@askexenow/exe-os 0.9.65 → 0.9.67

Files changed (113)
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
@@ -135,6 +135,11 @@ function normalizeAutoUpdate(raw) {
135
135
  const userAU = raw.autoUpdate ?? {};
136
136
  raw.autoUpdate = { ...defaultAU, ...userAU };
137
137
  }
138
+ function normalizeOrchestration(raw) {
139
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
140
+ const userOrg = raw.orchestration ?? {};
141
+ raw.orchestration = { ...defaultOrg, ...userOrg };
142
+ }
138
143
  async function loadConfig() {
139
144
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
140
145
  await ensurePrivateDir(dir);
@@ -159,10 +164,15 @@ async function loadConfig() {
159
164
  normalizeScalingRoadmap(migratedCfg);
160
165
  normalizeSessionLifecycle(migratedCfg);
161
166
  normalizeAutoUpdate(migratedCfg);
167
+ normalizeOrchestration(migratedCfg);
162
168
  const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
163
169
  if (config.dbPath.startsWith("~")) {
164
170
  config.dbPath = config.dbPath.replace(/^~/, os.homedir());
165
171
  }
172
+ const envDbPath = path.join(dir, "memories.db");
173
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
174
+ config.dbPath = envDbPath;
175
+ }
166
176
  return config;
167
177
  } catch {
168
178
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
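Review bot: The new fallback replaces a configured `dbPath` with `path.join(dir, "memories.db")` without any message, so a mistyped path or an unmounted volume silently opens a different database instead of surfacing the misconfiguration. I would log the swap just before the assignment, e.g. `process.stderr.write("[config] dbPath " + config.dbPath + " not found; using " + envDbPath + "\n");`. The condition tests only `process.env.EXE_OS_DIR` although `dir` can also come from `EXE_MEM_DIR` or `EXE_AI_DIR`; if that is deliberate it deserves a one-line comment saying why. loadConfig starts and ends outside this hunk.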
@@ -234,6 +244,10 @@ var init_config = __esm({
234
244
  checkOnBoot: true,
235
245
  autoInstall: false,
236
246
  checkIntervalMs: 24 * 60 * 60 * 1e3
247
+ },
248
+ orchestration: {
249
+ phase: "phase_1_coo",
250
+ phaseSetBy: "default"
237
251
  }
238
252
  };
239
253
  CONFIG_MIGRATIONS = [
@@ -1756,6 +1770,9 @@ function getClient() {
1756
1770
  if (_daemonClient && _daemonClient._isDaemonActive()) {
1757
1771
  return _daemonClient;
1758
1772
  }
1773
+ if (!_resilientClient) {
1774
+ return _adapterClient;
1775
+ }
1759
1776
  return _resilientClient;
1760
1777
  }
1761
1778
  async function initDaemonClient() {
@@ -2788,6 +2805,127 @@ async function ensureSchema() {
2788
2805
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
2789
2806
  END;
2790
2807
  `);
2808
+ await client.executeMultiple(`
2809
+ CREATE TABLE IF NOT EXISTS agent_sessions (
2810
+ id TEXT PRIMARY KEY,
2811
+ agent_id TEXT NOT NULL,
2812
+ project_name TEXT,
2813
+ started_at TEXT NOT NULL,
2814
+ last_event_at TEXT NOT NULL,
2815
+ event_count INTEGER NOT NULL DEFAULT 0,
2816
+ properties TEXT DEFAULT '{}'
2817
+ );
2818
+
2819
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
2820
+ ON agent_sessions(agent_id, started_at);
2821
+
2822
+ CREATE TABLE IF NOT EXISTS agent_goals (
2823
+ id TEXT PRIMARY KEY,
2824
+ statement TEXT NOT NULL,
2825
+ owner_agent_id TEXT,
2826
+ project_name TEXT,
2827
+ status TEXT NOT NULL DEFAULT 'open',
2828
+ priority INTEGER NOT NULL DEFAULT 5,
2829
+ success_criteria TEXT,
2830
+ parent_goal_id TEXT,
2831
+ due_at TEXT,
2832
+ achieved_at TEXT,
2833
+ supersedes_id TEXT,
2834
+ created_at TEXT NOT NULL,
2835
+ updated_at TEXT NOT NULL,
2836
+ source_memory_id TEXT
2837
+ );
2838
+
2839
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
2840
+ ON agent_goals(project_name, status, priority);
2841
+
2842
+ CREATE TABLE IF NOT EXISTS agent_events (
2843
+ id TEXT PRIMARY KEY,
2844
+ event_type TEXT NOT NULL,
2845
+ occurred_at TEXT NOT NULL,
2846
+ sequence_index INTEGER NOT NULL,
2847
+ actor_agent_id TEXT,
2848
+ agent_role TEXT,
2849
+ project_name TEXT,
2850
+ session_id TEXT,
2851
+ task_id TEXT,
2852
+ goal_id TEXT,
2853
+ parent_event_id TEXT,
2854
+ intention TEXT,
2855
+ outcome TEXT,
2856
+ evidence_memory_id TEXT,
2857
+ impact TEXT,
2858
+ payload TEXT DEFAULT '{}',
2859
+ created_at TEXT NOT NULL
2860
+ );
2861
+
2862
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
2863
+ ON agent_events(occurred_at, sequence_index);
2864
+
2865
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
2866
+ ON agent_events(session_id, sequence_index);
2867
+
2868
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
2869
+ ON agent_events(goal_id, occurred_at);
2870
+
2871
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
2872
+ ON agent_events(evidence_memory_id);
2873
+
2874
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
2875
+ id TEXT PRIMARY KEY,
2876
+ goal_id TEXT NOT NULL,
2877
+ link_type TEXT NOT NULL,
2878
+ target_id TEXT NOT NULL,
2879
+ target_type TEXT NOT NULL,
2880
+ created_at TEXT NOT NULL
2881
+ );
2882
+
2883
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
2884
+ ON agent_goal_links(goal_id, target_type);
2885
+
2886
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
2887
+ id TEXT PRIMARY KEY,
2888
+ source_memory_id TEXT NOT NULL,
2889
+ event_id TEXT,
2890
+ labeler TEXT NOT NULL,
2891
+ schema_version INTEGER NOT NULL DEFAULT 1,
2892
+ confidence REAL NOT NULL DEFAULT 0,
2893
+ labels TEXT NOT NULL,
2894
+ created_at TEXT NOT NULL,
2895
+ updated_at TEXT NOT NULL
2896
+ );
2897
+
2898
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
2899
+ ON agent_semantic_labels(source_memory_id, labeler);
2900
+
2901
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
2902
+ ON agent_semantic_labels(event_id);
2903
+
2904
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
2905
+ id TEXT PRIMARY KEY,
2906
+ project_name TEXT,
2907
+ session_id TEXT,
2908
+ window_start_at TEXT NOT NULL,
2909
+ window_end_at TEXT NOT NULL,
2910
+ event_count INTEGER NOT NULL DEFAULT 0,
2911
+ goal_count INTEGER NOT NULL DEFAULT 0,
2912
+ success_count INTEGER NOT NULL DEFAULT 0,
2913
+ failure_count INTEGER NOT NULL DEFAULT 0,
2914
+ risk_count INTEGER NOT NULL DEFAULT 0,
2915
+ summary TEXT NOT NULL,
2916
+ learnings TEXT NOT NULL DEFAULT '[]',
2917
+ next_actions TEXT NOT NULL DEFAULT '[]',
2918
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
2919
+ confidence REAL NOT NULL DEFAULT 0,
2920
+ created_at TEXT NOT NULL
2921
+ );
2922
+
2923
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
2924
+ ON agent_reflection_checkpoints(project_name, window_end_at);
2925
+
2926
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
2927
+ ON agent_reflection_checkpoints(session_id, window_end_at);
2928
+ `);
2791
2929
  try {
2792
2930
  await client.execute({
2793
2931
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -2937,7 +3075,7 @@ var init_database = __esm({
2937
3075
 
2938
3076
  // src/lib/keychain.ts
2939
3077
  import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
2940
- import { existsSync as existsSync6 } from "fs";
3078
+ import { existsSync as existsSync6, statSync as statSync2 } from "fs";
2941
3079
  import { execSync as execSync2 } from "child_process";
2942
3080
  import path6 from "path";
2943
3081
  import os5 from "os";
@@ -2947,29 +3085,78 @@ function getKeyDir() {
2947
3085
  function getKeyPath() {
2948
3086
  return path6.join(getKeyDir(), "master.key");
2949
3087
  }
2950
- function macKeychainGet() {
3088
+ function nativeKeychainAllowed() {
3089
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
3090
+ }
3091
+ function linuxSecretAvailable() {
3092
+ if (!nativeKeychainAllowed()) return false;
3093
+ if (process.platform !== "linux") return false;
3094
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
3095
+ try {
3096
+ execSync2("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
3097
+ } catch {
3098
+ linuxSecretAvailability = false;
3099
+ return false;
3100
+ }
3101
+ try {
3102
+ execSync2("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
3103
+ linuxSecretAvailability = true;
3104
+ } catch {
3105
+ linuxSecretAvailability = false;
3106
+ }
3107
+ return linuxSecretAvailability;
3108
+ }
3109
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
3110
+ if (process.platform !== "linux") return false;
3111
+ try {
3112
+ const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
3113
+ const st = statSync2(keyPath);
3114
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
3115
+ if (uid === 0) return true;
3116
+ const exeOsDir = process.env.EXE_OS_DIR;
3117
+ return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
3118
+ } catch {
3119
+ return false;
3120
+ }
3121
+ }
3122
+ function macKeychainGet(service = SERVICE) {
3123
+ if (!nativeKeychainAllowed()) return null;
2951
3124
  if (process.platform !== "darwin") return null;
2952
3125
  try {
2953
3126
  return execSync2(
2954
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
3127
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
2955
3128
  { encoding: "utf-8", timeout: 5e3 }
2956
3129
  ).trim();
2957
3130
  } catch {
2958
3131
  return null;
2959
3132
  }
2960
3133
  }
2961
- function macKeychainSet(value) {
3134
+ function macKeychainSet(value, service = SERVICE) {
3135
+ if (!nativeKeychainAllowed()) return false;
2962
3136
  if (process.platform !== "darwin") return false;
2963
3137
  try {
2964
3138
  try {
2965
3139
  execSync2(
2966
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
3140
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
2967
3141
  { timeout: 5e3 }
2968
3142
  );
2969
3143
  } catch {
2970
3144
  }
2971
3145
  execSync2(
2972
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
3146
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
3147
+ { timeout: 5e3 }
3148
+ );
3149
+ return true;
3150
+ } catch {
3151
+ return false;
3152
+ }
3153
+ }
3154
+ function macKeychainDelete(service = SERVICE) {
3155
+ if (!nativeKeychainAllowed()) return false;
3156
+ if (process.platform !== "darwin") return false;
3157
+ try {
3158
+ execSync2(
3159
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
2973
3160
  { timeout: 5e3 }
2974
3161
  );
2975
3162
  return true;
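Review bot: The new `service` parameter is interpolated into a shell string in `macKeychainGet`, `macKeychainSet` and `macKeychainDelete` (and in `linuxSecretGet`, `linuxSecretSet` and `linuxSecretDelete` in the next hunk), so it is shell-interpreted if a caller ever passes anything other than a constant; the callers visible in this diff pass only `SERVICE` and `LEGACY_SERVICE`. `macKeychainSet` and `linuxSecretSet` also put the master key itself into the command string (`-w "${value}"`, `echo -n "${value}"`), which `execSync` hands to `sh -c`, so the key sits in a process argument list while the command runs. Prefer an argument array with no shell and the secret on stdin where the tool allows it, e.g. `execFileSync("secret-tool", ["store", "--label=exe-os master key", "service", service, "account", ACCOUNT], { input: value, timeout: 5e3 })`; this needs `execFileSync` added to the `child_process` import. macKeychainDelete's body continues outside the hunk.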
@@ -2977,22 +3164,35 @@ function macKeychainSet(value) {
2977
3164
  return false;
2978
3165
  }
2979
3166
  }
2980
- function linuxSecretGet() {
2981
- if (process.platform !== "linux") return null;
3167
+ function linuxSecretGet(service = SERVICE) {
3168
+ if (!linuxSecretAvailable()) return null;
2982
3169
  try {
2983
3170
  return execSync2(
2984
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
3171
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
2985
3172
  { encoding: "utf-8", timeout: 5e3 }
2986
3173
  ).trim();
2987
3174
  } catch {
2988
3175
  return null;
2989
3176
  }
2990
3177
  }
2991
- function linuxSecretSet(value) {
3178
+ function linuxSecretSet(value, service = SERVICE) {
3179
+ if (!linuxSecretAvailable()) return false;
3180
+ try {
3181
+ execSync2(
3182
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3183
+ { timeout: 5e3 }
3184
+ );
3185
+ return true;
3186
+ } catch {
3187
+ return false;
3188
+ }
3189
+ }
3190
+ function linuxSecretDelete(service = SERVICE) {
3191
+ if (!nativeKeychainAllowed()) return false;
2992
3192
  if (process.platform !== "linux") return false;
2993
3193
  try {
2994
3194
  execSync2(
2995
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
3195
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
2996
3196
  { timeout: 5e3 }
2997
3197
  );
2998
3198
  return true;
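Review bot: `linuxSecretGet` and `linuxSecretSet` now depend on `linuxSecretAvailable()`, whose probe (defined in the previous hunk) caches `false` for the life of the process after a 1 s timeout or any non-zero exit, with no message. A keyring that is locked or slow to answer therefore looks the same as no keyring, and the master key presumably ends up on the file path handled by `writeMachineBoundFileFallback`. I would write one stderr line when the probe fails, e.g. `process.stderr.write("[keychain] secret-tool probe failed; native keyring disabled for this process.\n");`, so the downgrade shows up in logs. `linuxSecretDelete` skips the probe and checks only the platform, which is inconsistent with the other two helpers; its body continues outside the hunk.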
@@ -3001,6 +3201,7 @@ function linuxSecretSet(value) {
3001
3201
  }
3002
3202
  }
3003
3203
  async function tryKeytar() {
3204
+ if (!nativeKeychainAllowed()) return null;
3004
3205
  try {
3005
3206
  return await import("keytar");
3006
3207
  } catch {
@@ -3074,7 +3275,19 @@ async function writeMachineBoundFileFallback(b64) {
3074
3275
  return "plaintext";
3075
3276
  }
3076
3277
  async function getMasterKey() {
3077
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
3278
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
3279
+ if (!nativeValue) {
3280
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
3281
+ if (legacyValue) {
3282
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
3283
+ if (migrated) {
3284
+ macKeychainDelete(LEGACY_SERVICE);
3285
+ linuxSecretDelete(LEGACY_SERVICE);
3286
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
3287
+ }
3288
+ nativeValue = legacyValue;
3289
+ }
3290
+ }
3078
3291
  if (nativeValue) {
3079
3292
  return Buffer.from(nativeValue, "base64");
3080
3293
  }
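Review bot: The legacy entry is deleted as soon as `macKeychainSet` or `linuxSecretSet` reports success, without reading the new entry back, and the value at stake is the master key. If the store call exits 0 but the value cannot be retrieved under `SERVICE`, later runs find neither entry in the native keychain. I would gate the deletion on a read-back, `if (migrated && (macKeychainGet() ?? linuxSecretGet()) === legacyValue) {`. The return values of `macKeychainDelete` and `linuxSecretDelete` are ignored here, so the "Migrated" line is printed even when the legacy copy is still present; that case deserves its own log line. getMasterKey starts and ends outside the hunk.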
@@ -3082,12 +3295,17 @@ async function getMasterKey() {
3082
3295
  if (keytar) {
3083
3296
  try {
3084
3297
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
3085
- if (keytarValue) {
3086
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
3298
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
3299
+ if (legacyKeytarValue) {
3300
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
3087
3301
  if (migrated) {
3088
3302
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
3303
+ try {
3304
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
3305
+ } catch {
3306
+ }
3089
3307
  }
3090
- return Buffer.from(keytarValue, "base64");
3308
+ return Buffer.from(legacyKeytarValue, "base64");
3091
3309
  }
3092
3310
  } catch {
3093
3311
  }
@@ -3112,7 +3330,7 @@ async function getMasterKey() {
3112
3330
  const decrypted = decryptWithMachineKey(content, machineKey);
3113
3331
  if (!decrypted) {
3114
3332
  process.stderr.write(
3115
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
3333
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
3116
3334
  );
3117
3335
  return null;
3118
3336
  }
@@ -3121,6 +3339,9 @@ async function getMasterKey() {
3121
3339
  b64Value = content;
3122
3340
  }
3123
3341
  const key = Buffer.from(b64Value, "base64");
3342
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
3343
+ return key;
3344
+ }
3124
3345
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
3125
3346
  if (migrated) {
3126
3347
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
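Review bot: The early return on `isRootOnlyTrustedServerKeyFile(keyPath)` accepts a plaintext key file on mode bits and location alone: the helper added earlier in this diff tests `(st.mode & 63) !== 0` but never compares `st.uid` with the current uid, and for a non-root process it returns true for any such file under `EXE_OS_DIR`, which comes from the environment. `statSync` follows symlinks, so the inode that was checked may not live in that directory. I would add the owner test in the helper and spell the mask in octal, `if (!st.isFile() || (st.mode & 0o077) !== 0 || st.uid !== uid) return false;`. A short comment on this branch should also say that it deliberately leaves the key on disk and skips the keychain migration below. getMasterKey starts and ends outside the hunk.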
@@ -3148,12 +3369,14 @@ async function getMasterKey() {
3148
3369
  return null;
3149
3370
  }
3150
3371
  }
3151
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
3372
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
3152
3373
  var init_keychain = __esm({
3153
3374
  "src/lib/keychain.ts"() {
3154
3375
  "use strict";
3155
- SERVICE = "exe-mem";
3376
+ SERVICE = "exe-os";
3377
+ LEGACY_SERVICE = "exe-mem";
3156
3378
  ACCOUNT = "master-key";
3379
+ linuxSecretAvailability = null;
3157
3380
  ENCRYPTED_PREFIX = "enc:";
3158
3381
  }
3159
3382
  });
@@ -3423,7 +3646,7 @@ __export(shard_manager_exports, {
3423
3646
  shardExists: () => shardExists
3424
3647
  });
3425
3648
  import path7 from "path";
3426
- import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync2 } from "fs";
3649
+ import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync3 } from "fs";
3427
3650
  import { createClient as createClient2 } from "@libsql/client";
3428
3651
  function initShardManager(encryptionKey) {
3429
3652
  _encryptionKey = encryptionKey;
@@ -3487,7 +3710,7 @@ async function auditShardHealth(options = {}) {
3487
3710
  const shards = [];
3488
3711
  for (const name of names) {
3489
3712
  const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
3490
- const stat = statSync2(dbPath);
3713
+ const stat = statSync3(dbPath);
3491
3714
  const item = {
3492
3715
  name,
3493
3716
  path: dbPath,
@@ -3740,7 +3963,7 @@ async function getReadyShardClient(projectName) {
3740
3963
  _shardLastAccess.delete(safeName);
3741
3964
  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
3742
3965
  if (existsSync7(dbPath)) {
3743
- const stat = statSync2(dbPath);
3966
+ const stat = statSync3(dbPath);
3744
3967
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
3745
3968
  const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
3746
3969
  renameSync3(dbPath, archivedPath);
@@ -3860,6 +4083,12 @@ var init_platform_procedures = __esm({
3860
4083
  priority: "p0",
3861
4084
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
3862
4085
  },
4086
+ {
4087
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
4088
+ domain: "workflow",
4089
+ priority: "p1",
4090
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
4091
+ },
3863
4092
  {
3864
4093
  title: "Single dispatch path \u2014 create_task only",
3865
4094
  domain: "workflow",
@@ -3918,6 +4147,12 @@ var init_platform_procedures = __esm({
3918
4147
  priority: "p0",
3919
4148
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
3920
4149
  },
4150
+ {
4151
+ title: "Commit discipline \u2014 never leave verified work floating",
4152
+ domain: "workflow",
4153
+ priority: "p1",
4154
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
4155
+ },
3921
4156
  {
3922
4157
  title: "Desktop and TUI are the same product",
3923
4158
  domain: "architecture",
@@ -4235,6 +4470,274 @@ var init_memory_cards = __esm({
4235
4470
  }
4236
4471
  });
4237
4472
 
4473
+ // src/lib/agentic-ontology.ts
4474
+ var agentic_ontology_exports = {};
4475
+ __export(agentic_ontology_exports, {
4476
+ clean: () => clean,
4477
+ extractGoalCandidates: () => extractGoalCandidates,
4478
+ inferIntention: () => inferIntention,
4479
+ inferOntologyEventType: () => inferOntologyEventType,
4480
+ inferOutcome: () => inferOutcome,
4481
+ inferSemanticLabel: () => inferSemanticLabel,
4482
+ insertOntologyForBatch: () => insertOntologyForBatch,
4483
+ insertOntologyForMemory: () => insertOntologyForMemory,
4484
+ ontologyPayload: () => ontologyPayload,
4485
+ stableId: () => stableId2
4486
+ });
4487
+ import { createHash as createHash3 } from "crypto";
4488
+ function stableId2(...parts) {
4489
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
4490
+ }
4491
+ function clean(text, max = 240) {
4492
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
4493
+ }
4494
+ function inferOntologyEventType(row) {
4495
+ const lower = row.raw_text.toLowerCase();
4496
+ if (row.has_error) return "error";
4497
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
4498
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
4499
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
4500
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
4501
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
4502
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
4503
+ return "memory_observation";
4504
+ }
4505
+ function inferIntention(row) {
4506
+ if (row.intent) return clean(row.intent, 220);
4507
+ const text = clean(row.raw_text, 1e3);
4508
+ const patterns = [
4509
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
4510
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
4511
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
4512
+ ];
4513
+ for (const p of patterns) {
4514
+ const m = text.match(p);
4515
+ if (m?.[1]) return clean(m[1], 220);
4516
+ }
4517
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
4518
+ return `${row.tool_name} during ${row.project_name}`;
4519
+ }
4520
+ return null;
4521
+ }
4522
+ function inferOutcome(row) {
4523
+ if (row.outcome) return clean(row.outcome, 220);
4524
+ if (row.has_error) return "error";
4525
+ const lower = row.raw_text.toLowerCase();
4526
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
4527
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
4528
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
4529
+ return null;
4530
+ }
4531
+ function extractGoalCandidates(row) {
4532
+ const text = clean(row.raw_text, 1600);
4533
+ const patterns = [
4534
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
4535
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
4536
+ ];
4537
+ const out = [];
4538
+ for (const pattern of patterns) {
4539
+ for (const m of text.matchAll(pattern)) {
4540
+ const candidate = clean(m[1] ?? "", 220);
4541
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
4542
+ if (out.length >= 3) return out;
4543
+ }
4544
+ }
4545
+ return out;
4546
+ }
4547
+ function uniq(values, max = 6) {
4548
+ const out = [];
4549
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
4550
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
4551
+ if (out.length >= max) break;
4552
+ }
4553
+ return out;
4554
+ }
4555
+ function extractMatches(text, patterns, max = 5) {
4556
+ const out = [];
4557
+ for (const pattern of patterns) {
4558
+ for (const match of text.matchAll(pattern)) {
4559
+ const value = match[1] ?? match[0];
4560
+ if (value) out.push(value);
4561
+ if (out.length >= max) return uniq(out, max);
4562
+ }
4563
+ }
4564
+ return uniq(out, max);
4565
+ }
4566
+ function inferSemanticLabel(row) {
4567
+ const text = clean(row.raw_text, 2400);
4568
+ const eventType = inferOntologyEventType(row);
4569
+ const intention = inferIntention(row);
4570
+ const outcome = inferOutcome(row);
4571
+ const goals = extractGoalCandidates(row);
4572
+ const milestones = extractMatches(text, [
4573
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
4574
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
4575
+ ]);
4576
+ const problems = extractMatches(text, [
4577
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
4578
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
4579
+ ]);
4580
+ const decisions = extractMatches(text, [
4581
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
4582
+ ]);
4583
+ const temporalAnchors = extractMatches(text, [
4584
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
4585
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
4586
+ ], 8);
4587
+ const nextActions = extractMatches(text, [
4588
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
4589
+ ]);
4590
+ const actors = uniq([
4591
+ row.agent_id,
4592
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
4593
+ ], 6);
4594
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
4595
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
4596
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
4597
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
4598
+ return {
4599
+ labeler: "deterministic",
4600
+ schemaVersion: 1,
4601
+ eventType,
4602
+ intention,
4603
+ outcome,
4604
+ impact,
4605
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
4606
+ goals,
4607
+ milestones,
4608
+ problems,
4609
+ decisions,
4610
+ actors,
4611
+ temporalAnchors,
4612
+ successSignals,
4613
+ failureSignals,
4614
+ nextActions,
4615
+ summary: clean(text, 280)
4616
+ };
4617
+ }
4618
+ function ontologyPayload(row) {
4619
+ const semantic = inferSemanticLabel(row);
4620
+ return {
4621
+ tool_name: row.tool_name,
4622
+ memory_version: row.version ?? null,
4623
+ domain: row.domain ?? null,
4624
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
4625
+ semantic
4626
+ };
4627
+ }
4628
+ function safeJson(value) {
4629
+ try {
4630
+ return JSON.parse(value);
4631
+ } catch {
4632
+ return value.slice(0, 1e3);
4633
+ }
4634
+ }
4635
+ async function resolveClient(client) {
4636
+ if (client) return client;
4637
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
4638
+ return getClient2();
4639
+ }
4640
+ async function insertOntologyForMemory(row, client) {
4641
+ const db = await resolveClient(client);
4642
+ const occurredAt = row.timestamp;
4643
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
4644
+ const eventType = inferOntologyEventType(row);
4645
+ const intention = inferIntention(row);
4646
+ const outcome = inferOutcome(row);
4647
+ const eventId = stableId2("event", row.id);
4648
+ const now = (/* @__PURE__ */ new Date()).toISOString();
4649
+ await db.execute({
4650
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
4651
+ VALUES (?, ?, ?, ?, ?, 1, ?)
4652
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
4653
+ event_count = event_count + 1`,
4654
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
4655
+ });
4656
+ await db.execute({
4657
+ sql: `INSERT OR IGNORE INTO agent_events
4658
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
4659
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
4660
+ impact, payload, created_at)
4661
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
4662
+ args: [
4663
+ eventId,
4664
+ eventType,
4665
+ occurredAt,
4666
+ sequence,
4667
+ row.agent_id,
4668
+ row.agent_role,
4669
+ row.project_name,
4670
+ row.session_id,
4671
+ row.task_id ?? null,
4672
+ intention,
4673
+ outcome,
4674
+ row.id,
4675
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
4676
+ JSON.stringify(ontologyPayload(row)),
4677
+ now
4678
+ ]
4679
+ });
4680
+ const semantic = inferSemanticLabel(row);
4681
+ await db.execute({
4682
+ sql: `INSERT INTO agent_semantic_labels
4683
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
4684
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
4685
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
4686
+ labels = excluded.labels, updated_at = excluded.updated_at`,
4687
+ args: [
4688
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
4689
+ row.id,
4690
+ eventId,
4691
+ semantic.labeler,
4692
+ semantic.schemaVersion,
4693
+ semantic.confidence,
4694
+ JSON.stringify(semantic),
4695
+ now,
4696
+ now
4697
+ ]
4698
+ });
4699
+ for (const statement of extractGoalCandidates(row)) {
4700
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
4701
+ await db.execute({
4702
+ sql: `INSERT INTO agent_goals
4703
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
4704
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
4705
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
4706
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
4707
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
4708
+ });
4709
+ await db.execute({
4710
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4711
+ (id, goal_id, link_type, target_id, target_type, created_at)
4712
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
4713
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
4714
+ });
4715
+ await db.execute({
4716
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4717
+ (id, goal_id, link_type, target_id, target_type, created_at)
4718
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
4719
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
4720
+ });
4721
+ }
4722
+ }
4723
+ async function insertOntologyForBatch(rows, client) {
4724
+ const db = await resolveClient(client);
4725
+ let count = 0;
4726
+ for (const row of rows) {
4727
+ try {
4728
+ await insertOntologyForMemory(row, db);
4729
+ count++;
4730
+ } catch {
4731
+ }
4732
+ }
4733
+ return count;
4734
+ }
4735
+ var init_agentic_ontology = __esm({
4736
+ "src/lib/agentic-ontology.ts"() {
4737
+ "use strict";
4738
+ }
4739
+ });
4740
+
4238
4741
  // src/lib/store.ts
4239
4742
  var store_exports = {};
4240
4743
  __export(store_exports, {
@@ -4578,6 +5081,11 @@ async function flushBatch() {
4578
5081
  await insertMemoryCardsForBatch2(batch);
4579
5082
  } catch {
4580
5083
  }
5084
+ try {
5085
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
5086
+ await insertOntologyForBatch2(batch);
5087
+ } catch {
5088
+ }
4581
5089
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
4582
5090
  _pendingRecords.splice(0, batch.length);
4583
5091
  try {
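Review bot: The added `try { … } catch { }` around `insertOntologyForBatch2(batch)` (new lines 5084–5088) discards every failure, and the count that `insertOntologyForBatch` returns is dropped as well, so a batch whose ontology rows were never written looks the same as one that succeeded. `insertOntologyForBatch` in the preceding hunk already swallows per-row errors with its own empty `catch`, so a failing `db.execute` would leave `agent_events` and `agent_semantic_labels` without rows for memories that were stored, with nothing logged. Staying best-effort is reasonable here, but bind the error and record it, for example `} catch (err) { console.warn("ontology insert failed:", err?.message); }` (or the project's own logger, if it has one), and compare the returned count with `batch.length` so partial writes are visible. The body of `flushBatch` starts and ends outside this hunk, so any later handling is not visible from here.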