@askexenow/exe-os 0.9.65 → 0.9.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
package/dist/bin/exe-rename.js CHANGED
@@ -124,6 +124,11 @@ function normalizeAutoUpdate(raw) {
124
124
  const userAU = raw.autoUpdate ?? {};
125
125
  raw.autoUpdate = { ...defaultAU, ...userAU };
126
126
  }
127
+ function normalizeOrchestration(raw) {
128
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
129
+ const userOrg = raw.orchestration ?? {};
130
+ raw.orchestration = { ...defaultOrg, ...userOrg };
131
+ }
127
132
  async function loadConfig() {
128
133
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
129
134
  await ensurePrivateDir(dir);
@@ -148,10 +153,15 @@ async function loadConfig() {
148
153
  normalizeScalingRoadmap(migratedCfg);
149
154
  normalizeSessionLifecycle(migratedCfg);
150
155
  normalizeAutoUpdate(migratedCfg);
156
+ normalizeOrchestration(migratedCfg);
151
157
  const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
152
158
  if (config.dbPath.startsWith("~")) {
153
159
  config.dbPath = config.dbPath.replace(/^~/, os.homedir());
154
160
  }
161
+ const envDbPath = path.join(dir, "memories.db");
162
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
163
+ config.dbPath = envDbPath;
164
+ }
155
165
  return config;
156
166
  } catch {
157
167
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
@@ -223,6 +233,10 @@ var init_config = __esm({
223
233
  checkOnBoot: true,
224
234
  autoInstall: false,
225
235
  checkIntervalMs: 24 * 60 * 60 * 1e3
236
+ },
237
+ orchestration: {
238
+ phase: "phase_1_coo",
239
+ phaseSetBy: "default"
226
240
  }
227
241
  };
228
242
  CONFIG_MIGRATIONS = [
@@ -1589,6 +1603,9 @@ function getClient() {
1589
1603
  if (_daemonClient && _daemonClient._isDaemonActive()) {
1590
1604
  return _daemonClient;
1591
1605
  }
1606
+ if (!_resilientClient) {
1607
+ return _adapterClient;
1608
+ }
1592
1609
  return _resilientClient;
1593
1610
  }
1594
1611
  async function initDaemonClient() {
@@ -2621,6 +2638,127 @@ async function ensureSchema() {
2621
2638
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
2622
2639
  END;
2623
2640
  `);
2641
+ await client.executeMultiple(`
2642
+ CREATE TABLE IF NOT EXISTS agent_sessions (
2643
+ id TEXT PRIMARY KEY,
2644
+ agent_id TEXT NOT NULL,
2645
+ project_name TEXT,
2646
+ started_at TEXT NOT NULL,
2647
+ last_event_at TEXT NOT NULL,
2648
+ event_count INTEGER NOT NULL DEFAULT 0,
2649
+ properties TEXT DEFAULT '{}'
2650
+ );
2651
+
2652
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
2653
+ ON agent_sessions(agent_id, started_at);
2654
+
2655
+ CREATE TABLE IF NOT EXISTS agent_goals (
2656
+ id TEXT PRIMARY KEY,
2657
+ statement TEXT NOT NULL,
2658
+ owner_agent_id TEXT,
2659
+ project_name TEXT,
2660
+ status TEXT NOT NULL DEFAULT 'open',
2661
+ priority INTEGER NOT NULL DEFAULT 5,
2662
+ success_criteria TEXT,
2663
+ parent_goal_id TEXT,
2664
+ due_at TEXT,
2665
+ achieved_at TEXT,
2666
+ supersedes_id TEXT,
2667
+ created_at TEXT NOT NULL,
2668
+ updated_at TEXT NOT NULL,
2669
+ source_memory_id TEXT
2670
+ );
2671
+
2672
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
2673
+ ON agent_goals(project_name, status, priority);
2674
+
2675
+ CREATE TABLE IF NOT EXISTS agent_events (
2676
+ id TEXT PRIMARY KEY,
2677
+ event_type TEXT NOT NULL,
2678
+ occurred_at TEXT NOT NULL,
2679
+ sequence_index INTEGER NOT NULL,
2680
+ actor_agent_id TEXT,
2681
+ agent_role TEXT,
2682
+ project_name TEXT,
2683
+ session_id TEXT,
2684
+ task_id TEXT,
2685
+ goal_id TEXT,
2686
+ parent_event_id TEXT,
2687
+ intention TEXT,
2688
+ outcome TEXT,
2689
+ evidence_memory_id TEXT,
2690
+ impact TEXT,
2691
+ payload TEXT DEFAULT '{}',
2692
+ created_at TEXT NOT NULL
2693
+ );
2694
+
2695
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
2696
+ ON agent_events(occurred_at, sequence_index);
2697
+
2698
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
2699
+ ON agent_events(session_id, sequence_index);
2700
+
2701
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
2702
+ ON agent_events(goal_id, occurred_at);
2703
+
2704
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
2705
+ ON agent_events(evidence_memory_id);
2706
+
2707
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
2708
+ id TEXT PRIMARY KEY,
2709
+ goal_id TEXT NOT NULL,
2710
+ link_type TEXT NOT NULL,
2711
+ target_id TEXT NOT NULL,
2712
+ target_type TEXT NOT NULL,
2713
+ created_at TEXT NOT NULL
2714
+ );
2715
+
2716
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
2717
+ ON agent_goal_links(goal_id, target_type);
2718
+
2719
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
2720
+ id TEXT PRIMARY KEY,
2721
+ source_memory_id TEXT NOT NULL,
2722
+ event_id TEXT,
2723
+ labeler TEXT NOT NULL,
2724
+ schema_version INTEGER NOT NULL DEFAULT 1,
2725
+ confidence REAL NOT NULL DEFAULT 0,
2726
+ labels TEXT NOT NULL,
2727
+ created_at TEXT NOT NULL,
2728
+ updated_at TEXT NOT NULL
2729
+ );
2730
+
2731
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
2732
+ ON agent_semantic_labels(source_memory_id, labeler);
2733
+
2734
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
2735
+ ON agent_semantic_labels(event_id);
2736
+
2737
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
2738
+ id TEXT PRIMARY KEY,
2739
+ project_name TEXT,
2740
+ session_id TEXT,
2741
+ window_start_at TEXT NOT NULL,
2742
+ window_end_at TEXT NOT NULL,
2743
+ event_count INTEGER NOT NULL DEFAULT 0,
2744
+ goal_count INTEGER NOT NULL DEFAULT 0,
2745
+ success_count INTEGER NOT NULL DEFAULT 0,
2746
+ failure_count INTEGER NOT NULL DEFAULT 0,
2747
+ risk_count INTEGER NOT NULL DEFAULT 0,
2748
+ summary TEXT NOT NULL,
2749
+ learnings TEXT NOT NULL DEFAULT '[]',
2750
+ next_actions TEXT NOT NULL DEFAULT '[]',
2751
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
2752
+ confidence REAL NOT NULL DEFAULT 0,
2753
+ created_at TEXT NOT NULL
2754
+ );
2755
+
2756
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
2757
+ ON agent_reflection_checkpoints(project_name, window_end_at);
2758
+
2759
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
2760
+ ON agent_reflection_checkpoints(session_id, window_end_at);
2761
+ `);
2624
2762
  try {
2625
2763
  await client.execute({
2626
2764
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -2806,6 +2944,12 @@ var init_platform_procedures = __esm({
2806
2944
  priority: "p0",
2807
2945
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
2808
2946
  },
2947
+ {
2948
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
2949
+ domain: "workflow",
2950
+ priority: "p1",
2951
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
2952
+ },
2809
2953
  {
2810
2954
  title: "Single dispatch path \u2014 create_task only",
2811
2955
  domain: "workflow",
@@ -2864,6 +3008,12 @@ var init_platform_procedures = __esm({
2864
3008
  priority: "p0",
2865
3009
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
2866
3010
  },
3011
+ {
3012
+ title: "Commit discipline \u2014 never leave verified work floating",
3013
+ domain: "workflow",
3014
+ priority: "p1",
3015
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
3016
+ },
2867
3017
  {
2868
3018
  title: "Desktop and TUI are the same product",
2869
3019
  domain: "architecture",
@@ -3025,7 +3175,7 @@ ${p.content}`).join("\n\n");
3025
3175
 
3026
3176
  // src/lib/keychain.ts
3027
3177
  import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
3028
- import { existsSync as existsSync6 } from "fs";
3178
+ import { existsSync as existsSync6, statSync as statSync2 } from "fs";
3029
3179
  import { execSync as execSync2 } from "child_process";
3030
3180
  import path6 from "path";
3031
3181
  import os5 from "os";
@@ -3035,29 +3185,65 @@ function getKeyDir() {
3035
3185
  function getKeyPath() {
3036
3186
  return path6.join(getKeyDir(), "master.key");
3037
3187
  }
3038
- function macKeychainGet() {
3188
+ function nativeKeychainAllowed() {
3189
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
3190
+ }
3191
+ function linuxSecretAvailable() {
3192
+ if (!nativeKeychainAllowed()) return false;
3193
+ if (process.platform !== "linux") return false;
3194
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
3195
+ try {
3196
+ execSync2("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
3197
+ } catch {
3198
+ linuxSecretAvailability = false;
3199
+ return false;
3200
+ }
3201
+ try {
3202
+ execSync2("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
3203
+ linuxSecretAvailability = true;
3204
+ } catch {
3205
+ linuxSecretAvailability = false;
3206
+ }
3207
+ return linuxSecretAvailability;
3208
+ }
3209
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
3210
+ if (process.platform !== "linux") return false;
3211
+ try {
3212
+ const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
3213
+ const st = statSync2(keyPath);
3214
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
3215
+ if (uid === 0) return true;
3216
+ const exeOsDir = process.env.EXE_OS_DIR;
3217
+ return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
3218
+ } catch {
3219
+ return false;
3220
+ }
3221
+ }
3222
+ function macKeychainGet(service = SERVICE) {
3223
+ if (!nativeKeychainAllowed()) return null;
3039
3224
  if (process.platform !== "darwin") return null;
3040
3225
  try {
3041
3226
  return execSync2(
3042
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
3227
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
3043
3228
  { encoding: "utf-8", timeout: 5e3 }
3044
3229
  ).trim();
3045
3230
  } catch {
3046
3231
  return null;
3047
3232
  }
3048
3233
  }
3049
- function macKeychainSet(value) {
3234
+ function macKeychainSet(value, service = SERVICE) {
3235
+ if (!nativeKeychainAllowed()) return false;
3050
3236
  if (process.platform !== "darwin") return false;
3051
3237
  try {
3052
3238
  try {
3053
3239
  execSync2(
3054
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
3240
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3055
3241
  { timeout: 5e3 }
3056
3242
  );
3057
3243
  } catch {
3058
3244
  }
3059
3245
  execSync2(
3060
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
3246
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
3061
3247
  { timeout: 5e3 }
3062
3248
  );
3063
3249
  return true;
@@ -3065,22 +3251,48 @@ function macKeychainSet(value) {
3065
3251
  return false;
3066
3252
  }
3067
3253
  }
3068
- function linuxSecretGet() {
3069
- if (process.platform !== "linux") return null;
3254
+ function macKeychainDelete(service = SERVICE) {
3255
+ if (!nativeKeychainAllowed()) return false;
3256
+ if (process.platform !== "darwin") return false;
3257
+ try {
3258
+ execSync2(
3259
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3260
+ { timeout: 5e3 }
3261
+ );
3262
+ return true;
3263
+ } catch {
3264
+ return false;
3265
+ }
3266
+ }
3267
+ function linuxSecretGet(service = SERVICE) {
3268
+ if (!linuxSecretAvailable()) return null;
3070
3269
  try {
3071
3270
  return execSync2(
3072
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
3271
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3073
3272
  { encoding: "utf-8", timeout: 5e3 }
3074
3273
  ).trim();
3075
3274
  } catch {
3076
3275
  return null;
3077
3276
  }
3078
3277
  }
3079
- function linuxSecretSet(value) {
3278
+ function linuxSecretSet(value, service = SERVICE) {
3279
+ if (!linuxSecretAvailable()) return false;
3280
+ try {
3281
+ execSync2(
3282
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3283
+ { timeout: 5e3 }
3284
+ );
3285
+ return true;
3286
+ } catch {
3287
+ return false;
3288
+ }
3289
+ }
3290
+ function linuxSecretDelete(service = SERVICE) {
3291
+ if (!nativeKeychainAllowed()) return false;
3080
3292
  if (process.platform !== "linux") return false;
3081
3293
  try {
3082
3294
  execSync2(
3083
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
3295
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3084
3296
  { timeout: 5e3 }
3085
3297
  );
3086
3298
  return true;
@@ -3089,6 +3301,7 @@ function linuxSecretSet(value) {
3089
3301
  }
3090
3302
  }
3091
3303
  async function tryKeytar() {
3304
+ if (!nativeKeychainAllowed()) return null;
3092
3305
  try {
3093
3306
  return await import("keytar");
3094
3307
  } catch {
@@ -3162,7 +3375,19 @@ async function writeMachineBoundFileFallback(b64) {
3162
3375
  return "plaintext";
3163
3376
  }
3164
3377
  async function getMasterKey() {
3165
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
3378
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
3379
+ if (!nativeValue) {
3380
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
3381
+ if (legacyValue) {
3382
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
3383
+ if (migrated) {
3384
+ macKeychainDelete(LEGACY_SERVICE);
3385
+ linuxSecretDelete(LEGACY_SERVICE);
3386
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
3387
+ }
3388
+ nativeValue = legacyValue;
3389
+ }
3390
+ }
3166
3391
  if (nativeValue) {
3167
3392
  return Buffer.from(nativeValue, "base64");
3168
3393
  }
@@ -3170,12 +3395,17 @@ async function getMasterKey() {
3170
3395
  if (keytar) {
3171
3396
  try {
3172
3397
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
3173
- if (keytarValue) {
3174
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
3398
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
3399
+ if (legacyKeytarValue) {
3400
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
3175
3401
  if (migrated) {
3176
3402
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
3403
+ try {
3404
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
3405
+ } catch {
3406
+ }
3177
3407
  }
3178
- return Buffer.from(keytarValue, "base64");
3408
+ return Buffer.from(legacyKeytarValue, "base64");
3179
3409
  }
3180
3410
  } catch {
3181
3411
  }
@@ -3200,7 +3430,7 @@ async function getMasterKey() {
3200
3430
  const decrypted = decryptWithMachineKey(content, machineKey);
3201
3431
  if (!decrypted) {
3202
3432
  process.stderr.write(
3203
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
3433
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
3204
3434
  );
3205
3435
  return null;
3206
3436
  }
@@ -3209,6 +3439,9 @@ async function getMasterKey() {
3209
3439
  b64Value = content;
3210
3440
  }
3211
3441
  const key = Buffer.from(b64Value, "base64");
3442
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
3443
+ return key;
3444
+ }
3212
3445
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
3213
3446
  if (migrated) {
3214
3447
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -3236,12 +3469,14 @@ async function getMasterKey() {
3236
3469
  return null;
3237
3470
  }
3238
3471
  }
3239
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
3472
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
3240
3473
  var init_keychain = __esm({
3241
3474
  "src/lib/keychain.ts"() {
3242
3475
  "use strict";
3243
- SERVICE = "exe-mem";
3476
+ SERVICE = "exe-os";
3477
+ LEGACY_SERVICE = "exe-mem";
3244
3478
  ACCOUNT = "master-key";
3479
+ linuxSecretAvailability = null;
3245
3480
  ENCRYPTED_PREFIX = "enc:";
3246
3481
  }
3247
3482
  });
@@ -3511,7 +3746,7 @@ __export(shard_manager_exports, {
3511
3746
  shardExists: () => shardExists
3512
3747
  });
3513
3748
  import path7 from "path";
3514
- import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync2 } from "fs";
3749
+ import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync3 } from "fs";
3515
3750
  import { createClient as createClient2 } from "@libsql/client";
3516
3751
  function initShardManager(encryptionKey) {
3517
3752
  _encryptionKey = encryptionKey;
@@ -3575,7 +3810,7 @@ async function auditShardHealth(options = {}) {
3575
3810
  const shards = [];
3576
3811
  for (const name of names) {
3577
3812
  const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
3578
- const stat = statSync2(dbPath);
3813
+ const stat = statSync3(dbPath);
3579
3814
  const item = {
3580
3815
  name,
3581
3816
  path: dbPath,
@@ -3828,7 +4063,7 @@ async function getReadyShardClient(projectName) {
3828
4063
  _shardLastAccess.delete(safeName);
3829
4064
  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
3830
4065
  if (existsSync7(dbPath)) {
3831
- const stat = statSync2(dbPath);
4066
+ const stat = statSync3(dbPath);
3832
4067
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
3833
4068
  const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
3834
4069
  renameSync3(dbPath, archivedPath);
@@ -4068,6 +4303,274 @@ var init_memory_cards = __esm({
4068
4303
  }
4069
4304
  });
4070
4305
 
4306
+ // src/lib/agentic-ontology.ts
4307
+ var agentic_ontology_exports = {};
4308
+ __export(agentic_ontology_exports, {
4309
+ clean: () => clean,
4310
+ extractGoalCandidates: () => extractGoalCandidates,
4311
+ inferIntention: () => inferIntention,
4312
+ inferOntologyEventType: () => inferOntologyEventType,
4313
+ inferOutcome: () => inferOutcome,
4314
+ inferSemanticLabel: () => inferSemanticLabel,
4315
+ insertOntologyForBatch: () => insertOntologyForBatch,
4316
+ insertOntologyForMemory: () => insertOntologyForMemory,
4317
+ ontologyPayload: () => ontologyPayload,
4318
+ stableId: () => stableId2
4319
+ });
4320
+ import { createHash as createHash3 } from "crypto";
4321
+ function stableId2(...parts) {
4322
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
4323
+ }
4324
+ function clean(text, max = 240) {
4325
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
4326
+ }
4327
+ function inferOntologyEventType(row) {
4328
+ const lower = row.raw_text.toLowerCase();
4329
+ if (row.has_error) return "error";
4330
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
4331
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
4332
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
4333
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
4334
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
4335
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
4336
+ return "memory_observation";
4337
+ }
4338
+ function inferIntention(row) {
4339
+ if (row.intent) return clean(row.intent, 220);
4340
+ const text = clean(row.raw_text, 1e3);
4341
+ const patterns = [
4342
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
4343
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
4344
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
4345
+ ];
4346
+ for (const p of patterns) {
4347
+ const m = text.match(p);
4348
+ if (m?.[1]) return clean(m[1], 220);
4349
+ }
4350
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
4351
+ return `${row.tool_name} during ${row.project_name}`;
4352
+ }
4353
+ return null;
4354
+ }
4355
+ function inferOutcome(row) {
4356
+ if (row.outcome) return clean(row.outcome, 220);
4357
+ if (row.has_error) return "error";
4358
+ const lower = row.raw_text.toLowerCase();
4359
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
4360
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
4361
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
4362
+ return null;
4363
+ }
4364
+ function extractGoalCandidates(row) {
4365
+ const text = clean(row.raw_text, 1600);
4366
+ const patterns = [
4367
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
4368
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
4369
+ ];
4370
+ const out = [];
4371
+ for (const pattern of patterns) {
4372
+ for (const m of text.matchAll(pattern)) {
4373
+ const candidate = clean(m[1] ?? "", 220);
4374
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
4375
+ if (out.length >= 3) return out;
4376
+ }
4377
+ }
4378
+ return out;
4379
+ }
4380
+ function uniq(values, max = 6) {
4381
+ const out = [];
4382
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
4383
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
4384
+ if (out.length >= max) break;
4385
+ }
4386
+ return out;
4387
+ }
4388
+ function extractMatches(text, patterns, max = 5) {
4389
+ const out = [];
4390
+ for (const pattern of patterns) {
4391
+ for (const match of text.matchAll(pattern)) {
4392
+ const value = match[1] ?? match[0];
4393
+ if (value) out.push(value);
4394
+ if (out.length >= max) return uniq(out, max);
4395
+ }
4396
+ }
4397
+ return uniq(out, max);
4398
+ }
4399
+ function inferSemanticLabel(row) {
4400
+ const text = clean(row.raw_text, 2400);
4401
+ const eventType = inferOntologyEventType(row);
4402
+ const intention = inferIntention(row);
4403
+ const outcome = inferOutcome(row);
4404
+ const goals = extractGoalCandidates(row);
4405
+ const milestones = extractMatches(text, [
4406
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
4407
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
4408
+ ]);
4409
+ const problems = extractMatches(text, [
4410
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
4411
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
4412
+ ]);
4413
+ const decisions = extractMatches(text, [
4414
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
4415
+ ]);
4416
+ const temporalAnchors = extractMatches(text, [
4417
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
4418
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
4419
+ ], 8);
4420
+ const nextActions = extractMatches(text, [
4421
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
4422
+ ]);
4423
+ const actors = uniq([
4424
+ row.agent_id,
4425
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
4426
+ ], 6);
4427
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
4428
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
4429
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
4430
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
4431
+ return {
4432
+ labeler: "deterministic",
4433
+ schemaVersion: 1,
4434
+ eventType,
4435
+ intention,
4436
+ outcome,
4437
+ impact,
4438
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
4439
+ goals,
4440
+ milestones,
4441
+ problems,
4442
+ decisions,
4443
+ actors,
4444
+ temporalAnchors,
4445
+ successSignals,
4446
+ failureSignals,
4447
+ nextActions,
4448
+ summary: clean(text, 280)
4449
+ };
4450
+ }
4451
+ function ontologyPayload(row) {
4452
+ const semantic = inferSemanticLabel(row);
4453
+ return {
4454
+ tool_name: row.tool_name,
4455
+ memory_version: row.version ?? null,
4456
+ domain: row.domain ?? null,
4457
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
4458
+ semantic
4459
+ };
4460
+ }
4461
+ function safeJson(value) {
4462
+ try {
4463
+ return JSON.parse(value);
4464
+ } catch {
4465
+ return value.slice(0, 1e3);
4466
+ }
4467
+ }
4468
+ async function resolveClient(client) {
4469
+ if (client) return client;
4470
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
4471
+ return getClient2();
4472
+ }
4473
+ async function insertOntologyForMemory(row, client) {
4474
+ const db = await resolveClient(client);
4475
+ const occurredAt = row.timestamp;
4476
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
4477
+ const eventType = inferOntologyEventType(row);
4478
+ const intention = inferIntention(row);
4479
+ const outcome = inferOutcome(row);
4480
+ const eventId = stableId2("event", row.id);
4481
+ const now = (/* @__PURE__ */ new Date()).toISOString();
4482
+ await db.execute({
4483
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
4484
+ VALUES (?, ?, ?, ?, ?, 1, ?)
4485
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
4486
+ event_count = event_count + 1`,
4487
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
4488
+ });
4489
+ await db.execute({
4490
+ sql: `INSERT OR IGNORE INTO agent_events
4491
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
4492
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
4493
+ impact, payload, created_at)
4494
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
4495
+ args: [
4496
+ eventId,
4497
+ eventType,
4498
+ occurredAt,
4499
+ sequence,
4500
+ row.agent_id,
4501
+ row.agent_role,
4502
+ row.project_name,
4503
+ row.session_id,
4504
+ row.task_id ?? null,
4505
+ intention,
4506
+ outcome,
4507
+ row.id,
4508
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
4509
+ JSON.stringify(ontologyPayload(row)),
4510
+ now
4511
+ ]
4512
+ });
4513
+ const semantic = inferSemanticLabel(row);
4514
+ await db.execute({
4515
+ sql: `INSERT INTO agent_semantic_labels
4516
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
4517
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
4518
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
4519
+ labels = excluded.labels, updated_at = excluded.updated_at`,
4520
+ args: [
4521
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
4522
+ row.id,
4523
+ eventId,
4524
+ semantic.labeler,
4525
+ semantic.schemaVersion,
4526
+ semantic.confidence,
4527
+ JSON.stringify(semantic),
4528
+ now,
4529
+ now
4530
+ ]
4531
+ });
4532
+ for (const statement of extractGoalCandidates(row)) {
4533
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
4534
+ await db.execute({
4535
+ sql: `INSERT INTO agent_goals
4536
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
4537
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
4538
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
4539
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
4540
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
4541
+ });
4542
+ await db.execute({
4543
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4544
+ (id, goal_id, link_type, target_id, target_type, created_at)
4545
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
4546
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
4547
+ });
4548
+ await db.execute({
4549
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4550
+ (id, goal_id, link_type, target_id, target_type, created_at)
4551
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
4552
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
4553
+ });
4554
+ }
4555
+ }
4556
+ async function insertOntologyForBatch(rows, client) {
4557
+ const db = await resolveClient(client);
4558
+ let count = 0;
4559
+ for (const row of rows) {
4560
+ try {
4561
+ await insertOntologyForMemory(row, db);
4562
+ count++;
4563
+ } catch {
4564
+ }
4565
+ }
4566
+ return count;
4567
+ }
4568
+ var init_agentic_ontology = __esm({
4569
+ "src/lib/agentic-ontology.ts"() {
4570
+ "use strict";
4571
+ }
4572
+ });
4573
+
4071
4574
  // src/lib/store.ts
4072
4575
  var store_exports = {};
4073
4576
  __export(store_exports, {
@@ -4411,6 +4914,11 @@ async function flushBatch() {
4411
4914
  await insertMemoryCardsForBatch2(batch);
4412
4915
  } catch {
4413
4916
  }
4917
+ try {
4918
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
4919
+ await insertOntologyForBatch2(batch);
4920
+ } catch {
4921
+ }
4414
4922
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
4415
4923
  _pendingRecords.splice(0, batch.length);
4416
4924
  try {