@askexenow/exe-os 0.9.65 → 0.9.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
package/dist/bin/scan-tasks.js CHANGED
@@ -454,6 +454,11 @@ function normalizeAutoUpdate(raw) {
454
454
  const userAU = raw.autoUpdate ?? {};
455
455
  raw.autoUpdate = { ...defaultAU, ...userAU };
456
456
  }
457
+ function normalizeOrchestration(raw) {
458
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
459
+ const userOrg = raw.orchestration ?? {};
460
+ raw.orchestration = { ...defaultOrg, ...userOrg };
461
+ }
457
462
  async function loadConfig() {
458
463
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
459
464
  await ensurePrivateDir(dir);
@@ -478,10 +483,15 @@ async function loadConfig() {
478
483
  normalizeScalingRoadmap(migratedCfg);
479
484
  normalizeSessionLifecycle(migratedCfg);
480
485
  normalizeAutoUpdate(migratedCfg);
486
+ normalizeOrchestration(migratedCfg);
481
487
  const config = { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
482
488
  if (config.dbPath.startsWith("~")) {
483
489
  config.dbPath = config.dbPath.replace(/^~/, os2.homedir());
484
490
  }
491
+ const envDbPath = path2.join(dir, "memories.db");
492
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync3(config.dbPath) && existsSync3(envDbPath)) {
493
+ config.dbPath = envDbPath;
494
+ }
485
495
  return config;
486
496
  } catch {
487
497
  return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
@@ -501,7 +511,16 @@ function loadConfigSync() {
501
511
  normalizeScalingRoadmap(migratedCfg);
502
512
  normalizeSessionLifecycle(migratedCfg);
503
513
  normalizeAutoUpdate(migratedCfg);
504
- return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
514
+ normalizeOrchestration(migratedCfg);
515
+ const config = { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
516
+ if (config.dbPath.startsWith("~")) {
517
+ config.dbPath = config.dbPath.replace(/^~/, os2.homedir());
518
+ }
519
+ const envDbPath = path2.join(dir, "memories.db");
520
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync3(config.dbPath) && existsSync3(envDbPath)) {
521
+ config.dbPath = envDbPath;
522
+ }
523
+ return config;
505
524
  } catch {
506
525
  return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
507
526
  }
@@ -522,6 +541,7 @@ async function loadConfigFrom(configPath) {
522
541
  normalizeScalingRoadmap(migratedCfg);
523
542
  normalizeSessionLifecycle(migratedCfg);
524
543
  normalizeAutoUpdate(migratedCfg);
544
+ normalizeOrchestration(migratedCfg);
525
545
  return { ...DEFAULT_CONFIG, ...migratedCfg };
526
546
  } catch {
527
547
  return { ...DEFAULT_CONFIG };
@@ -593,6 +613,10 @@ var init_config = __esm({
593
613
  checkOnBoot: true,
594
614
  autoInstall: false,
595
615
  checkIntervalMs: 24 * 60 * 60 * 1e3
616
+ },
617
+ orchestration: {
618
+ phase: "phase_1_coo",
619
+ phaseSetBy: "default"
596
620
  }
597
621
  };
598
622
  CONFIG_MIGRATIONS = [
@@ -2325,6 +2349,9 @@ function getClient() {
2325
2349
  if (_daemonClient && _daemonClient._isDaemonActive()) {
2326
2350
  return _daemonClient;
2327
2351
  }
2352
+ if (!_resilientClient) {
2353
+ return _adapterClient;
2354
+ }
2328
2355
  return _resilientClient;
2329
2356
  }
2330
2357
  async function initDaemonClient() {
@@ -3357,6 +3384,127 @@ async function ensureSchema() {
3357
3384
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
3358
3385
  END;
3359
3386
  `);
3387
+ await client.executeMultiple(`
3388
+ CREATE TABLE IF NOT EXISTS agent_sessions (
3389
+ id TEXT PRIMARY KEY,
3390
+ agent_id TEXT NOT NULL,
3391
+ project_name TEXT,
3392
+ started_at TEXT NOT NULL,
3393
+ last_event_at TEXT NOT NULL,
3394
+ event_count INTEGER NOT NULL DEFAULT 0,
3395
+ properties TEXT DEFAULT '{}'
3396
+ );
3397
+
3398
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
3399
+ ON agent_sessions(agent_id, started_at);
3400
+
3401
+ CREATE TABLE IF NOT EXISTS agent_goals (
3402
+ id TEXT PRIMARY KEY,
3403
+ statement TEXT NOT NULL,
3404
+ owner_agent_id TEXT,
3405
+ project_name TEXT,
3406
+ status TEXT NOT NULL DEFAULT 'open',
3407
+ priority INTEGER NOT NULL DEFAULT 5,
3408
+ success_criteria TEXT,
3409
+ parent_goal_id TEXT,
3410
+ due_at TEXT,
3411
+ achieved_at TEXT,
3412
+ supersedes_id TEXT,
3413
+ created_at TEXT NOT NULL,
3414
+ updated_at TEXT NOT NULL,
3415
+ source_memory_id TEXT
3416
+ );
3417
+
3418
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
3419
+ ON agent_goals(project_name, status, priority);
3420
+
3421
+ CREATE TABLE IF NOT EXISTS agent_events (
3422
+ id TEXT PRIMARY KEY,
3423
+ event_type TEXT NOT NULL,
3424
+ occurred_at TEXT NOT NULL,
3425
+ sequence_index INTEGER NOT NULL,
3426
+ actor_agent_id TEXT,
3427
+ agent_role TEXT,
3428
+ project_name TEXT,
3429
+ session_id TEXT,
3430
+ task_id TEXT,
3431
+ goal_id TEXT,
3432
+ parent_event_id TEXT,
3433
+ intention TEXT,
3434
+ outcome TEXT,
3435
+ evidence_memory_id TEXT,
3436
+ impact TEXT,
3437
+ payload TEXT DEFAULT '{}',
3438
+ created_at TEXT NOT NULL
3439
+ );
3440
+
3441
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
3442
+ ON agent_events(occurred_at, sequence_index);
3443
+
3444
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
3445
+ ON agent_events(session_id, sequence_index);
3446
+
3447
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
3448
+ ON agent_events(goal_id, occurred_at);
3449
+
3450
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
3451
+ ON agent_events(evidence_memory_id);
3452
+
3453
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
3454
+ id TEXT PRIMARY KEY,
3455
+ goal_id TEXT NOT NULL,
3456
+ link_type TEXT NOT NULL,
3457
+ target_id TEXT NOT NULL,
3458
+ target_type TEXT NOT NULL,
3459
+ created_at TEXT NOT NULL
3460
+ );
3461
+
3462
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
3463
+ ON agent_goal_links(goal_id, target_type);
3464
+
3465
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
3466
+ id TEXT PRIMARY KEY,
3467
+ source_memory_id TEXT NOT NULL,
3468
+ event_id TEXT,
3469
+ labeler TEXT NOT NULL,
3470
+ schema_version INTEGER NOT NULL DEFAULT 1,
3471
+ confidence REAL NOT NULL DEFAULT 0,
3472
+ labels TEXT NOT NULL,
3473
+ created_at TEXT NOT NULL,
3474
+ updated_at TEXT NOT NULL
3475
+ );
3476
+
3477
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
3478
+ ON agent_semantic_labels(source_memory_id, labeler);
3479
+
3480
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
3481
+ ON agent_semantic_labels(event_id);
3482
+
3483
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
3484
+ id TEXT PRIMARY KEY,
3485
+ project_name TEXT,
3486
+ session_id TEXT,
3487
+ window_start_at TEXT NOT NULL,
3488
+ window_end_at TEXT NOT NULL,
3489
+ event_count INTEGER NOT NULL DEFAULT 0,
3490
+ goal_count INTEGER NOT NULL DEFAULT 0,
3491
+ success_count INTEGER NOT NULL DEFAULT 0,
3492
+ failure_count INTEGER NOT NULL DEFAULT 0,
3493
+ risk_count INTEGER NOT NULL DEFAULT 0,
3494
+ summary TEXT NOT NULL,
3495
+ learnings TEXT NOT NULL DEFAULT '[]',
3496
+ next_actions TEXT NOT NULL DEFAULT '[]',
3497
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
3498
+ confidence REAL NOT NULL DEFAULT 0,
3499
+ created_at TEXT NOT NULL
3500
+ );
3501
+
3502
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
3503
+ ON agent_reflection_checkpoints(project_name, window_end_at);
3504
+
3505
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
3506
+ ON agent_reflection_checkpoints(session_id, window_end_at);
3507
+ `);
3360
3508
  try {
3361
3509
  await client.execute({
3362
3510
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -6747,7 +6895,7 @@ var init_task_scope = __esm({
6747
6895
 
6748
6896
  // src/lib/keychain.ts
6749
6897
  import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
6750
- import { existsSync as existsSync16 } from "fs";
6898
+ import { existsSync as existsSync16, statSync as statSync2 } from "fs";
6751
6899
  import { execSync as execSync7 } from "child_process";
6752
6900
  import path19 from "path";
6753
6901
  import os12 from "os";
@@ -6757,29 +6905,78 @@ function getKeyDir() {
6757
6905
  function getKeyPath() {
6758
6906
  return path19.join(getKeyDir(), "master.key");
6759
6907
  }
6760
- function macKeychainGet() {
6908
+ function nativeKeychainAllowed() {
6909
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
6910
+ }
6911
+ function linuxSecretAvailable() {
6912
+ if (!nativeKeychainAllowed()) return false;
6913
+ if (process.platform !== "linux") return false;
6914
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
6915
+ try {
6916
+ execSync7("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
6917
+ } catch {
6918
+ linuxSecretAvailability = false;
6919
+ return false;
6920
+ }
6921
+ try {
6922
+ execSync7("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
6923
+ linuxSecretAvailability = true;
6924
+ } catch {
6925
+ linuxSecretAvailability = false;
6926
+ }
6927
+ return linuxSecretAvailability;
6928
+ }
6929
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
6930
+ if (process.platform !== "linux") return false;
6931
+ try {
6932
+ const uid = typeof os12.userInfo().uid === "number" ? os12.userInfo().uid : -1;
6933
+ const st = statSync2(keyPath);
6934
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
6935
+ if (uid === 0) return true;
6936
+ const exeOsDir = process.env.EXE_OS_DIR;
6937
+ return Boolean(exeOsDir && path19.resolve(keyPath).startsWith(path19.resolve(exeOsDir) + path19.sep));
6938
+ } catch {
6939
+ return false;
6940
+ }
6941
+ }
6942
+ function macKeychainGet(service = SERVICE) {
6943
+ if (!nativeKeychainAllowed()) return null;
6761
6944
  if (process.platform !== "darwin") return null;
6762
6945
  try {
6763
6946
  return execSync7(
6764
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
6947
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
6765
6948
  { encoding: "utf-8", timeout: 5e3 }
6766
6949
  ).trim();
6767
6950
  } catch {
6768
6951
  return null;
6769
6952
  }
6770
6953
  }
6771
- function macKeychainSet(value) {
6954
+ function macKeychainSet(value, service = SERVICE) {
6955
+ if (!nativeKeychainAllowed()) return false;
6772
6956
  if (process.platform !== "darwin") return false;
6773
6957
  try {
6774
6958
  try {
6775
6959
  execSync7(
6776
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
6960
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
6777
6961
  { timeout: 5e3 }
6778
6962
  );
6779
6963
  } catch {
6780
6964
  }
6781
6965
  execSync7(
6782
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
6966
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
6967
+ { timeout: 5e3 }
6968
+ );
6969
+ return true;
6970
+ } catch {
6971
+ return false;
6972
+ }
6973
+ }
6974
+ function macKeychainDelete(service = SERVICE) {
6975
+ if (!nativeKeychainAllowed()) return false;
6976
+ if (process.platform !== "darwin") return false;
6977
+ try {
6978
+ execSync7(
6979
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
6783
6980
  { timeout: 5e3 }
6784
6981
  );
6785
6982
  return true;
@@ -6787,22 +6984,35 @@ function macKeychainSet(value) {
6787
6984
  return false;
6788
6985
  }
6789
6986
  }
6790
- function linuxSecretGet() {
6791
- if (process.platform !== "linux") return null;
6987
+ function linuxSecretGet(service = SERVICE) {
6988
+ if (!linuxSecretAvailable()) return null;
6792
6989
  try {
6793
6990
  return execSync7(
6794
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
6991
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
6795
6992
  { encoding: "utf-8", timeout: 5e3 }
6796
6993
  ).trim();
6797
6994
  } catch {
6798
6995
  return null;
6799
6996
  }
6800
6997
  }
6801
- function linuxSecretSet(value) {
6998
+ function linuxSecretSet(value, service = SERVICE) {
6999
+ if (!linuxSecretAvailable()) return false;
7000
+ try {
7001
+ execSync7(
7002
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
7003
+ { timeout: 5e3 }
7004
+ );
7005
+ return true;
7006
+ } catch {
7007
+ return false;
7008
+ }
7009
+ }
7010
+ function linuxSecretDelete(service = SERVICE) {
7011
+ if (!nativeKeychainAllowed()) return false;
6802
7012
  if (process.platform !== "linux") return false;
6803
7013
  try {
6804
7014
  execSync7(
6805
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
7015
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
6806
7016
  { timeout: 5e3 }
6807
7017
  );
6808
7018
  return true;
@@ -6811,6 +7021,7 @@ function linuxSecretSet(value) {
6811
7021
  }
6812
7022
  }
6813
7023
  async function tryKeytar() {
7024
+ if (!nativeKeychainAllowed()) return null;
6814
7025
  try {
6815
7026
  return await import("keytar");
6816
7027
  } catch {
@@ -6884,7 +7095,19 @@ async function writeMachineBoundFileFallback(b64) {
6884
7095
  return "plaintext";
6885
7096
  }
6886
7097
  async function getMasterKey() {
6887
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
7098
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
7099
+ if (!nativeValue) {
7100
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
7101
+ if (legacyValue) {
7102
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
7103
+ if (migrated) {
7104
+ macKeychainDelete(LEGACY_SERVICE);
7105
+ linuxSecretDelete(LEGACY_SERVICE);
7106
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
7107
+ }
7108
+ nativeValue = legacyValue;
7109
+ }
7110
+ }
6888
7111
  if (nativeValue) {
6889
7112
  return Buffer.from(nativeValue, "base64");
6890
7113
  }
@@ -6892,12 +7115,17 @@ async function getMasterKey() {
6892
7115
  if (keytar) {
6893
7116
  try {
6894
7117
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
6895
- if (keytarValue) {
6896
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
7118
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
7119
+ if (legacyKeytarValue) {
7120
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
6897
7121
  if (migrated) {
6898
7122
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
7123
+ try {
7124
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
7125
+ } catch {
7126
+ }
6899
7127
  }
6900
- return Buffer.from(keytarValue, "base64");
7128
+ return Buffer.from(legacyKeytarValue, "base64");
6901
7129
  }
6902
7130
  } catch {
6903
7131
  }
@@ -6922,7 +7150,7 @@ async function getMasterKey() {
6922
7150
  const decrypted = decryptWithMachineKey(content, machineKey);
6923
7151
  if (!decrypted) {
6924
7152
  process.stderr.write(
6925
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
7153
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
6926
7154
  );
6927
7155
  return null;
6928
7156
  }
@@ -6931,6 +7159,9 @@ async function getMasterKey() {
6931
7159
  b64Value = content;
6932
7160
  }
6933
7161
  const key = Buffer.from(b64Value, "base64");
7162
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
7163
+ return key;
7164
+ }
6934
7165
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
6935
7166
  if (migrated) {
6936
7167
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -6958,12 +7189,14 @@ async function getMasterKey() {
6958
7189
  return null;
6959
7190
  }
6960
7191
  }
6961
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
7192
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
6962
7193
  var init_keychain = __esm({
6963
7194
  "src/lib/keychain.ts"() {
6964
7195
  "use strict";
6965
- SERVICE = "exe-mem";
7196
+ SERVICE = "exe-os";
7197
+ LEGACY_SERVICE = "exe-mem";
6966
7198
  ACCOUNT = "master-key";
7199
+ linuxSecretAvailability = null;
6967
7200
  ENCRYPTED_PREFIX = "enc:";
6968
7201
  }
6969
7202
  });
@@ -7178,7 +7411,7 @@ __export(shard_manager_exports, {
7178
7411
  shardExists: () => shardExists
7179
7412
  });
7180
7413
  import path20 from "path";
7181
- import { existsSync as existsSync17, mkdirSync as mkdirSync8, readdirSync as readdirSync4, renameSync as renameSync4, statSync as statSync2 } from "fs";
7414
+ import { existsSync as existsSync17, mkdirSync as mkdirSync8, readdirSync as readdirSync4, renameSync as renameSync4, statSync as statSync3 } from "fs";
7182
7415
  import { createClient as createClient2 } from "@libsql/client";
7183
7416
  function initShardManager(encryptionKey) {
7184
7417
  _encryptionKey = encryptionKey;
@@ -7242,7 +7475,7 @@ async function auditShardHealth(options = {}) {
7242
7475
  const shards = [];
7243
7476
  for (const name of names) {
7244
7477
  const dbPath = path20.join(SHARDS_DIR, `${name}.db`);
7245
- const stat = statSync2(dbPath);
7478
+ const stat = statSync3(dbPath);
7246
7479
  const item = {
7247
7480
  name,
7248
7481
  path: dbPath,
@@ -7495,7 +7728,7 @@ async function getReadyShardClient(projectName) {
7495
7728
  _shardLastAccess.delete(safeName);
7496
7729
  const dbPath = path20.join(SHARDS_DIR, `${safeName}.db`);
7497
7730
  if (existsSync17(dbPath)) {
7498
- const stat = statSync2(dbPath);
7731
+ const stat = statSync3(dbPath);
7499
7732
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
7500
7733
  const archivedPath = path20.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
7501
7734
  renameSync4(dbPath, archivedPath);
@@ -7615,6 +7848,12 @@ var init_platform_procedures = __esm({
7615
7848
  priority: "p0",
7616
7849
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
7617
7850
  },
7851
+ {
7852
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
7853
+ domain: "workflow",
7854
+ priority: "p1",
7855
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
7856
+ },
7618
7857
  {
7619
7858
  title: "Single dispatch path \u2014 create_task only",
7620
7859
  domain: "workflow",
@@ -7673,6 +7912,12 @@ var init_platform_procedures = __esm({
7673
7912
  priority: "p0",
7674
7913
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
7675
7914
  },
7915
+ {
7916
+ title: "Commit discipline \u2014 never leave verified work floating",
7917
+ domain: "workflow",
7918
+ priority: "p1",
7919
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
7920
+ },
7676
7921
  {
7677
7922
  title: "Desktop and TUI are the same product",
7678
7923
  domain: "architecture",
@@ -7990,6 +8235,274 @@ var init_memory_cards = __esm({
7990
8235
  }
7991
8236
  });
7992
8237
 
8238
+ // src/lib/agentic-ontology.ts
8239
+ var agentic_ontology_exports = {};
8240
+ __export(agentic_ontology_exports, {
8241
+ clean: () => clean,
8242
+ extractGoalCandidates: () => extractGoalCandidates,
8243
+ inferIntention: () => inferIntention,
8244
+ inferOntologyEventType: () => inferOntologyEventType,
8245
+ inferOutcome: () => inferOutcome,
8246
+ inferSemanticLabel: () => inferSemanticLabel,
8247
+ insertOntologyForBatch: () => insertOntologyForBatch,
8248
+ insertOntologyForMemory: () => insertOntologyForMemory,
8249
+ ontologyPayload: () => ontologyPayload,
8250
+ stableId: () => stableId2
8251
+ });
8252
+ import { createHash as createHash3 } from "crypto";
8253
+ function stableId2(...parts) {
8254
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
8255
+ }
8256
+ function clean(text, max = 240) {
8257
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
8258
+ }
8259
+ function inferOntologyEventType(row) {
8260
+ const lower = row.raw_text.toLowerCase();
8261
+ if (row.has_error) return "error";
8262
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
8263
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
8264
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
8265
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
8266
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
8267
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
8268
+ return "memory_observation";
8269
+ }
8270
+ function inferIntention(row) {
8271
+ if (row.intent) return clean(row.intent, 220);
8272
+ const text = clean(row.raw_text, 1e3);
8273
+ const patterns = [
8274
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
8275
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
8276
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
8277
+ ];
8278
+ for (const p of patterns) {
8279
+ const m = text.match(p);
8280
+ if (m?.[1]) return clean(m[1], 220);
8281
+ }
8282
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
8283
+ return `${row.tool_name} during ${row.project_name}`;
8284
+ }
8285
+ return null;
8286
+ }
8287
+ function inferOutcome(row) {
8288
+ if (row.outcome) return clean(row.outcome, 220);
8289
+ if (row.has_error) return "error";
8290
+ const lower = row.raw_text.toLowerCase();
8291
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
8292
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
8293
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
8294
+ return null;
8295
+ }
8296
+ function extractGoalCandidates(row) {
8297
+ const text = clean(row.raw_text, 1600);
8298
+ const patterns = [
8299
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
8300
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
8301
+ ];
8302
+ const out = [];
8303
+ for (const pattern of patterns) {
8304
+ for (const m of text.matchAll(pattern)) {
8305
+ const candidate = clean(m[1] ?? "", 220);
8306
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
8307
+ if (out.length >= 3) return out;
8308
+ }
8309
+ }
8310
+ return out;
8311
+ }
8312
+ function uniq(values, max = 6) {
8313
+ const out = [];
8314
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
8315
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
8316
+ if (out.length >= max) break;
8317
+ }
8318
+ return out;
8319
+ }
8320
+ function extractMatches(text, patterns, max = 5) {
8321
+ const out = [];
8322
+ for (const pattern of patterns) {
8323
+ for (const match of text.matchAll(pattern)) {
8324
+ const value = match[1] ?? match[0];
8325
+ if (value) out.push(value);
8326
+ if (out.length >= max) return uniq(out, max);
8327
+ }
8328
+ }
8329
+ return uniq(out, max);
8330
+ }
8331
+ function inferSemanticLabel(row) {
8332
+ const text = clean(row.raw_text, 2400);
8333
+ const eventType = inferOntologyEventType(row);
8334
+ const intention = inferIntention(row);
8335
+ const outcome = inferOutcome(row);
8336
+ const goals = extractGoalCandidates(row);
8337
+ const milestones = extractMatches(text, [
8338
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
8339
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
8340
+ ]);
8341
+ const problems = extractMatches(text, [
8342
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
8343
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
8344
+ ]);
8345
+ const decisions = extractMatches(text, [
8346
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
8347
+ ]);
8348
+ const temporalAnchors = extractMatches(text, [
8349
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
8350
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
8351
+ ], 8);
8352
+ const nextActions = extractMatches(text, [
8353
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
8354
+ ]);
8355
+ const actors = uniq([
8356
+ row.agent_id,
8357
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
8358
+ ], 6);
8359
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
8360
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
8361
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
8362
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
8363
+ return {
8364
+ labeler: "deterministic",
8365
+ schemaVersion: 1,
8366
+ eventType,
8367
+ intention,
8368
+ outcome,
8369
+ impact,
8370
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
8371
+ goals,
8372
+ milestones,
8373
+ problems,
8374
+ decisions,
8375
+ actors,
8376
+ temporalAnchors,
8377
+ successSignals,
8378
+ failureSignals,
8379
+ nextActions,
8380
+ summary: clean(text, 280)
8381
+ };
8382
+ }
8383
+ function ontologyPayload(row) {
8384
+ const semantic = inferSemanticLabel(row);
8385
+ return {
8386
+ tool_name: row.tool_name,
8387
+ memory_version: row.version ?? null,
8388
+ domain: row.domain ?? null,
8389
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
8390
+ semantic
8391
+ };
8392
+ }
8393
+ function safeJson(value) {
8394
+ try {
8395
+ return JSON.parse(value);
8396
+ } catch {
8397
+ return value.slice(0, 1e3);
8398
+ }
8399
+ }
8400
+ async function resolveClient(client) {
8401
+ if (client) return client;
8402
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
8403
+ return getClient2();
8404
+ }
8405
+ async function insertOntologyForMemory(row, client) {
8406
+ const db = await resolveClient(client);
8407
+ const occurredAt = row.timestamp;
8408
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
8409
+ const eventType = inferOntologyEventType(row);
8410
+ const intention = inferIntention(row);
8411
+ const outcome = inferOutcome(row);
8412
+ const eventId = stableId2("event", row.id);
8413
+ const now = (/* @__PURE__ */ new Date()).toISOString();
8414
+ await db.execute({
8415
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
8416
+ VALUES (?, ?, ?, ?, ?, 1, ?)
8417
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
8418
+ event_count = event_count + 1`,
8419
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
8420
+ });
8421
+ await db.execute({
8422
+ sql: `INSERT OR IGNORE INTO agent_events
8423
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
8424
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
8425
+ impact, payload, created_at)
8426
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
8427
+ args: [
8428
+ eventId,
8429
+ eventType,
8430
+ occurredAt,
8431
+ sequence,
8432
+ row.agent_id,
8433
+ row.agent_role,
8434
+ row.project_name,
8435
+ row.session_id,
8436
+ row.task_id ?? null,
8437
+ intention,
8438
+ outcome,
8439
+ row.id,
8440
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
8441
+ JSON.stringify(ontologyPayload(row)),
8442
+ now
8443
+ ]
8444
+ });
8445
+ const semantic = inferSemanticLabel(row);
8446
+ await db.execute({
8447
+ sql: `INSERT INTO agent_semantic_labels
8448
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
8449
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
8450
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
8451
+ labels = excluded.labels, updated_at = excluded.updated_at`,
8452
+ args: [
8453
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
8454
+ row.id,
8455
+ eventId,
8456
+ semantic.labeler,
8457
+ semantic.schemaVersion,
8458
+ semantic.confidence,
8459
+ JSON.stringify(semantic),
8460
+ now,
8461
+ now
8462
+ ]
8463
+ });
8464
+ for (const statement of extractGoalCandidates(row)) {
8465
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
8466
+ await db.execute({
8467
+ sql: `INSERT INTO agent_goals
8468
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
8469
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
8470
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
8471
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
8472
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
8473
+ });
8474
+ await db.execute({
8475
+ sql: `INSERT OR IGNORE INTO agent_goal_links
8476
+ (id, goal_id, link_type, target_id, target_type, created_at)
8477
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
8478
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
8479
+ });
8480
+ await db.execute({
8481
+ sql: `INSERT OR IGNORE INTO agent_goal_links
8482
+ (id, goal_id, link_type, target_id, target_type, created_at)
8483
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
8484
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
8485
+ });
8486
+ }
8487
+ }
8488
+ async function insertOntologyForBatch(rows, client) {
8489
+ const db = await resolveClient(client);
8490
+ let count = 0;
8491
+ for (const row of rows) {
8492
+ try {
8493
+ await insertOntologyForMemory(row, db);
8494
+ count++;
8495
+ } catch {
8496
+ }
8497
+ }
8498
+ return count;
8499
+ }
8500
+ var init_agentic_ontology = __esm({
8501
+ "src/lib/agentic-ontology.ts"() {
8502
+ "use strict";
8503
+ }
8504
+ });
8505
+
7993
8506
  // src/lib/store.ts
7994
8507
  var store_exports = {};
7995
8508
  __export(store_exports, {
@@ -8333,6 +8846,11 @@ async function flushBatch() {
8333
8846
  await insertMemoryCardsForBatch2(batch);
8334
8847
  } catch {
8335
8848
  }
8849
+ try {
8850
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
8851
+ await insertOntologyForBatch2(batch);
8852
+ } catch {
8853
+ }
8336
8854
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
8337
8855
  _pendingRecords.splice(0, batch.length);
8338
8856
  try {