@askexenow/exe-os 0.9.65 → 0.9.67

Files changed (113)
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
@@ -205,6 +205,11 @@ function normalizeAutoUpdate(raw) {
205
205
  const userAU = raw.autoUpdate ?? {};
206
206
  raw.autoUpdate = { ...defaultAU, ...userAU };
207
207
  }
208
+ function normalizeOrchestration(raw) {
209
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
210
+ const userOrg = raw.orchestration ?? {};
211
+ raw.orchestration = { ...defaultOrg, ...userOrg };
212
+ }
208
213
  async function loadConfig() {
209
214
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
210
215
  await ensurePrivateDir(dir);
@@ -229,10 +234,15 @@ async function loadConfig() {
229
234
  normalizeScalingRoadmap(migratedCfg);
230
235
  normalizeSessionLifecycle(migratedCfg);
231
236
  normalizeAutoUpdate(migratedCfg);
237
+ normalizeOrchestration(migratedCfg);
232
238
  const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
233
239
  if (config.dbPath.startsWith("~")) {
234
240
  config.dbPath = config.dbPath.replace(/^~/, os.homedir());
235
241
  }
242
+ const envDbPath = path.join(dir, "memories.db");
243
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
244
+ config.dbPath = envDbPath;
245
+ }
236
246
  return config;
237
247
  } catch {
238
248
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
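Review bot: The new `EXE_OS_DIR` fallback swaps a configured `dbPath` for `<dir>/memories.db` silently whenever the configured file does not exist yet, so a deliberately new database location is ignored and nothing records which file the process actually opened. Emit one line when the switch happens, for example `process.stderr.write(`[config] dbPath ${config.dbPath} not found; using ${envDbPath}\n`);` placed just before the assignment. The same block is added to loadConfigSync in the next hunk; a shared helper taking `(config, dir)` would keep the two copies from drifting. The tilde expansion that loadConfigSync now also gains, `replace(/^~/, os.homedir())`, rewrites `~user/...` into the current user's home plus `user/...`; anchoring it as `/^~(?=$|\/)/` limits it to the bare tilde. loadConfig begins outside this hunk.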
@@ -252,7 +262,16 @@ function loadConfigSync() {
252
262
  normalizeScalingRoadmap(migratedCfg);
253
263
  normalizeSessionLifecycle(migratedCfg);
254
264
  normalizeAutoUpdate(migratedCfg);
255
- return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
265
+ normalizeOrchestration(migratedCfg);
266
+ const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
267
+ if (config.dbPath.startsWith("~")) {
268
+ config.dbPath = config.dbPath.replace(/^~/, os.homedir());
269
+ }
270
+ const envDbPath = path.join(dir, "memories.db");
271
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
272
+ config.dbPath = envDbPath;
273
+ }
274
+ return config;
256
275
  } catch {
257
276
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
258
277
  }
@@ -273,6 +292,7 @@ async function loadConfigFrom(configPath) {
273
292
  normalizeScalingRoadmap(migratedCfg);
274
293
  normalizeSessionLifecycle(migratedCfg);
275
294
  normalizeAutoUpdate(migratedCfg);
295
+ normalizeOrchestration(migratedCfg);
276
296
  return { ...DEFAULT_CONFIG, ...migratedCfg };
277
297
  } catch {
278
298
  return { ...DEFAULT_CONFIG };
@@ -344,6 +364,10 @@ var init_config = __esm({
344
364
  checkOnBoot: true,
345
365
  autoInstall: false,
346
366
  checkIntervalMs: 24 * 60 * 60 * 1e3
367
+ },
368
+ orchestration: {
369
+ phase: "phase_1_coo",
370
+ phaseSetBy: "default"
347
371
  }
348
372
  };
349
373
  CONFIG_MIGRATIONS = [
@@ -1833,6 +1857,9 @@ function getClient() {
1833
1857
  if (_daemonClient && _daemonClient._isDaemonActive()) {
1834
1858
  return _daemonClient;
1835
1859
  }
1860
+ if (!_resilientClient) {
1861
+ return _adapterClient;
1862
+ }
1836
1863
  return _resilientClient;
1837
1864
  }
1838
1865
  async function initDaemonClient() {
@@ -2865,6 +2892,127 @@ async function ensureSchema() {
2865
2892
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
2866
2893
  END;
2867
2894
  `);
2895
+ await client.executeMultiple(`
2896
+ CREATE TABLE IF NOT EXISTS agent_sessions (
2897
+ id TEXT PRIMARY KEY,
2898
+ agent_id TEXT NOT NULL,
2899
+ project_name TEXT,
2900
+ started_at TEXT NOT NULL,
2901
+ last_event_at TEXT NOT NULL,
2902
+ event_count INTEGER NOT NULL DEFAULT 0,
2903
+ properties TEXT DEFAULT '{}'
2904
+ );
2905
+
2906
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
2907
+ ON agent_sessions(agent_id, started_at);
2908
+
2909
+ CREATE TABLE IF NOT EXISTS agent_goals (
2910
+ id TEXT PRIMARY KEY,
2911
+ statement TEXT NOT NULL,
2912
+ owner_agent_id TEXT,
2913
+ project_name TEXT,
2914
+ status TEXT NOT NULL DEFAULT 'open',
2915
+ priority INTEGER NOT NULL DEFAULT 5,
2916
+ success_criteria TEXT,
2917
+ parent_goal_id TEXT,
2918
+ due_at TEXT,
2919
+ achieved_at TEXT,
2920
+ supersedes_id TEXT,
2921
+ created_at TEXT NOT NULL,
2922
+ updated_at TEXT NOT NULL,
2923
+ source_memory_id TEXT
2924
+ );
2925
+
2926
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
2927
+ ON agent_goals(project_name, status, priority);
2928
+
2929
+ CREATE TABLE IF NOT EXISTS agent_events (
2930
+ id TEXT PRIMARY KEY,
2931
+ event_type TEXT NOT NULL,
2932
+ occurred_at TEXT NOT NULL,
2933
+ sequence_index INTEGER NOT NULL,
2934
+ actor_agent_id TEXT,
2935
+ agent_role TEXT,
2936
+ project_name TEXT,
2937
+ session_id TEXT,
2938
+ task_id TEXT,
2939
+ goal_id TEXT,
2940
+ parent_event_id TEXT,
2941
+ intention TEXT,
2942
+ outcome TEXT,
2943
+ evidence_memory_id TEXT,
2944
+ impact TEXT,
2945
+ payload TEXT DEFAULT '{}',
2946
+ created_at TEXT NOT NULL
2947
+ );
2948
+
2949
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
2950
+ ON agent_events(occurred_at, sequence_index);
2951
+
2952
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
2953
+ ON agent_events(session_id, sequence_index);
2954
+
2955
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
2956
+ ON agent_events(goal_id, occurred_at);
2957
+
2958
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
2959
+ ON agent_events(evidence_memory_id);
2960
+
2961
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
2962
+ id TEXT PRIMARY KEY,
2963
+ goal_id TEXT NOT NULL,
2964
+ link_type TEXT NOT NULL,
2965
+ target_id TEXT NOT NULL,
2966
+ target_type TEXT NOT NULL,
2967
+ created_at TEXT NOT NULL
2968
+ );
2969
+
2970
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
2971
+ ON agent_goal_links(goal_id, target_type);
2972
+
2973
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
2974
+ id TEXT PRIMARY KEY,
2975
+ source_memory_id TEXT NOT NULL,
2976
+ event_id TEXT,
2977
+ labeler TEXT NOT NULL,
2978
+ schema_version INTEGER NOT NULL DEFAULT 1,
2979
+ confidence REAL NOT NULL DEFAULT 0,
2980
+ labels TEXT NOT NULL,
2981
+ created_at TEXT NOT NULL,
2982
+ updated_at TEXT NOT NULL
2983
+ );
2984
+
2985
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
2986
+ ON agent_semantic_labels(source_memory_id, labeler);
2987
+
2988
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
2989
+ ON agent_semantic_labels(event_id);
2990
+
2991
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
2992
+ id TEXT PRIMARY KEY,
2993
+ project_name TEXT,
2994
+ session_id TEXT,
2995
+ window_start_at TEXT NOT NULL,
2996
+ window_end_at TEXT NOT NULL,
2997
+ event_count INTEGER NOT NULL DEFAULT 0,
2998
+ goal_count INTEGER NOT NULL DEFAULT 0,
2999
+ success_count INTEGER NOT NULL DEFAULT 0,
3000
+ failure_count INTEGER NOT NULL DEFAULT 0,
3001
+ risk_count INTEGER NOT NULL DEFAULT 0,
3002
+ summary TEXT NOT NULL,
3003
+ learnings TEXT NOT NULL DEFAULT '[]',
3004
+ next_actions TEXT NOT NULL DEFAULT '[]',
3005
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
3006
+ confidence REAL NOT NULL DEFAULT 0,
3007
+ created_at TEXT NOT NULL
3008
+ );
3009
+
3010
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
3011
+ ON agent_reflection_checkpoints(project_name, window_end_at);
3012
+
3013
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
3014
+ ON agent_reflection_checkpoints(session_id, window_end_at);
3015
+ `);
2868
3016
  try {
2869
3017
  await client.execute({
2870
3018
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
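Review bot: The new `agent_*` tables reference each other only by convention: `goal_id`, `session_id`, `parent_event_id`, `event_id` and `source_memory_id` are plain `TEXT` with no `REFERENCES`, so orphaned rows are possible if these tables are later read as a record of agent actions. `idx_agent_semantic_labels_memory` on `(source_memory_id, labeler)` is not unique, so a repeated backfill can add a second label row for the same memory unless row ids are deterministic, which this hunk does not show. The JSON-bearing columns (`properties`, `payload`, `labels`, `learnings`, `next_actions`, `evidence_event_ids`) accept any text; a short SQL comment per table naming the expected shape, such as `-- payload: JSON object`, would document the contract. ensureSchema starts and continues outside the hunk.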
@@ -3014,7 +3162,7 @@ var init_database = __esm({
3014
3162
 
3015
3163
  // src/lib/keychain.ts
3016
3164
  import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
3017
- import { existsSync as existsSync6 } from "fs";
3165
+ import { existsSync as existsSync6, statSync as statSync2 } from "fs";
3018
3166
  import { execSync as execSync2 } from "child_process";
3019
3167
  import path6 from "path";
3020
3168
  import os5 from "os";
@@ -3024,29 +3172,78 @@ function getKeyDir() {
3024
3172
  function getKeyPath() {
3025
3173
  return path6.join(getKeyDir(), "master.key");
3026
3174
  }
3027
- function macKeychainGet() {
3175
+ function nativeKeychainAllowed() {
3176
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
3177
+ }
3178
+ function linuxSecretAvailable() {
3179
+ if (!nativeKeychainAllowed()) return false;
3180
+ if (process.platform !== "linux") return false;
3181
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
3182
+ try {
3183
+ execSync2("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
3184
+ } catch {
3185
+ linuxSecretAvailability = false;
3186
+ return false;
3187
+ }
3188
+ try {
3189
+ execSync2("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
3190
+ linuxSecretAvailability = true;
3191
+ } catch {
3192
+ linuxSecretAvailability = false;
3193
+ }
3194
+ return linuxSecretAvailability;
3195
+ }
3196
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
3197
+ if (process.platform !== "linux") return false;
3198
+ try {
3199
+ const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
3200
+ const st = statSync2(keyPath);
3201
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
3202
+ if (uid === 0) return true;
3203
+ const exeOsDir = process.env.EXE_OS_DIR;
3204
+ return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
3205
+ } catch {
3206
+ return false;
3207
+ }
3208
+ }
3209
+ function macKeychainGet(service = SERVICE) {
3210
+ if (!nativeKeychainAllowed()) return null;
3028
3211
  if (process.platform !== "darwin") return null;
3029
3212
  try {
3030
3213
  return execSync2(
3031
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
3214
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
3032
3215
  { encoding: "utf-8", timeout: 5e3 }
3033
3216
  ).trim();
3034
3217
  } catch {
3035
3218
  return null;
3036
3219
  }
3037
3220
  }
3038
- function macKeychainSet(value) {
3221
+ function macKeychainSet(value, service = SERVICE) {
3222
+ if (!nativeKeychainAllowed()) return false;
3039
3223
  if (process.platform !== "darwin") return false;
3040
3224
  try {
3041
3225
  try {
3042
3226
  execSync2(
3043
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
3227
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3044
3228
  { timeout: 5e3 }
3045
3229
  );
3046
3230
  } catch {
3047
3231
  }
3048
3232
  execSync2(
3049
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
3233
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
3234
+ { timeout: 5e3 }
3235
+ );
3236
+ return true;
3237
+ } catch {
3238
+ return false;
3239
+ }
3240
+ }
3241
+ function macKeychainDelete(service = SERVICE) {
3242
+ if (!nativeKeychainAllowed()) return false;
3243
+ if (process.platform !== "darwin") return false;
3244
+ try {
3245
+ execSync2(
3246
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3050
3247
  { timeout: 5e3 }
3051
3248
  );
3052
3249
  return true;
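Review bot: `isRootOnlyTrustedServerKeyFile` rejects group/other permission bits with `(st.mode & 63) !== 0` but never compares `st.uid` with the current user, so a mode-0600 file owned by another account passes, and for a non-root process the only further condition is that the path sits under `EXE_OS_DIR`, which is read from the environment. Consider `if (!st.isFile() || st.uid !== uid || (st.mode & 63) !== 0) return false;` (adjusted if root is meant to read a service account's key) and spell the mask `0o077` so the intent is readable. `statSync2` follows symlinks while the prefix test uses the unresolved path, so the two checks can describe different files. The name says root-only although a non-root branch exists; a docstring listing both accepted cases, and noting that a later hunk uses a `true` result to return the plaintext key without migrating it to the keychain, would make the trust decision explicit.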
@@ -3054,22 +3251,35 @@ function macKeychainSet(value) {
3054
3251
  return false;
3055
3252
  }
3056
3253
  }
3057
- function linuxSecretGet() {
3058
- if (process.platform !== "linux") return null;
3254
+ function linuxSecretGet(service = SERVICE) {
3255
+ if (!linuxSecretAvailable()) return null;
3059
3256
  try {
3060
3257
  return execSync2(
3061
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
3258
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3062
3259
  { encoding: "utf-8", timeout: 5e3 }
3063
3260
  ).trim();
3064
3261
  } catch {
3065
3262
  return null;
3066
3263
  }
3067
3264
  }
3068
- function linuxSecretSet(value) {
3265
+ function linuxSecretSet(value, service = SERVICE) {
3266
+ if (!linuxSecretAvailable()) return false;
3267
+ try {
3268
+ execSync2(
3269
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3270
+ { timeout: 5e3 }
3271
+ );
3272
+ return true;
3273
+ } catch {
3274
+ return false;
3275
+ }
3276
+ }
3277
+ function linuxSecretDelete(service = SERVICE) {
3278
+ if (!nativeKeychainAllowed()) return false;
3069
3279
  if (process.platform !== "linux") return false;
3070
3280
  try {
3071
3281
  execSync2(
3072
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
3282
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3073
3283
  { timeout: 5e3 }
3074
3284
  );
3075
3285
  return true;
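Review bot: `linuxSecretSet` still builds `echo -n "${value}" | secret-tool store …` as one shell string, so the master key is part of the spawned shell's command line, and the newly added `service` parameter is interpolated into that string as well. `execSync` accepts an `input` option, so the secret can go to stdin instead: `execSync2(`secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`, { input: value, timeout: 5e3 });`. The callers visible on this page pass only the `SERVICE`/`LEGACY_SERVICE` constants and a base64 value, so shell metacharacters are presumably not reachable today, but a comment on the `service` parameter saying it must be a trusted constant would keep it that way. `macKeychainSet` in the previous hunk has the same pattern with `-w "${value}"`.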
@@ -3078,6 +3288,7 @@ function linuxSecretSet(value) {
3078
3288
  }
3079
3289
  }
3080
3290
  async function tryKeytar() {
3291
+ if (!nativeKeychainAllowed()) return null;
3081
3292
  try {
3082
3293
  return await import("keytar");
3083
3294
  } catch {
@@ -3151,7 +3362,19 @@ async function writeMachineBoundFileFallback(b64) {
3151
3362
  return "plaintext";
3152
3363
  }
3153
3364
  async function getMasterKey() {
3154
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
3365
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
3366
+ if (!nativeValue) {
3367
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
3368
+ if (legacyValue) {
3369
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
3370
+ if (migrated) {
3371
+ macKeychainDelete(LEGACY_SERVICE);
3372
+ linuxSecretDelete(LEGACY_SERVICE);
3373
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
3374
+ }
3375
+ nativeValue = legacyValue;
3376
+ }
3377
+ }
3155
3378
  if (nativeValue) {
3156
3379
  return Buffer.from(nativeValue, "base64");
3157
3380
  }
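Review bot: The legacy `exe-mem` entry is deleted as soon as `macKeychainSet`/`linuxSecretSet` reports success, without reading the new `exe-os` entry back, so a store that returned success but did not persist the value leaves no copy of the master key in the keychain. Compare before deleting, for example `if (migrated && (macKeychainGet() ?? linuxSecretGet()) === legacyValue) {` around the two delete calls. The keytar branch in the next hunk calls `keytar.deletePassword(LEGACY_SERVICE, ACCOUNT)` under the same `migrated` condition even when the value was found under `SERVICE` rather than the legacy name, and its empty `catch` hides a failed delete. getMasterKey continues outside this hunk.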
@@ -3159,12 +3382,17 @@ async function getMasterKey() {
3159
3382
  if (keytar) {
3160
3383
  try {
3161
3384
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
3162
- if (keytarValue) {
3163
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
3385
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
3386
+ if (legacyKeytarValue) {
3387
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
3164
3388
  if (migrated) {
3165
3389
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
3390
+ try {
3391
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
3392
+ } catch {
3393
+ }
3166
3394
  }
3167
- return Buffer.from(keytarValue, "base64");
3395
+ return Buffer.from(legacyKeytarValue, "base64");
3168
3396
  }
3169
3397
  } catch {
3170
3398
  }
@@ -3189,7 +3417,7 @@ async function getMasterKey() {
3189
3417
  const decrypted = decryptWithMachineKey(content, machineKey);
3190
3418
  if (!decrypted) {
3191
3419
  process.stderr.write(
3192
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
3420
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
3193
3421
  );
3194
3422
  return null;
3195
3423
  }
@@ -3198,6 +3426,9 @@ async function getMasterKey() {
3198
3426
  b64Value = content;
3199
3427
  }
3200
3428
  const key = Buffer.from(b64Value, "base64");
3429
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
3430
+ return key;
3431
+ }
3201
3432
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
3202
3433
  if (migrated) {
3203
3434
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -3225,12 +3456,14 @@ async function getMasterKey() {
3225
3456
  return null;
3226
3457
  }
3227
3458
  }
3228
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
3459
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
3229
3460
  var init_keychain = __esm({
3230
3461
  "src/lib/keychain.ts"() {
3231
3462
  "use strict";
3232
- SERVICE = "exe-mem";
3463
+ SERVICE = "exe-os";
3464
+ LEGACY_SERVICE = "exe-mem";
3233
3465
  ACCOUNT = "master-key";
3466
+ linuxSecretAvailability = null;
3234
3467
  ENCRYPTED_PREFIX = "enc:";
3235
3468
  }
3236
3469
  });
@@ -3500,7 +3733,7 @@ __export(shard_manager_exports, {
3500
3733
  shardExists: () => shardExists
3501
3734
  });
3502
3735
  import path7 from "path";
3503
- import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync2 } from "fs";
3736
+ import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync3 } from "fs";
3504
3737
  import { createClient as createClient2 } from "@libsql/client";
3505
3738
  function initShardManager(encryptionKey) {
3506
3739
  _encryptionKey = encryptionKey;
@@ -3564,7 +3797,7 @@ async function auditShardHealth(options = {}) {
3564
3797
  const shards = [];
3565
3798
  for (const name of names) {
3566
3799
  const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
3567
- const stat = statSync2(dbPath);
3800
+ const stat = statSync3(dbPath);
3568
3801
  const item = {
3569
3802
  name,
3570
3803
  path: dbPath,
@@ -3817,7 +4050,7 @@ async function getReadyShardClient(projectName) {
3817
4050
  _shardLastAccess.delete(safeName);
3818
4051
  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
3819
4052
  if (existsSync7(dbPath)) {
3820
- const stat = statSync2(dbPath);
4053
+ const stat = statSync3(dbPath);
3821
4054
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
3822
4055
  const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
3823
4056
  renameSync3(dbPath, archivedPath);
@@ -3937,6 +4170,12 @@ var init_platform_procedures = __esm({
3937
4170
  priority: "p0",
3938
4171
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
3939
4172
  },
4173
+ {
4174
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
4175
+ domain: "workflow",
4176
+ priority: "p1",
4177
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
4178
+ },
3940
4179
  {
3941
4180
  title: "Single dispatch path \u2014 create_task only",
3942
4181
  domain: "workflow",
@@ -3995,6 +4234,12 @@ var init_platform_procedures = __esm({
3995
4234
  priority: "p0",
3996
4235
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
3997
4236
  },
4237
+ {
4238
+ title: "Commit discipline \u2014 never leave verified work floating",
4239
+ domain: "workflow",
4240
+ priority: "p1",
4241
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
4242
+ },
3998
4243
  {
3999
4244
  title: "Desktop and TUI are the same product",
4000
4245
  domain: "architecture",
@@ -4312,6 +4557,274 @@ var init_memory_cards = __esm({
4312
4557
  }
4313
4558
  });
4314
4559
 
4560
+ // src/lib/agentic-ontology.ts
4561
+ var agentic_ontology_exports = {};
4562
+ __export(agentic_ontology_exports, {
4563
+ clean: () => clean,
4564
+ extractGoalCandidates: () => extractGoalCandidates,
4565
+ inferIntention: () => inferIntention,
4566
+ inferOntologyEventType: () => inferOntologyEventType,
4567
+ inferOutcome: () => inferOutcome,
4568
+ inferSemanticLabel: () => inferSemanticLabel,
4569
+ insertOntologyForBatch: () => insertOntologyForBatch,
4570
+ insertOntologyForMemory: () => insertOntologyForMemory,
4571
+ ontologyPayload: () => ontologyPayload,
4572
+ stableId: () => stableId2
4573
+ });
4574
+ import { createHash as createHash3 } from "crypto";
4575
+ function stableId2(...parts) {
4576
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
4577
+ }
4578
+ function clean(text, max = 240) {
4579
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
4580
+ }
4581
+ function inferOntologyEventType(row) {
4582
+ const lower = row.raw_text.toLowerCase();
4583
+ if (row.has_error) return "error";
4584
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
4585
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
4586
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
4587
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
4588
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
4589
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
4590
+ return "memory_observation";
4591
+ }
4592
+ function inferIntention(row) {
4593
+ if (row.intent) return clean(row.intent, 220);
4594
+ const text = clean(row.raw_text, 1e3);
4595
+ const patterns = [
4596
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
4597
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
4598
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
4599
+ ];
4600
+ for (const p of patterns) {
4601
+ const m = text.match(p);
4602
+ if (m?.[1]) return clean(m[1], 220);
4603
+ }
4604
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
4605
+ return `${row.tool_name} during ${row.project_name}`;
4606
+ }
4607
+ return null;
4608
+ }
4609
+ function inferOutcome(row) {
4610
+ if (row.outcome) return clean(row.outcome, 220);
4611
+ if (row.has_error) return "error";
4612
+ const lower = row.raw_text.toLowerCase();
4613
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
4614
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
4615
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
4616
+ return null;
4617
+ }
4618
+ function extractGoalCandidates(row) {
4619
+ const text = clean(row.raw_text, 1600);
4620
+ const patterns = [
4621
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
4622
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
4623
+ ];
4624
+ const out = [];
4625
+ for (const pattern of patterns) {
4626
+ for (const m of text.matchAll(pattern)) {
4627
+ const candidate = clean(m[1] ?? "", 220);
4628
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
4629
+ if (out.length >= 3) return out;
4630
+ }
4631
+ }
4632
+ return out;
4633
+ }
4634
+ function uniq(values, max = 6) {
4635
+ const out = [];
4636
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
4637
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
4638
+ if (out.length >= max) break;
4639
+ }
4640
+ return out;
4641
+ }
4642
+ function extractMatches(text, patterns, max = 5) {
4643
+ const out = [];
4644
+ for (const pattern of patterns) {
4645
+ for (const match of text.matchAll(pattern)) {
4646
+ const value = match[1] ?? match[0];
4647
+ if (value) out.push(value);
4648
+ if (out.length >= max) return uniq(out, max);
4649
+ }
4650
+ }
4651
+ return uniq(out, max);
4652
+ }
4653
+ function inferSemanticLabel(row) {
4654
+ const text = clean(row.raw_text, 2400);
4655
+ const eventType = inferOntologyEventType(row);
4656
+ const intention = inferIntention(row);
4657
+ const outcome = inferOutcome(row);
4658
+ const goals = extractGoalCandidates(row);
4659
+ const milestones = extractMatches(text, [
4660
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
4661
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
4662
+ ]);
4663
+ const problems = extractMatches(text, [
4664
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
4665
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
4666
+ ]);
4667
+ const decisions = extractMatches(text, [
4668
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
4669
+ ]);
4670
+ const temporalAnchors = extractMatches(text, [
4671
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
4672
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
4673
+ ], 8);
4674
+ const nextActions = extractMatches(text, [
4675
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
4676
+ ]);
4677
+ const actors = uniq([
4678
+ row.agent_id,
4679
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
4680
+ ], 6);
4681
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
4682
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
4683
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
4684
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
4685
+ return {
4686
+ labeler: "deterministic",
4687
+ schemaVersion: 1,
4688
+ eventType,
4689
+ intention,
4690
+ outcome,
4691
+ impact,
4692
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
4693
+ goals,
4694
+ milestones,
4695
+ problems,
4696
+ decisions,
4697
+ actors,
4698
+ temporalAnchors,
4699
+ successSignals,
4700
+ failureSignals,
4701
+ nextActions,
4702
+ summary: clean(text, 280)
4703
+ };
4704
+ }
4705
+ function ontologyPayload(row) {
4706
+ const semantic = inferSemanticLabel(row);
4707
+ return {
4708
+ tool_name: row.tool_name,
4709
+ memory_version: row.version ?? null,
4710
+ domain: row.domain ?? null,
4711
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
4712
+ semantic
4713
+ };
4714
+ }
4715
+ function safeJson(value) {
4716
+ try {
4717
+ return JSON.parse(value);
4718
+ } catch {
4719
+ return value.slice(0, 1e3);
4720
+ }
4721
+ }
4722
+ async function resolveClient(client) {
4723
+ if (client) return client;
4724
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
4725
+ return getClient2();
4726
+ }
4727
+ async function insertOntologyForMemory(row, client) {
4728
+ const db = await resolveClient(client);
4729
+ const occurredAt = row.timestamp;
4730
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
4731
+ const eventType = inferOntologyEventType(row);
4732
+ const intention = inferIntention(row);
4733
+ const outcome = inferOutcome(row);
4734
+ const eventId = stableId2("event", row.id);
4735
+ const now = (/* @__PURE__ */ new Date()).toISOString();
4736
+ await db.execute({
4737
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
4738
+ VALUES (?, ?, ?, ?, ?, 1, ?)
4739
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
4740
+ event_count = event_count + 1`,
4741
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
4742
+ });
4743
+ await db.execute({
4744
+ sql: `INSERT OR IGNORE INTO agent_events
4745
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
4746
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
4747
+ impact, payload, created_at)
4748
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
4749
+ args: [
4750
+ eventId,
4751
+ eventType,
4752
+ occurredAt,
4753
+ sequence,
4754
+ row.agent_id,
4755
+ row.agent_role,
4756
+ row.project_name,
4757
+ row.session_id,
4758
+ row.task_id ?? null,
4759
+ intention,
4760
+ outcome,
4761
+ row.id,
4762
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
4763
+ JSON.stringify(ontologyPayload(row)),
4764
+ now
4765
+ ]
4766
+ });
4767
+ const semantic = inferSemanticLabel(row);
4768
+ await db.execute({
4769
+ sql: `INSERT INTO agent_semantic_labels
4770
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
4771
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
4772
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
4773
+ labels = excluded.labels, updated_at = excluded.updated_at`,
4774
+ args: [
4775
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
4776
+ row.id,
4777
+ eventId,
4778
+ semantic.labeler,
4779
+ semantic.schemaVersion,
4780
+ semantic.confidence,
4781
+ JSON.stringify(semantic),
4782
+ now,
4783
+ now
4784
+ ]
4785
+ });
4786
+ for (const statement of extractGoalCandidates(row)) {
4787
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
4788
+ await db.execute({
4789
+ sql: `INSERT INTO agent_goals
4790
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
4791
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
4792
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
4793
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
4794
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
4795
+ });
4796
+ await db.execute({
4797
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4798
+ (id, goal_id, link_type, target_id, target_type, created_at)
4799
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
4800
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
4801
+ });
4802
+ await db.execute({
4803
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4804
+ (id, goal_id, link_type, target_id, target_type, created_at)
4805
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
4806
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
4807
+ });
4808
+ }
4809
+ }
4810
+ async function insertOntologyForBatch(rows, client) {
4811
+ const db = await resolveClient(client);
4812
+ let count = 0;
4813
+ for (const row of rows) {
4814
+ try {
4815
+ await insertOntologyForMemory(row, db);
4816
+ count++;
4817
+ } catch {
4818
+ }
4819
+ }
4820
+ return count;
4821
+ }
4822
+ var init_agentic_ontology = __esm({
4823
+ "src/lib/agentic-ontology.ts"() {
4824
+ "use strict";
4825
+ }
4826
+ });
4827
+
4315
4828
  // src/lib/store.ts
4316
4829
  var store_exports = {};
4317
4830
  __export(store_exports, {
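Review bot: `insertOntologyForMemory` bumps `agent_sessions.event_count` on every call, but the `agent_events` row it counts is written with `INSERT OR IGNORE` under a stable id, so handling the same memory row twice inflates the counter without adding an event. The session, event, label and goal writes are separate `db.execute` calls with no transaction, and `insertOntologyForBatch` drops any error in an empty `catch {}` (the new `try` in the `flushBatch` hunk below does the same), so a failure partway through leaves partial rows and no trace. A row with a missing `raw_text` or `tool_name` fails this way too, because `inferOntologyEventType` dereferences both unguarded. I would bump `event_count` only when the event insert actually added a row, and make the catch leave a record that names the row but not its text, e.g. `} catch (err) { console.warn("ontology insert skipped for " + row.id + ": " + err.message); }` or the project's own logger.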
@@ -4655,6 +5168,11 @@ async function flushBatch() {
4655
5168
  await insertMemoryCardsForBatch2(batch);
4656
5169
  } catch {
4657
5170
  }
5171
+ try {
5172
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
5173
+ await insertOntologyForBatch2(batch);
5174
+ } catch {
5175
+ }
4658
5176
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
4659
5177
  _pendingRecords.splice(0, batch.length);
4660
5178
  try {
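Review bot: The added `insertOntologyForBatch2(batch)` call hands every row of the batch to the labeler regardless of where its text came from, and `extractGoalCandidates` then turns any `need to …` / `we should …` phrase in `raw_text` into an `agent_goals` row with status `'open'` owned by `row.agent_id`. If `raw_text` on rows with a `tool_name` such as `Read` or `Bash` carries tool output (not visible here), text the agent merely read would be stored as that agent's goal. Should these goals later be shown back to agents, that is a persistence path for injected instructions. I would skip goal extraction for tool-sourced rows, or store the source with the goal so consumers can tell authored intent from observed text. `flushBatch` starts and ends outside this hunk.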