normalizeAutoUpdate(migratedCfg);
222
+ normalizeOrchestration(migratedCfg);
217
223
  const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
218
224
  if (config.dbPath.startsWith("~")) {
219
225
  config.dbPath = config.dbPath.replace(/^~/, os.homedir());
220
226
  }
227
+ const envDbPath = path.join(dir, "memories.db");
228
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
229
+ config.dbPath = envDbPath;
230
+ }
221
231
  return config;
222
232
  } catch {
223
233
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
@@ -289,6 +299,10 @@ var init_config = __esm({
289
299
  checkOnBoot: true,
290
300
  autoInstall: false,
291
301
  checkIntervalMs: 24 * 60 * 60 * 1e3
302
+ },
303
+ orchestration: {
304
+ phase: "phase_1_coo",
305
+ phaseSetBy: "default"
292
306
  }
293
307
  };
294
308
  CONFIG_MIGRATIONS = [
@@ -1745,6 +1759,9 @@ function getClient() {
1745
1759
  if (_daemonClient && _daemonClient._isDaemonActive()) {
1746
1760
  return _daemonClient;
1747
1761
  }
1762
+ if (!_resilientClient) {
1763
+ return _adapterClient;
1764
+ }
1748
1765
  return _resilientClient;
1749
1766
  }
1750
1767
  async function initDaemonClient() {
@@ -2777,6 +2794,127 @@ async function ensureSchema() {
2777
2794
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
2778
2795
  END;
2779
2796
  `);
2797
+ await client.executeMultiple(`
2798
+ CREATE TABLE IF NOT EXISTS agent_sessions (
2799
+ id TEXT PRIMARY KEY,
2800
+ agent_id TEXT NOT NULL,
2801
+ project_name TEXT,
2802
+ started_at TEXT NOT NULL,
2803
+ last_event_at TEXT NOT NULL,
2804
+ event_count INTEGER NOT NULL DEFAULT 0,
2805
+ properties TEXT DEFAULT '{}'
2806
+ );
2807
+
2808
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
2809
+ ON agent_sessions(agent_id, started_at);
2810
+
2811
+ CREATE TABLE IF NOT EXISTS agent_goals (
2812
+ id TEXT PRIMARY KEY,
2813
+ statement TEXT NOT NULL,
2814
+ owner_agent_id TEXT,
2815
+ project_name TEXT,
2816
+ status TEXT NOT NULL DEFAULT 'open',
2817
+ priority INTEGER NOT NULL DEFAULT 5,
2818
+ success_criteria TEXT,
2819
+ parent_goal_id TEXT,
2820
+ due_at TEXT,
2821
+ achieved_at TEXT,
2822
+ supersedes_id TEXT,
2823
+ created_at TEXT NOT NULL,
2824
+ updated_at TEXT NOT NULL,
2825
+ source_memory_id TEXT
2826
+ );
2827
+
2828
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
2829
+ ON agent_goals(project_name, status, priority);
2830
+
2831
+ CREATE TABLE IF NOT EXISTS agent_events (
2832
+ id TEXT PRIMARY KEY,
2833
+ event_type TEXT NOT NULL,
2834
+ occurred_at TEXT NOT NULL,
2835
+ sequence_index INTEGER NOT NULL,
2836
+ actor_agent_id TEXT,
2837
+ agent_role TEXT,
2838
+ project_name TEXT,
2839
+ session_id TEXT,
2840
+ task_id TEXT,
2841
+ goal_id TEXT,
2842
+ parent_event_id TEXT,
2843
+ intention TEXT,
2844
+ outcome TEXT,
2845
+ evidence_memory_id TEXT,
2846
+ impact TEXT,
2847
+ payload TEXT DEFAULT '{}',
2848
+ created_at TEXT NOT NULL
2849
+ );
2850
+
2851
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
2852
+ ON agent_events(occurred_at, sequence_index);
2853
+
2854
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
2855
+ ON agent_events(session_id, sequence_index);
2856
+
2857
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
2858
+ ON agent_events(goal_id, occurred_at);
2859
+
2860
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
2861
+ ON agent_events(evidence_memory_id);
2862
+
2863
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
2864
+ id TEXT PRIMARY KEY,
2865
+ goal_id TEXT NOT NULL,
2866
+ link_type TEXT NOT NULL,
2867
+ target_id TEXT NOT NULL,
2868
+ target_type TEXT NOT NULL,
2869
+ created_at TEXT NOT NULL
2870
+ );
2871
+
2872
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
2873
+ ON agent_goal_links(goal_id, target_type);
2874
+
2875
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
2876
+ id TEXT PRIMARY KEY,
2877
+ source_memory_id TEXT NOT NULL,
2878
+ event_id TEXT,
2879
+ labeler TEXT NOT NULL,
2880
+ schema_version INTEGER NOT NULL DEFAULT 1,
2881
+ confidence REAL NOT NULL DEFAULT 0,
2882
+ labels TEXT NOT NULL,
2883
+ created_at TEXT NOT NULL,
2884
+ updated_at TEXT NOT NULL
2885
+ );
2886
+
2887
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
2888
+ ON agent_semantic_labels(source_memory_id, labeler);
2889
+
2890
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
2891
+ ON agent_semantic_labels(event_id);
2892
+
2893
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
2894
+ id TEXT PRIMARY KEY,
2895
+ project_name TEXT,
2896
+ session_id TEXT,
2897
+ window_start_at TEXT NOT NULL,
2898
+ window_end_at TEXT NOT NULL,
2899
+ event_count INTEGER NOT NULL DEFAULT 0,
2900
+ goal_count INTEGER NOT NULL DEFAULT 0,
2901
+ success_count INTEGER NOT NULL DEFAULT 0,
2902
+ failure_count INTEGER NOT NULL DEFAULT 0,
2903
+ risk_count INTEGER NOT NULL DEFAULT 0,
2904
+ summary TEXT NOT NULL,
2905
+ learnings TEXT NOT NULL DEFAULT '[]',
2906
+ next_actions TEXT NOT NULL DEFAULT '[]',
2907
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
2908
+ confidence REAL NOT NULL DEFAULT 0,
2909
+ created_at TEXT NOT NULL
2910
+ );
2911
+
2912
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
2913
+ ON agent_reflection_checkpoints(project_name, window_end_at);
2914
+
2915
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
2916
+ ON agent_reflection_checkpoints(session_id, window_end_at);
2917
+ `);
2780
2918
  try {
2781
2919
  await client.execute({
2782
2920
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -3512,7 +3650,7 @@ var init_tasks_review = __esm({
3512
3650
 
3513
3651
  // src/lib/keychain.ts
3514
3652
  import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
3515
- import { existsSync as existsSync14 } from "fs";
3653
+ import { existsSync as existsSync14, statSync as statSync2 } from "fs";
3516
3654
  import { execSync as execSync4 } from "child_process";
3517
3655
  import path15 from "path";
3518
3656
  import os11 from "os";
@@ -3522,29 +3660,78 @@ function getKeyDir() {
3522
3660
  function getKeyPath() {
3523
3661
  return path15.join(getKeyDir(), "master.key");
3524
3662
  }
3525
- function macKeychainGet() {
3663
+ function nativeKeychainAllowed() {
3664
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
3665
+ }
3666
+ function linuxSecretAvailable() {
3667
+ if (!nativeKeychainAllowed()) return false;
3668
+ if (process.platform !== "linux") return false;
3669
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
3670
+ try {
3671
+ execSync4("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
3672
+ } catch {
3673
+ linuxSecretAvailability = false;
3674
+ return false;
3675
+ }
3676
+ try {
3677
+ execSync4("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
3678
+ linuxSecretAvailability = true;
3679
+ } catch {
3680
+ linuxSecretAvailability = false;
3681
+ }
3682
+ return linuxSecretAvailability;
3683
+ }
3684
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
3685
+ if (process.platform !== "linux") return false;
3686
+ try {
3687
+ const uid = typeof os11.userInfo().uid === "number" ? os11.userInfo().uid : -1;
3688
+ const st = statSync2(keyPath);
3689
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
3690
+ if (uid === 0) return true;
3691
+ const exeOsDir = process.env.EXE_OS_DIR;
3692
+ return Boolean(exeOsDir && path15.resolve(keyPath).startsWith(path15.resolve(exeOsDir) + path15.sep));
3693
+ } catch {
3694
+ return false;
3695
+ }
3696
+ }
3697
+ function macKeychainGet(service = SERVICE) {
3698
+ if (!nativeKeychainAllowed()) return null;
3526
3699
  if (process.platform !== "darwin") return null;
3527
3700
  try {
3528
3701
  return execSync4(
3529
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
3702
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
3530
3703
  { encoding: "utf-8", timeout: 5e3 }
3531
3704
  ).trim();
3532
3705
  } catch {
3533
3706
  return null;
3534
3707
  }
3535
3708
  }
3536
- function macKeychainSet(value) {
3709
+ function macKeychainSet(value, service = SERVICE) {
3710
+ if (!nativeKeychainAllowed()) return false;
3537
3711
  if (process.platform !== "darwin") return false;
3538
3712
  try {
3539
3713
  try {
3540
3714
  execSync4(
3541
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
3715
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3542
3716
  { timeout: 5e3 }
3543
3717
  );
3544
3718
  } catch {
3545
3719
  }
3546
3720
  execSync4(
3547
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
3721
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
3722
+ { timeout: 5e3 }
3723
+ );
3724
+ return true;
3725
+ } catch {
3726
+ return false;
3727
+ }
3728
+ }
3729
+ function macKeychainDelete(service = SERVICE) {
3730
+ if (!nativeKeychainAllowed()) return false;
3731
+ if (process.platform !== "darwin") return false;
3732
+ try {
3733
+ execSync4(
3734
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3548
3735
  { timeout: 5e3 }
3549
3736
  );
3550
3737
  return true;
@@ -3552,22 +3739,35 @@ function macKeychainSet(value) {
3552
3739
  return false;
3553
3740
  }
3554
3741
  }
3555
- function linuxSecretGet() {
3556
- if (process.platform !== "linux") return null;
3742
+ function linuxSecretGet(service = SERVICE) {
3743
+ if (!linuxSecretAvailable()) return null;
3557
3744
  try {
3558
3745
  return execSync4(
3559
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
3746
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3560
3747
  { encoding: "utf-8", timeout: 5e3 }
3561
3748
  ).trim();
3562
3749
  } catch {
3563
3750
  return null;
3564
3751
  }
3565
3752
  }
3566
- function linuxSecretSet(value) {
3753
+ function linuxSecretSet(value, service = SERVICE) {
3754
+ if (!linuxSecretAvailable()) return false;
3755
+ try {
3756
+ execSync4(
3757
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3758
+ { timeout: 5e3 }
3759
+ );
3760
+ return true;
3761
+ } catch {
3762
+ return false;
3763
+ }
3764
+ }
3765
+ function linuxSecretDelete(service = SERVICE) {
3766
+ if (!nativeKeychainAllowed()) return false;
3567
3767
  if (process.platform !== "linux") return false;
3568
3768
  try {
3569
3769
  execSync4(
3570
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
3770
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3571
3771
  { timeout: 5e3 }
3572
3772
  );
3573
3773
  return true;
@@ -3576,6 +3776,7 @@ function linuxSecretSet(value) {
3576
3776
  }
3577
3777
  }
3578
3778
  async function tryKeytar() {
3779
+ if (!nativeKeychainAllowed()) return null;
3579
3780
  try {
3580
3781
  return await import("keytar");
3581
3782
  } catch {
@@ -3649,7 +3850,19 @@ async function writeMachineBoundFileFallback(b64) {
3649
3850
  return "plaintext";
3650
3851
  }
3651
3852
  async function getMasterKey() {
3652
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
3853
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
3854
+ if (!nativeValue) {
3855
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
3856
+ if (legacyValue) {
3857
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
3858
+ if (migrated) {
3859
+ macKeychainDelete(LEGACY_SERVICE);
3860
+ linuxSecretDelete(LEGACY_SERVICE);
3861
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
3862
+ }
3863
+ nativeValue = legacyValue;
3864
+ }
3865
+ }
3653
3866
  if (nativeValue) {
3654
3867
  return Buffer.from(nativeValue, "base64");
3655
3868
  }
@@ -3657,12 +3870,17 @@ async function getMasterKey() {
3657
3870
  if (keytar) {
3658
3871
  try {
3659
3872
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
3660
- if (keytarValue) {
3661
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
3873
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
3874
+ if (legacyKeytarValue) {
3875
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
3662
3876
  if (migrated) {
3663
3877
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
3878
+ try {
3879
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
3880
+ } catch {
3881
+ }
3664
3882
  }
3665
- return Buffer.from(keytarValue, "base64");
3883
+ return Buffer.from(legacyKeytarValue, "base64");
3666
3884
  }
3667
3885
  } catch {
3668
3886
  }
@@ -3687,7 +3905,7 @@ async function getMasterKey() {
3687
3905
  const decrypted = decryptWithMachineKey(content, machineKey);
3688
3906
  if (!decrypted) {
3689
3907
  process.stderr.write(
3690
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
3908
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
3691
3909
  );
3692
3910
  return null;
3693
3911
  }
@@ -3696,6 +3914,9 @@ async function getMasterKey() {
3696
3914
  b64Value = content;
3697
3915
  }
3698
3916
  const key = Buffer.from(b64Value, "base64");
3917
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
3918
+ return key;
3919
+ }
3699
3920
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
3700
3921
  if (migrated) {
3701
3922
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -3723,12 +3944,14 @@ async function getMasterKey() {
3723
3944
  return null;
3724
3945
  }
3725
3946
  }
3726
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
3947
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
3727
3948
  var init_keychain = __esm({
3728
3949
  "src/lib/keychain.ts"() {
3729
3950
  "use strict";
3730
- SERVICE = "exe-mem";
3951
+ SERVICE = "exe-os";
3952
+ LEGACY_SERVICE = "exe-mem";
3731
3953
  ACCOUNT = "master-key";
3954
+ linuxSecretAvailability = null;
3732
3955
  ENCRYPTED_PREFIX = "enc:";
3733
3956
  }
3734
3957
  });
@@ -3943,7 +4166,7 @@ __export(shard_manager_exports, {
3943
4166
  shardExists: () => shardExists
3944
4167
  });
3945
4168
  import path16 from "path";
3946
- import { existsSync as existsSync15, mkdirSync as mkdirSync6, readdirSync as readdirSync4, renameSync as renameSync4, statSync as statSync2 } from "fs";
4169
+ import { existsSync as existsSync15, mkdirSync as mkdirSync6, readdirSync as readdirSync4, renameSync as renameSync4, statSync as statSync3 } from "fs";
3947
4170
  import { createClient as createClient2 } from "@libsql/client";
3948
4171
  function initShardManager(encryptionKey) {
3949
4172
  _encryptionKey = encryptionKey;
@@ -4007,7 +4230,7 @@ async function auditShardHealth(options = {}) {
4007
4230
  const shards = [];
4008
4231
  for (const name of names) {
4009
4232
  const dbPath = path16.join(SHARDS_DIR, `${name}.db`);
4010
- const stat = statSync2(dbPath);
4233
+ const stat = statSync3(dbPath);
4011
4234
  const item = {
4012
4235
  name,
4013
4236
  path: dbPath,
@@ -4260,7 +4483,7 @@ async function getReadyShardClient(projectName) {
4260
4483
  _shardLastAccess.delete(safeName);
4261
4484
  const dbPath = path16.join(SHARDS_DIR, `${safeName}.db`);
4262
4485
  if (existsSync15(dbPath)) {
4263
- const stat = statSync2(dbPath);
4486
+ const stat = statSync3(dbPath);
4264
4487
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
4265
4488
  const archivedPath = path16.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
4266
4489
  renameSync4(dbPath, archivedPath);
@@ -4380,6 +4603,12 @@ var init_platform_procedures = __esm({
4380
4603
  priority: "p0",
4381
4604
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
4382
4605
  },
4606
+ {
4607
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
4608
+ domain: "workflow",
4609
+ priority: "p1",
4610
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
4611
+ },
4383
4612
  {
4384
4613
  title: "Single dispatch path \u2014 create_task only",
4385
4614
  domain: "workflow",
@@ -4438,6 +4667,12 @@ var init_platform_procedures = __esm({
4438
4667
  priority: "p0",
4439
4668
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
4440
4669
  },
4670
+ {
4671
+ title: "Commit discipline \u2014 never leave verified work floating",
4672
+ domain: "workflow",
4673
+ priority: "p1",
4674
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
4675
+ },
4441
4676
  {
4442
4677
  title: "Desktop and TUI are the same product",
4443
4678
  domain: "architecture",
@@ -4755,6 +4990,274 @@ var init_memory_cards = __esm({
4755
4990
  }
4756
4991
  });
4757
4992
 
4993
+ // src/lib/agentic-ontology.ts
4994
+ var agentic_ontology_exports = {};
4995
+ __export(agentic_ontology_exports, {
4996
+ clean: () => clean,
4997
+ extractGoalCandidates: () => extractGoalCandidates,
4998
+ inferIntention: () => inferIntention,
4999
+ inferOntologyEventType: () => inferOntologyEventType,
5000
+ inferOutcome: () => inferOutcome,
5001
+ inferSemanticLabel: () => inferSemanticLabel,
5002
+ insertOntologyForBatch: () => insertOntologyForBatch,
5003
+ insertOntologyForMemory: () => insertOntologyForMemory,
5004
+ ontologyPayload: () => ontologyPayload,
5005
+ stableId: () => stableId2
5006
+ });
5007
+ import { createHash as createHash3 } from "crypto";
5008
+ function stableId2(...parts) {
5009
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
5010
+ }
5011
+ function clean(text, max = 240) {
5012
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
5013
+ }
5014
+ function inferOntologyEventType(row) {
5015
+ const lower = row.raw_text.toLowerCase();
5016
+ if (row.has_error) return "error";
5017
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
5018
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
5019
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
5020
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
5021
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
5022
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
5023
+ return "memory_observation";
5024
+ }
5025
+ function inferIntention(row) {
5026
+ if (row.intent) return clean(row.intent, 220);
5027
+ const text = clean(row.raw_text, 1e3);
5028
+ const patterns = [
5029
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
5030
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
5031
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
5032
+ ];
5033
+ for (const p of patterns) {
5034
+ const m = text.match(p);
5035
+ if (m?.[1]) return clean(m[1], 220);
5036
+ }
5037
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
5038
+ return `${row.tool_name} during ${row.project_name}`;
5039
+ }
5040
+ return null;
5041
+ }
5042
+ function inferOutcome(row) {
5043
+ if (row.outcome) return clean(row.outcome, 220);
5044
+ if (row.has_error) return "error";
5045
+ const lower = row.raw_text.toLowerCase();
5046
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
5047
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
5048
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
5049
+ return null;
5050
+ }
5051
+ function extractGoalCandidates(row) {
5052
+ const text = clean(row.raw_text, 1600);
5053
+ const patterns = [
5054
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
5055
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
5056
+ ];
5057
+ const out = [];
5058
+ for (const pattern of patterns) {
5059
+ for (const m of text.matchAll(pattern)) {
5060
+ const candidate = clean(m[1] ?? "", 220);
5061
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
5062
+ if (out.length >= 3) return out;
5063
+ }
5064
+ }
5065
+ return out;
5066
+ }
5067
+ function uniq(values, max = 6) {
5068
+ const out = [];
5069
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
5070
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
5071
+ if (out.length >= max) break;
5072
+ }
5073
+ return out;
5074
+ }
5075
+ function extractMatches(text, patterns, max = 5) {
5076
+ const out = [];
5077
+ for (const pattern of patterns) {
5078
+ for (const match of text.matchAll(pattern)) {
5079
+ const value = match[1] ?? match[0];
5080
+ if (value) out.push(value);
5081
+ if (out.length >= max) return uniq(out, max);
5082
+ }
5083
+ }
5084
+ return uniq(out, max);
5085
+ }
5086
+ function inferSemanticLabel(row) {
5087
+ const text = clean(row.raw_text, 2400);
5088
+ const eventType = inferOntologyEventType(row);
5089
+ const intention = inferIntention(row);
5090
+ const outcome = inferOutcome(row);
5091
+ const goals = extractGoalCandidates(row);
5092
+ const milestones = extractMatches(text, [
5093
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
5094
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
5095
+ ]);
5096
+ const problems = extractMatches(text, [
5097
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
5098
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
5099
+ ]);
5100
+ const decisions = extractMatches(text, [
5101
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
5102
+ ]);
5103
+ const temporalAnchors = extractMatches(text, [
5104
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
5105
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
5106
+ ], 8);
5107
+ const nextActions = extractMatches(text, [
5108
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
5109
+ ]);
5110
+ const actors = uniq([
5111
+ row.agent_id,
5112
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
5113
+ ], 6);
5114
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
5115
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
5116
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
5117
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
5118
+ return {
5119
+ labeler: "deterministic",
5120
+ schemaVersion: 1,
5121
+ eventType,
5122
+ intention,
5123
+ outcome,
5124
+ impact,
5125
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
5126
+ goals,
5127
+ milestones,
5128
+ problems,
5129
+ decisions,
5130
+ actors,
5131
+ temporalAnchors,
5132
+ successSignals,
5133
+ failureSignals,
5134
+ nextActions,
5135
+ summary: clean(text, 280)
5136
+ };
5137
+ }
5138
+ function ontologyPayload(row) {
5139
+ const semantic = inferSemanticLabel(row);
5140
+ return {
5141
+ tool_name: row.tool_name,
5142
+ memory_version: row.version ?? null,
5143
+ domain: row.domain ?? null,
5144
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
5145
+ semantic
5146
+ };
5147
+ }
5148
+ function safeJson(value) {
5149
+ try {
5150
+ return JSON.parse(value);
5151
+ } catch {
5152
+ return value.slice(0, 1e3);
5153
+ }
5154
+ }
5155
+ async function resolveClient(client) {
5156
+ if (client) return client;
5157
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
5158
+ return getClient2();
5159
+ }
5160
+ async function insertOntologyForMemory(row, client) {
5161
+ const db = await resolveClient(client);
5162
+ const occurredAt = row.timestamp;
5163
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
5164
+ const eventType = inferOntologyEventType(row);
5165
+ const intention = inferIntention(row);
5166
+ const outcome = inferOutcome(row);
5167
+ const eventId = stableId2("event", row.id);
5168
+ const now = (/* @__PURE__ */ new Date()).toISOString();
5169
+ await db.execute({
5170
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
5171
+ VALUES (?, ?, ?, ?, ?, 1, ?)
5172
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
5173
+ event_count = event_count + 1`,
5174
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
5175
+ });
5176
+ await db.execute({
5177
+ sql: `INSERT OR IGNORE INTO agent_events
5178
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
5179
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
5180
+ impact, payload, created_at)
5181
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
5182
+ args: [
5183
+ eventId,
5184
+ eventType,
5185
+ occurredAt,
5186
+ sequence,
5187
+ row.agent_id,
5188
+ row.agent_role,
5189
+ row.project_name,
5190
+ row.session_id,
5191
+ row.task_id ?? null,
5192
+ intention,
5193
+ outcome,
5194
+ row.id,
5195
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
5196
+ JSON.stringify(ontologyPayload(row)),
5197
+ now
5198
+ ]
5199
+ });
5200
+ const semantic = inferSemanticLabel(row);
5201
+ await db.execute({
5202
+ sql: `INSERT INTO agent_semantic_labels
5203
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
5204
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
5205
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
5206
+ labels = excluded.labels, updated_at = excluded.updated_at`,
5207
+ args: [
5208
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
5209
+ row.id,
5210
+ eventId,
5211
+ semantic.labeler,
5212
+ semantic.schemaVersion,
5213
+ semantic.confidence,
5214
+ JSON.stringify(semantic),
5215
+ now,
5216
+ now
5217
+ ]
5218
+ });
5219
+ for (const statement of extractGoalCandidates(row)) {
5220
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
5221
+ await db.execute({
5222
+ sql: `INSERT INTO agent_goals
5223
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
5224
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
5225
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
5226
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
5227
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
5228
+ });
5229
+ await db.execute({
5230
+ sql: `INSERT OR IGNORE INTO agent_goal_links
5231
+ (id, goal_id, link_type, target_id, target_type, created_at)
5232
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
5233
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
5234
+ });
5235
+ await db.execute({
5236
+ sql: `INSERT OR IGNORE INTO agent_goal_links
5237
+ (id, goal_id, link_type, target_id, target_type, created_at)
5238
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
5239
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
5240
+ });
5241
+ }
5242
+ }
5243
+ async function insertOntologyForBatch(rows, client) {
5244
+ const db = await resolveClient(client);
5245
+ let count = 0;
5246
+ for (const row of rows) {
5247
+ try {
5248
+ await insertOntologyForMemory(row, db);
5249
+ count++;
5250
+ } catch {
5251
+ }
5252
+ }
5253
+ return count;
5254
+ }
5255
+ var init_agentic_ontology = __esm({
5256
+ "src/lib/agentic-ontology.ts"() {
5257
+ "use strict";
5258
+ }
5259
+ });
5260
+
4758
5261
  // src/lib/store.ts
4759
5262
  var store_exports = {};
4760
5263
  __export(store_exports, {
@@ -5098,6 +5601,11 @@ async function flushBatch() {
5098
5601
  await insertMemoryCardsForBatch2(batch);
5099
5602
  } catch {
5100
5603
  }
5604
+ try {
5605
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
5606
+ await insertOntologyForBatch2(batch);
5607
+ } catch {
5608
+ }
5101
5609
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
5102
5610
  _pendingRecords.splice(0, batch.length);
5103
5611
  try {