@askexenow/exe-os 0.9.65 → 0.9.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
package/dist/bin/exe-review.js CHANGED
@@ -124,6 +124,11 @@ function normalizeAutoUpdate(raw) {
124
124
  const userAU = raw.autoUpdate ?? {};
125
125
  raw.autoUpdate = { ...defaultAU, ...userAU };
126
126
  }
127
+ function normalizeOrchestration(raw) {
128
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
129
+ const userOrg = raw.orchestration ?? {};
130
+ raw.orchestration = { ...defaultOrg, ...userOrg };
131
+ }
127
132
  async function loadConfig() {
128
133
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
129
134
  await ensurePrivateDir(dir);
@@ -148,10 +153,15 @@ async function loadConfig() {
148
153
  normalizeScalingRoadmap(migratedCfg);
149
154
  normalizeSessionLifecycle(migratedCfg);
150
155
  normalizeAutoUpdate(migratedCfg);
156
+ normalizeOrchestration(migratedCfg);
151
157
  const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
152
158
  if (config.dbPath.startsWith("~")) {
153
159
  config.dbPath = config.dbPath.replace(/^~/, os.homedir());
154
160
  }
161
+ const envDbPath = path.join(dir, "memories.db");
162
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
163
+ config.dbPath = envDbPath;
164
+ }
155
165
  return config;
156
166
  } catch {
157
167
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
@@ -223,6 +233,10 @@ var init_config = __esm({
223
233
  checkOnBoot: true,
224
234
  autoInstall: false,
225
235
  checkIntervalMs: 24 * 60 * 60 * 1e3
236
+ },
237
+ orchestration: {
238
+ phase: "phase_1_coo",
239
+ phaseSetBy: "default"
226
240
  }
227
241
  };
228
242
  CONFIG_MIGRATIONS = [
@@ -1748,6 +1762,9 @@ function getClient() {
1748
1762
  if (_daemonClient && _daemonClient._isDaemonActive()) {
1749
1763
  return _daemonClient;
1750
1764
  }
1765
+ if (!_resilientClient) {
1766
+ return _adapterClient;
1767
+ }
1751
1768
  return _resilientClient;
1752
1769
  }
1753
1770
  async function initDaemonClient() {
@@ -2780,6 +2797,127 @@ async function ensureSchema() {
2780
2797
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
2781
2798
  END;
2782
2799
  `);
2800
+ await client.executeMultiple(`
2801
+ CREATE TABLE IF NOT EXISTS agent_sessions (
2802
+ id TEXT PRIMARY KEY,
2803
+ agent_id TEXT NOT NULL,
2804
+ project_name TEXT,
2805
+ started_at TEXT NOT NULL,
2806
+ last_event_at TEXT NOT NULL,
2807
+ event_count INTEGER NOT NULL DEFAULT 0,
2808
+ properties TEXT DEFAULT '{}'
2809
+ );
2810
+
2811
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
2812
+ ON agent_sessions(agent_id, started_at);
2813
+
2814
+ CREATE TABLE IF NOT EXISTS agent_goals (
2815
+ id TEXT PRIMARY KEY,
2816
+ statement TEXT NOT NULL,
2817
+ owner_agent_id TEXT,
2818
+ project_name TEXT,
2819
+ status TEXT NOT NULL DEFAULT 'open',
2820
+ priority INTEGER NOT NULL DEFAULT 5,
2821
+ success_criteria TEXT,
2822
+ parent_goal_id TEXT,
2823
+ due_at TEXT,
2824
+ achieved_at TEXT,
2825
+ supersedes_id TEXT,
2826
+ created_at TEXT NOT NULL,
2827
+ updated_at TEXT NOT NULL,
2828
+ source_memory_id TEXT
2829
+ );
2830
+
2831
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
2832
+ ON agent_goals(project_name, status, priority);
2833
+
2834
+ CREATE TABLE IF NOT EXISTS agent_events (
2835
+ id TEXT PRIMARY KEY,
2836
+ event_type TEXT NOT NULL,
2837
+ occurred_at TEXT NOT NULL,
2838
+ sequence_index INTEGER NOT NULL,
2839
+ actor_agent_id TEXT,
2840
+ agent_role TEXT,
2841
+ project_name TEXT,
2842
+ session_id TEXT,
2843
+ task_id TEXT,
2844
+ goal_id TEXT,
2845
+ parent_event_id TEXT,
2846
+ intention TEXT,
2847
+ outcome TEXT,
2848
+ evidence_memory_id TEXT,
2849
+ impact TEXT,
2850
+ payload TEXT DEFAULT '{}',
2851
+ created_at TEXT NOT NULL
2852
+ );
2853
+
2854
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
2855
+ ON agent_events(occurred_at, sequence_index);
2856
+
2857
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
2858
+ ON agent_events(session_id, sequence_index);
2859
+
2860
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
2861
+ ON agent_events(goal_id, occurred_at);
2862
+
2863
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
2864
+ ON agent_events(evidence_memory_id);
2865
+
2866
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
2867
+ id TEXT PRIMARY KEY,
2868
+ goal_id TEXT NOT NULL,
2869
+ link_type TEXT NOT NULL,
2870
+ target_id TEXT NOT NULL,
2871
+ target_type TEXT NOT NULL,
2872
+ created_at TEXT NOT NULL
2873
+ );
2874
+
2875
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
2876
+ ON agent_goal_links(goal_id, target_type);
2877
+
2878
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
2879
+ id TEXT PRIMARY KEY,
2880
+ source_memory_id TEXT NOT NULL,
2881
+ event_id TEXT,
2882
+ labeler TEXT NOT NULL,
2883
+ schema_version INTEGER NOT NULL DEFAULT 1,
2884
+ confidence REAL NOT NULL DEFAULT 0,
2885
+ labels TEXT NOT NULL,
2886
+ created_at TEXT NOT NULL,
2887
+ updated_at TEXT NOT NULL
2888
+ );
2889
+
2890
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
2891
+ ON agent_semantic_labels(source_memory_id, labeler);
2892
+
2893
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
2894
+ ON agent_semantic_labels(event_id);
2895
+
2896
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
2897
+ id TEXT PRIMARY KEY,
2898
+ project_name TEXT,
2899
+ session_id TEXT,
2900
+ window_start_at TEXT NOT NULL,
2901
+ window_end_at TEXT NOT NULL,
2902
+ event_count INTEGER NOT NULL DEFAULT 0,
2903
+ goal_count INTEGER NOT NULL DEFAULT 0,
2904
+ success_count INTEGER NOT NULL DEFAULT 0,
2905
+ failure_count INTEGER NOT NULL DEFAULT 0,
2906
+ risk_count INTEGER NOT NULL DEFAULT 0,
2907
+ summary TEXT NOT NULL,
2908
+ learnings TEXT NOT NULL DEFAULT '[]',
2909
+ next_actions TEXT NOT NULL DEFAULT '[]',
2910
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
2911
+ confidence REAL NOT NULL DEFAULT 0,
2912
+ created_at TEXT NOT NULL
2913
+ );
2914
+
2915
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
2916
+ ON agent_reflection_checkpoints(project_name, window_end_at);
2917
+
2918
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
2919
+ ON agent_reflection_checkpoints(session_id, window_end_at);
2920
+ `);
2783
2921
  try {
2784
2922
  await client.execute({
2785
2923
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -2929,7 +3067,7 @@ var init_database = __esm({
2929
3067
 
2930
3068
  // src/lib/keychain.ts
2931
3069
  import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
2932
- import { existsSync as existsSync6 } from "fs";
3070
+ import { existsSync as existsSync6, statSync as statSync2 } from "fs";
2933
3071
  import { execSync as execSync2 } from "child_process";
2934
3072
  import path6 from "path";
2935
3073
  import os5 from "os";
@@ -2939,29 +3077,78 @@ function getKeyDir() {
2939
3077
  function getKeyPath() {
2940
3078
  return path6.join(getKeyDir(), "master.key");
2941
3079
  }
2942
- function macKeychainGet() {
3080
+ function nativeKeychainAllowed() {
3081
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
3082
+ }
3083
+ function linuxSecretAvailable() {
3084
+ if (!nativeKeychainAllowed()) return false;
3085
+ if (process.platform !== "linux") return false;
3086
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
3087
+ try {
3088
+ execSync2("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
3089
+ } catch {
3090
+ linuxSecretAvailability = false;
3091
+ return false;
3092
+ }
3093
+ try {
3094
+ execSync2("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
3095
+ linuxSecretAvailability = true;
3096
+ } catch {
3097
+ linuxSecretAvailability = false;
3098
+ }
3099
+ return linuxSecretAvailability;
3100
+ }
3101
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
3102
+ if (process.platform !== "linux") return false;
3103
+ try {
3104
+ const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
3105
+ const st = statSync2(keyPath);
3106
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
3107
+ if (uid === 0) return true;
3108
+ const exeOsDir = process.env.EXE_OS_DIR;
3109
+ return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
3110
+ } catch {
3111
+ return false;
3112
+ }
3113
+ }
3114
+ function macKeychainGet(service = SERVICE) {
3115
+ if (!nativeKeychainAllowed()) return null;
2943
3116
  if (process.platform !== "darwin") return null;
2944
3117
  try {
2945
3118
  return execSync2(
2946
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
3119
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
2947
3120
  { encoding: "utf-8", timeout: 5e3 }
2948
3121
  ).trim();
2949
3122
  } catch {
2950
3123
  return null;
2951
3124
  }
2952
3125
  }
2953
- function macKeychainSet(value) {
3126
+ function macKeychainSet(value, service = SERVICE) {
3127
+ if (!nativeKeychainAllowed()) return false;
2954
3128
  if (process.platform !== "darwin") return false;
2955
3129
  try {
2956
3130
  try {
2957
3131
  execSync2(
2958
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
3132
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
2959
3133
  { timeout: 5e3 }
2960
3134
  );
2961
3135
  } catch {
2962
3136
  }
2963
3137
  execSync2(
2964
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
3138
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
3139
+ { timeout: 5e3 }
3140
+ );
3141
+ return true;
3142
+ } catch {
3143
+ return false;
3144
+ }
3145
+ }
3146
+ function macKeychainDelete(service = SERVICE) {
3147
+ if (!nativeKeychainAllowed()) return false;
3148
+ if (process.platform !== "darwin") return false;
3149
+ try {
3150
+ execSync2(
3151
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
2965
3152
  { timeout: 5e3 }
2966
3153
  );
2967
3154
  return true;
@@ -2969,22 +3156,35 @@ function macKeychainSet(value) {
2969
3156
  return false;
2970
3157
  }
2971
3158
  }
2972
- function linuxSecretGet() {
2973
- if (process.platform !== "linux") return null;
3159
+ function linuxSecretGet(service = SERVICE) {
3160
+ if (!linuxSecretAvailable()) return null;
2974
3161
  try {
2975
3162
  return execSync2(
2976
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
3163
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
2977
3164
  { encoding: "utf-8", timeout: 5e3 }
2978
3165
  ).trim();
2979
3166
  } catch {
2980
3167
  return null;
2981
3168
  }
2982
3169
  }
2983
- function linuxSecretSet(value) {
3170
+ function linuxSecretSet(value, service = SERVICE) {
3171
+ if (!linuxSecretAvailable()) return false;
3172
+ try {
3173
+ execSync2(
3174
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3175
+ { timeout: 5e3 }
3176
+ );
3177
+ return true;
3178
+ } catch {
3179
+ return false;
3180
+ }
3181
+ }
3182
+ function linuxSecretDelete(service = SERVICE) {
3183
+ if (!nativeKeychainAllowed()) return false;
2984
3184
  if (process.platform !== "linux") return false;
2985
3185
  try {
2986
3186
  execSync2(
2987
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
3187
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
2988
3188
  { timeout: 5e3 }
2989
3189
  );
2990
3190
  return true;
@@ -2993,6 +3193,7 @@ function linuxSecretSet(value) {
2993
3193
  }
2994
3194
  }
2995
3195
  async function tryKeytar() {
3196
+ if (!nativeKeychainAllowed()) return null;
2996
3197
  try {
2997
3198
  return await import("keytar");
2998
3199
  } catch {
@@ -3066,7 +3267,19 @@ async function writeMachineBoundFileFallback(b64) {
3066
3267
  return "plaintext";
3067
3268
  }
3068
3269
  async function getMasterKey() {
3069
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
3270
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
3271
+ if (!nativeValue) {
3272
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
3273
+ if (legacyValue) {
3274
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
3275
+ if (migrated) {
3276
+ macKeychainDelete(LEGACY_SERVICE);
3277
+ linuxSecretDelete(LEGACY_SERVICE);
3278
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
3279
+ }
3280
+ nativeValue = legacyValue;
3281
+ }
3282
+ }
3070
3283
  if (nativeValue) {
3071
3284
  return Buffer.from(nativeValue, "base64");
3072
3285
  }
@@ -3074,12 +3287,17 @@ async function getMasterKey() {
3074
3287
  if (keytar) {
3075
3288
  try {
3076
3289
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
3077
- if (keytarValue) {
3078
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
3290
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
3291
+ if (legacyKeytarValue) {
3292
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
3079
3293
  if (migrated) {
3080
3294
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
3295
+ try {
3296
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
3297
+ } catch {
3298
+ }
3081
3299
  }
3082
- return Buffer.from(keytarValue, "base64");
3300
+ return Buffer.from(legacyKeytarValue, "base64");
3083
3301
  }
3084
3302
  } catch {
3085
3303
  }
@@ -3104,7 +3322,7 @@ async function getMasterKey() {
3104
3322
  const decrypted = decryptWithMachineKey(content, machineKey);
3105
3323
  if (!decrypted) {
3106
3324
  process.stderr.write(
3107
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
3325
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
3108
3326
  );
3109
3327
  return null;
3110
3328
  }
@@ -3113,6 +3331,9 @@ async function getMasterKey() {
3113
3331
  b64Value = content;
3114
3332
  }
3115
3333
  const key = Buffer.from(b64Value, "base64");
3334
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
3335
+ return key;
3336
+ }
3116
3337
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
3117
3338
  if (migrated) {
3118
3339
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -3140,12 +3361,14 @@ async function getMasterKey() {
3140
3361
  return null;
3141
3362
  }
3142
3363
  }
3143
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
3364
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
3144
3365
  var init_keychain = __esm({
3145
3366
  "src/lib/keychain.ts"() {
3146
3367
  "use strict";
3147
- SERVICE = "exe-mem";
3368
+ SERVICE = "exe-os";
3369
+ LEGACY_SERVICE = "exe-mem";
3148
3370
  ACCOUNT = "master-key";
3371
+ linuxSecretAvailability = null;
3149
3372
  ENCRYPTED_PREFIX = "enc:";
3150
3373
  }
3151
3374
  });
@@ -3415,7 +3638,7 @@ __export(shard_manager_exports, {
3415
3638
  shardExists: () => shardExists
3416
3639
  });
3417
3640
  import path7 from "path";
3418
- import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync2 } from "fs";
3641
+ import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync3 } from "fs";
3419
3642
  import { createClient as createClient2 } from "@libsql/client";
3420
3643
  function initShardManager(encryptionKey) {
3421
3644
  _encryptionKey = encryptionKey;
@@ -3479,7 +3702,7 @@ async function auditShardHealth(options = {}) {
3479
3702
  const shards = [];
3480
3703
  for (const name of names) {
3481
3704
  const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
3482
- const stat = statSync2(dbPath);
3705
+ const stat = statSync3(dbPath);
3483
3706
  const item = {
3484
3707
  name,
3485
3708
  path: dbPath,
@@ -3732,7 +3955,7 @@ async function getReadyShardClient(projectName) {
3732
3955
  _shardLastAccess.delete(safeName);
3733
3956
  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
3734
3957
  if (existsSync7(dbPath)) {
3735
- const stat = statSync2(dbPath);
3958
+ const stat = statSync3(dbPath);
3736
3959
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
3737
3960
  const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
3738
3961
  renameSync3(dbPath, archivedPath);
@@ -3852,6 +4075,12 @@ var init_platform_procedures = __esm({
3852
4075
  priority: "p0",
3853
4076
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
3854
4077
  },
4078
+ {
4079
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
4080
+ domain: "workflow",
4081
+ priority: "p1",
4082
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
4083
+ },
3855
4084
  {
3856
4085
  title: "Single dispatch path \u2014 create_task only",
3857
4086
  domain: "workflow",
@@ -3910,6 +4139,12 @@ var init_platform_procedures = __esm({
3910
4139
  priority: "p0",
3911
4140
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
3912
4141
  },
4142
+ {
4143
+ title: "Commit discipline \u2014 never leave verified work floating",
4144
+ domain: "workflow",
4145
+ priority: "p1",
4146
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
4147
+ },
3913
4148
  {
3914
4149
  title: "Desktop and TUI are the same product",
3915
4150
  domain: "architecture",
@@ -4227,6 +4462,274 @@ var init_memory_cards = __esm({
4227
4462
  }
4228
4463
  });
4229
4464
 
4465
+ // src/lib/agentic-ontology.ts
4466
+ var agentic_ontology_exports = {};
4467
+ __export(agentic_ontology_exports, {
4468
+ clean: () => clean,
4469
+ extractGoalCandidates: () => extractGoalCandidates,
4470
+ inferIntention: () => inferIntention,
4471
+ inferOntologyEventType: () => inferOntologyEventType,
4472
+ inferOutcome: () => inferOutcome,
4473
+ inferSemanticLabel: () => inferSemanticLabel,
4474
+ insertOntologyForBatch: () => insertOntologyForBatch,
4475
+ insertOntologyForMemory: () => insertOntologyForMemory,
4476
+ ontologyPayload: () => ontologyPayload,
4477
+ stableId: () => stableId2
4478
+ });
4479
+ import { createHash as createHash3 } from "crypto";
4480
+ function stableId2(...parts) {
4481
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
4482
+ }
4483
+ function clean(text, max = 240) {
4484
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
4485
+ }
4486
+ function inferOntologyEventType(row) {
4487
+ const lower = row.raw_text.toLowerCase();
4488
+ if (row.has_error) return "error";
4489
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
4490
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
4491
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
4492
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
4493
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
4494
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
4495
+ return "memory_observation";
4496
+ }
4497
+ function inferIntention(row) {
4498
+ if (row.intent) return clean(row.intent, 220);
4499
+ const text = clean(row.raw_text, 1e3);
4500
+ const patterns = [
4501
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
4502
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
4503
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
4504
+ ];
4505
+ for (const p of patterns) {
4506
+ const m = text.match(p);
4507
+ if (m?.[1]) return clean(m[1], 220);
4508
+ }
4509
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
4510
+ return `${row.tool_name} during ${row.project_name}`;
4511
+ }
4512
+ return null;
4513
+ }
4514
+ function inferOutcome(row) {
4515
+ if (row.outcome) return clean(row.outcome, 220);
4516
+ if (row.has_error) return "error";
4517
+ const lower = row.raw_text.toLowerCase();
4518
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
4519
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
4520
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
4521
+ return null;
4522
+ }
4523
+ function extractGoalCandidates(row) {
4524
+ const text = clean(row.raw_text, 1600);
4525
+ const patterns = [
4526
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
4527
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
4528
+ ];
4529
+ const out = [];
4530
+ for (const pattern of patterns) {
4531
+ for (const m of text.matchAll(pattern)) {
4532
+ const candidate = clean(m[1] ?? "", 220);
4533
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
4534
+ if (out.length >= 3) return out;
4535
+ }
4536
+ }
4537
+ return out;
4538
+ }
4539
+ function uniq(values, max = 6) {
4540
+ const out = [];
4541
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
4542
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
4543
+ if (out.length >= max) break;
4544
+ }
4545
+ return out;
4546
+ }
4547
+ function extractMatches(text, patterns, max = 5) {
4548
+ const out = [];
4549
+ for (const pattern of patterns) {
4550
+ for (const match of text.matchAll(pattern)) {
4551
+ const value = match[1] ?? match[0];
4552
+ if (value) out.push(value);
4553
+ if (out.length >= max) return uniq(out, max);
4554
+ }
4555
+ }
4556
+ return uniq(out, max);
4557
+ }
4558
+ function inferSemanticLabel(row) {
4559
+ const text = clean(row.raw_text, 2400);
4560
+ const eventType = inferOntologyEventType(row);
4561
+ const intention = inferIntention(row);
4562
+ const outcome = inferOutcome(row);
4563
+ const goals = extractGoalCandidates(row);
4564
+ const milestones = extractMatches(text, [
4565
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
4566
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
4567
+ ]);
4568
+ const problems = extractMatches(text, [
4569
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
4570
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
4571
+ ]);
4572
+ const decisions = extractMatches(text, [
4573
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
4574
+ ]);
4575
+ const temporalAnchors = extractMatches(text, [
4576
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
4577
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
4578
+ ], 8);
4579
+ const nextActions = extractMatches(text, [
4580
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
4581
+ ]);
4582
+ const actors = uniq([
4583
+ row.agent_id,
4584
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
4585
+ ], 6);
4586
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
4587
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
4588
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
4589
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
4590
+ return {
4591
+ labeler: "deterministic",
4592
+ schemaVersion: 1,
4593
+ eventType,
4594
+ intention,
4595
+ outcome,
4596
+ impact,
4597
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
4598
+ goals,
4599
+ milestones,
4600
+ problems,
4601
+ decisions,
4602
+ actors,
4603
+ temporalAnchors,
4604
+ successSignals,
4605
+ failureSignals,
4606
+ nextActions,
4607
+ summary: clean(text, 280)
4608
+ };
4609
+ }
4610
+ function ontologyPayload(row) {
4611
+ const semantic = inferSemanticLabel(row);
4612
+ return {
4613
+ tool_name: row.tool_name,
4614
+ memory_version: row.version ?? null,
4615
+ domain: row.domain ?? null,
4616
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
4617
+ semantic
4618
+ };
4619
+ }
4620
+ function safeJson(value) {
4621
+ try {
4622
+ return JSON.parse(value);
4623
+ } catch {
4624
+ return value.slice(0, 1e3);
4625
+ }
4626
+ }
4627
+ async function resolveClient(client) {
4628
+ if (client) return client;
4629
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
4630
+ return getClient2();
4631
+ }
4632
+ async function insertOntologyForMemory(row, client) {
4633
+ const db = await resolveClient(client);
4634
+ const occurredAt = row.timestamp;
4635
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
4636
+ const eventType = inferOntologyEventType(row);
4637
+ const intention = inferIntention(row);
4638
+ const outcome = inferOutcome(row);
4639
+ const eventId = stableId2("event", row.id);
4640
+ const now = (/* @__PURE__ */ new Date()).toISOString();
4641
+ await db.execute({
4642
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
4643
+ VALUES (?, ?, ?, ?, ?, 1, ?)
4644
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
4645
+ event_count = event_count + 1`,
4646
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
4647
+ });
4648
+ await db.execute({
4649
+ sql: `INSERT OR IGNORE INTO agent_events
4650
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
4651
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
4652
+ impact, payload, created_at)
4653
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
4654
+ args: [
4655
+ eventId,
4656
+ eventType,
4657
+ occurredAt,
4658
+ sequence,
4659
+ row.agent_id,
4660
+ row.agent_role,
4661
+ row.project_name,
4662
+ row.session_id,
4663
+ row.task_id ?? null,
4664
+ intention,
4665
+ outcome,
4666
+ row.id,
4667
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
4668
+ JSON.stringify(ontologyPayload(row)),
4669
+ now
4670
+ ]
4671
+ });
4672
+ const semantic = inferSemanticLabel(row);
4673
+ await db.execute({
4674
+ sql: `INSERT INTO agent_semantic_labels
4675
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
4676
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
4677
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
4678
+ labels = excluded.labels, updated_at = excluded.updated_at`,
4679
+ args: [
4680
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
4681
+ row.id,
4682
+ eventId,
4683
+ semantic.labeler,
4684
+ semantic.schemaVersion,
4685
+ semantic.confidence,
4686
+ JSON.stringify(semantic),
4687
+ now,
4688
+ now
4689
+ ]
4690
+ });
4691
+ for (const statement of extractGoalCandidates(row)) {
4692
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
4693
+ await db.execute({
4694
+ sql: `INSERT INTO agent_goals
4695
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
4696
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
4697
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
4698
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
4699
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
4700
+ });
4701
+ await db.execute({
4702
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4703
+ (id, goal_id, link_type, target_id, target_type, created_at)
4704
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
4705
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
4706
+ });
4707
+ await db.execute({
4708
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4709
+ (id, goal_id, link_type, target_id, target_type, created_at)
4710
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
4711
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
4712
+ });
4713
+ }
4714
+ }
4715
+ async function insertOntologyForBatch(rows, client) {
4716
+ const db = await resolveClient(client);
4717
+ let count = 0;
4718
+ for (const row of rows) {
4719
+ try {
4720
+ await insertOntologyForMemory(row, db);
4721
+ count++;
4722
+ } catch {
4723
+ }
4724
+ }
4725
+ return count;
4726
+ }
4727
+ var init_agentic_ontology = __esm({
4728
+ "src/lib/agentic-ontology.ts"() {
4729
+ "use strict";
4730
+ }
4731
+ });
4732
+
4230
4733
  // src/lib/store.ts
4231
4734
  var store_exports = {};
4232
4735
  __export(store_exports, {
@@ -4570,6 +5073,11 @@ async function flushBatch() {
4570
5073
  await insertMemoryCardsForBatch2(batch);
4571
5074
  } catch {
4572
5075
  }
5076
+ try {
5077
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
5078
+ await insertOntologyForBatch2(batch);
5079
+ } catch {
5080
+ }
4573
5081
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
4574
5082
  _pendingRecords.splice(0, batch.length);
4575
5083
  try {