@askexenow/exe-os 0.9.65 → 0.9.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
@@ -123,6 +123,11 @@ function normalizeAutoUpdate(raw) {
123
123
  const userAU = raw.autoUpdate ?? {};
124
124
  raw.autoUpdate = { ...defaultAU, ...userAU };
125
125
  }
126
+ function normalizeOrchestration(raw) {
127
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
128
+ const userOrg = raw.orchestration ?? {};
129
+ raw.orchestration = { ...defaultOrg, ...userOrg };
130
+ }
126
131
  async function loadConfig() {
127
132
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
128
133
  await ensurePrivateDir(dir);
@@ -147,10 +152,15 @@ async function loadConfig() {
147
152
  normalizeScalingRoadmap(migratedCfg);
148
153
  normalizeSessionLifecycle(migratedCfg);
149
154
  normalizeAutoUpdate(migratedCfg);
155
+ normalizeOrchestration(migratedCfg);
150
156
  const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
151
157
  if (config.dbPath.startsWith("~")) {
152
158
  config.dbPath = config.dbPath.replace(/^~/, os.homedir());
153
159
  }
160
+ const envDbPath = path.join(dir, "memories.db");
161
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
162
+ config.dbPath = envDbPath;
163
+ }
154
164
  return config;
155
165
  } catch {
156
166
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
@@ -170,7 +180,16 @@ function loadConfigSync() {
170
180
  normalizeScalingRoadmap(migratedCfg);
171
181
  normalizeSessionLifecycle(migratedCfg);
172
182
  normalizeAutoUpdate(migratedCfg);
173
- return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
183
+ normalizeOrchestration(migratedCfg);
184
+ const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
185
+ if (config.dbPath.startsWith("~")) {
186
+ config.dbPath = config.dbPath.replace(/^~/, os.homedir());
187
+ }
188
+ const envDbPath = path.join(dir, "memories.db");
189
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
190
+ config.dbPath = envDbPath;
191
+ }
192
+ return config;
174
193
  } catch {
175
194
  return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
176
195
  }
@@ -241,6 +260,10 @@ var init_config = __esm({
241
260
  checkOnBoot: true,
242
261
  autoInstall: false,
243
262
  checkIntervalMs: 24 * 60 * 60 * 1e3
263
+ },
264
+ orchestration: {
265
+ phase: "phase_1_coo",
266
+ phaseSetBy: "default"
244
267
  }
245
268
  };
246
269
  CONFIG_MIGRATIONS = [
@@ -1902,6 +1925,9 @@ function getClient() {
1902
1925
  if (_daemonClient && _daemonClient._isDaemonActive()) {
1903
1926
  return _daemonClient;
1904
1927
  }
1928
+ if (!_resilientClient) {
1929
+ return _adapterClient;
1930
+ }
1905
1931
  return _resilientClient;
1906
1932
  }
1907
1933
  async function initDaemonClient() {
@@ -2934,6 +2960,127 @@ async function ensureSchema() {
2934
2960
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
2935
2961
  END;
2936
2962
  `);
2963
+ await client.executeMultiple(`
2964
+ CREATE TABLE IF NOT EXISTS agent_sessions (
2965
+ id TEXT PRIMARY KEY,
2966
+ agent_id TEXT NOT NULL,
2967
+ project_name TEXT,
2968
+ started_at TEXT NOT NULL,
2969
+ last_event_at TEXT NOT NULL,
2970
+ event_count INTEGER NOT NULL DEFAULT 0,
2971
+ properties TEXT DEFAULT '{}'
2972
+ );
2973
+
2974
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
2975
+ ON agent_sessions(agent_id, started_at);
2976
+
2977
+ CREATE TABLE IF NOT EXISTS agent_goals (
2978
+ id TEXT PRIMARY KEY,
2979
+ statement TEXT NOT NULL,
2980
+ owner_agent_id TEXT,
2981
+ project_name TEXT,
2982
+ status TEXT NOT NULL DEFAULT 'open',
2983
+ priority INTEGER NOT NULL DEFAULT 5,
2984
+ success_criteria TEXT,
2985
+ parent_goal_id TEXT,
2986
+ due_at TEXT,
2987
+ achieved_at TEXT,
2988
+ supersedes_id TEXT,
2989
+ created_at TEXT NOT NULL,
2990
+ updated_at TEXT NOT NULL,
2991
+ source_memory_id TEXT
2992
+ );
2993
+
2994
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
2995
+ ON agent_goals(project_name, status, priority);
2996
+
2997
+ CREATE TABLE IF NOT EXISTS agent_events (
2998
+ id TEXT PRIMARY KEY,
2999
+ event_type TEXT NOT NULL,
3000
+ occurred_at TEXT NOT NULL,
3001
+ sequence_index INTEGER NOT NULL,
3002
+ actor_agent_id TEXT,
3003
+ agent_role TEXT,
3004
+ project_name TEXT,
3005
+ session_id TEXT,
3006
+ task_id TEXT,
3007
+ goal_id TEXT,
3008
+ parent_event_id TEXT,
3009
+ intention TEXT,
3010
+ outcome TEXT,
3011
+ evidence_memory_id TEXT,
3012
+ impact TEXT,
3013
+ payload TEXT DEFAULT '{}',
3014
+ created_at TEXT NOT NULL
3015
+ );
3016
+
3017
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
3018
+ ON agent_events(occurred_at, sequence_index);
3019
+
3020
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
3021
+ ON agent_events(session_id, sequence_index);
3022
+
3023
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
3024
+ ON agent_events(goal_id, occurred_at);
3025
+
3026
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
3027
+ ON agent_events(evidence_memory_id);
3028
+
3029
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
3030
+ id TEXT PRIMARY KEY,
3031
+ goal_id TEXT NOT NULL,
3032
+ link_type TEXT NOT NULL,
3033
+ target_id TEXT NOT NULL,
3034
+ target_type TEXT NOT NULL,
3035
+ created_at TEXT NOT NULL
3036
+ );
3037
+
3038
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
3039
+ ON agent_goal_links(goal_id, target_type);
3040
+
3041
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
3042
+ id TEXT PRIMARY KEY,
3043
+ source_memory_id TEXT NOT NULL,
3044
+ event_id TEXT,
3045
+ labeler TEXT NOT NULL,
3046
+ schema_version INTEGER NOT NULL DEFAULT 1,
3047
+ confidence REAL NOT NULL DEFAULT 0,
3048
+ labels TEXT NOT NULL,
3049
+ created_at TEXT NOT NULL,
3050
+ updated_at TEXT NOT NULL
3051
+ );
3052
+
3053
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
3054
+ ON agent_semantic_labels(source_memory_id, labeler);
3055
+
3056
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
3057
+ ON agent_semantic_labels(event_id);
3058
+
3059
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
3060
+ id TEXT PRIMARY KEY,
3061
+ project_name TEXT,
3062
+ session_id TEXT,
3063
+ window_start_at TEXT NOT NULL,
3064
+ window_end_at TEXT NOT NULL,
3065
+ event_count INTEGER NOT NULL DEFAULT 0,
3066
+ goal_count INTEGER NOT NULL DEFAULT 0,
3067
+ success_count INTEGER NOT NULL DEFAULT 0,
3068
+ failure_count INTEGER NOT NULL DEFAULT 0,
3069
+ risk_count INTEGER NOT NULL DEFAULT 0,
3070
+ summary TEXT NOT NULL,
3071
+ learnings TEXT NOT NULL DEFAULT '[]',
3072
+ next_actions TEXT NOT NULL DEFAULT '[]',
3073
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
3074
+ confidence REAL NOT NULL DEFAULT 0,
3075
+ created_at TEXT NOT NULL
3076
+ );
3077
+
3078
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
3079
+ ON agent_reflection_checkpoints(project_name, window_end_at);
3080
+
3081
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
3082
+ ON agent_reflection_checkpoints(session_id, window_end_at);
3083
+ `);
2937
3084
  try {
2938
3085
  await client.execute({
2939
3086
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -3083,7 +3230,7 @@ var init_database = __esm({
3083
3230
 
3084
3231
  // src/lib/keychain.ts
3085
3232
  import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
3086
- import { existsSync as existsSync9 } from "fs";
3233
+ import { existsSync as existsSync9, statSync as statSync2 } from "fs";
3087
3234
  import { execSync as execSync4 } from "child_process";
3088
3235
  import path10 from "path";
3089
3236
  import os6 from "os";
@@ -3093,29 +3240,65 @@ function getKeyDir() {
3093
3240
  function getKeyPath() {
3094
3241
  return path10.join(getKeyDir(), "master.key");
3095
3242
  }
3096
- function macKeychainGet() {
3243
+ function nativeKeychainAllowed() {
3244
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
3245
+ }
3246
+ function linuxSecretAvailable() {
3247
+ if (!nativeKeychainAllowed()) return false;
3248
+ if (process.platform !== "linux") return false;
3249
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
3250
+ try {
3251
+ execSync4("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
3252
+ } catch {
3253
+ linuxSecretAvailability = false;
3254
+ return false;
3255
+ }
3256
+ try {
3257
+ execSync4("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
3258
+ linuxSecretAvailability = true;
3259
+ } catch {
3260
+ linuxSecretAvailability = false;
3261
+ }
3262
+ return linuxSecretAvailability;
3263
+ }
3264
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
3265
+ if (process.platform !== "linux") return false;
3266
+ try {
3267
+ const uid = typeof os6.userInfo().uid === "number" ? os6.userInfo().uid : -1;
3268
+ const st = statSync2(keyPath);
3269
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
3270
+ if (uid === 0) return true;
3271
+ const exeOsDir = process.env.EXE_OS_DIR;
3272
+ return Boolean(exeOsDir && path10.resolve(keyPath).startsWith(path10.resolve(exeOsDir) + path10.sep));
3273
+ } catch {
3274
+ return false;
3275
+ }
3276
+ }
3277
+ function macKeychainGet(service = SERVICE) {
3278
+ if (!nativeKeychainAllowed()) return null;
3097
3279
  if (process.platform !== "darwin") return null;
3098
3280
  try {
3099
3281
  return execSync4(
3100
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
3282
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
3101
3283
  { encoding: "utf-8", timeout: 5e3 }
3102
3284
  ).trim();
3103
3285
  } catch {
3104
3286
  return null;
3105
3287
  }
3106
3288
  }
3107
- function macKeychainSet(value) {
3289
+ function macKeychainSet(value, service = SERVICE) {
3290
+ if (!nativeKeychainAllowed()) return false;
3108
3291
  if (process.platform !== "darwin") return false;
3109
3292
  try {
3110
3293
  try {
3111
3294
  execSync4(
3112
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
3295
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3113
3296
  { timeout: 5e3 }
3114
3297
  );
3115
3298
  } catch {
3116
3299
  }
3117
3300
  execSync4(
3118
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
3301
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
3119
3302
  { timeout: 5e3 }
3120
3303
  );
3121
3304
  return true;
@@ -3123,22 +3306,48 @@ function macKeychainSet(value) {
3123
3306
  return false;
3124
3307
  }
3125
3308
  }
3126
- function linuxSecretGet() {
3127
- if (process.platform !== "linux") return null;
3309
+ function macKeychainDelete(service = SERVICE) {
3310
+ if (!nativeKeychainAllowed()) return false;
3311
+ if (process.platform !== "darwin") return false;
3312
+ try {
3313
+ execSync4(
3314
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
3315
+ { timeout: 5e3 }
3316
+ );
3317
+ return true;
3318
+ } catch {
3319
+ return false;
3320
+ }
3321
+ }
3322
+ function linuxSecretGet(service = SERVICE) {
3323
+ if (!linuxSecretAvailable()) return null;
3128
3324
  try {
3129
3325
  return execSync4(
3130
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
3326
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3131
3327
  { encoding: "utf-8", timeout: 5e3 }
3132
3328
  ).trim();
3133
3329
  } catch {
3134
3330
  return null;
3135
3331
  }
3136
3332
  }
3137
- function linuxSecretSet(value) {
3333
+ function linuxSecretSet(value, service = SERVICE) {
3334
+ if (!linuxSecretAvailable()) return false;
3335
+ try {
3336
+ execSync4(
3337
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3338
+ { timeout: 5e3 }
3339
+ );
3340
+ return true;
3341
+ } catch {
3342
+ return false;
3343
+ }
3344
+ }
3345
+ function linuxSecretDelete(service = SERVICE) {
3346
+ if (!nativeKeychainAllowed()) return false;
3138
3347
  if (process.platform !== "linux") return false;
3139
3348
  try {
3140
3349
  execSync4(
3141
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
3350
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
3142
3351
  { timeout: 5e3 }
3143
3352
  );
3144
3353
  return true;
@@ -3147,6 +3356,7 @@ function linuxSecretSet(value) {
3147
3356
  }
3148
3357
  }
3149
3358
  async function tryKeytar() {
3359
+ if (!nativeKeychainAllowed()) return null;
3150
3360
  try {
3151
3361
  return await import("keytar");
3152
3362
  } catch {
@@ -3220,7 +3430,19 @@ async function writeMachineBoundFileFallback(b64) {
3220
3430
  return "plaintext";
3221
3431
  }
3222
3432
  async function getMasterKey() {
3223
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
3433
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
3434
+ if (!nativeValue) {
3435
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
3436
+ if (legacyValue) {
3437
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
3438
+ if (migrated) {
3439
+ macKeychainDelete(LEGACY_SERVICE);
3440
+ linuxSecretDelete(LEGACY_SERVICE);
3441
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
3442
+ }
3443
+ nativeValue = legacyValue;
3444
+ }
3445
+ }
3224
3446
  if (nativeValue) {
3225
3447
  return Buffer.from(nativeValue, "base64");
3226
3448
  }
@@ -3228,12 +3450,17 @@ async function getMasterKey() {
3228
3450
  if (keytar) {
3229
3451
  try {
3230
3452
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
3231
- if (keytarValue) {
3232
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
3453
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
3454
+ if (legacyKeytarValue) {
3455
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
3233
3456
  if (migrated) {
3234
3457
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
3458
+ try {
3459
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
3460
+ } catch {
3461
+ }
3235
3462
  }
3236
- return Buffer.from(keytarValue, "base64");
3463
+ return Buffer.from(legacyKeytarValue, "base64");
3237
3464
  }
3238
3465
  } catch {
3239
3466
  }
@@ -3258,7 +3485,7 @@ async function getMasterKey() {
3258
3485
  const decrypted = decryptWithMachineKey(content, machineKey);
3259
3486
  if (!decrypted) {
3260
3487
  process.stderr.write(
3261
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
3488
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
3262
3489
  );
3263
3490
  return null;
3264
3491
  }
@@ -3267,6 +3494,9 @@ async function getMasterKey() {
3267
3494
  b64Value = content;
3268
3495
  }
3269
3496
  const key = Buffer.from(b64Value, "base64");
3497
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
3498
+ return key;
3499
+ }
3270
3500
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
3271
3501
  if (migrated) {
3272
3502
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -3294,12 +3524,14 @@ async function getMasterKey() {
3294
3524
  return null;
3295
3525
  }
3296
3526
  }
3297
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
3527
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
3298
3528
  var init_keychain = __esm({
3299
3529
  "src/lib/keychain.ts"() {
3300
3530
  "use strict";
3301
- SERVICE = "exe-mem";
3531
+ SERVICE = "exe-os";
3532
+ LEGACY_SERVICE = "exe-mem";
3302
3533
  ACCOUNT = "master-key";
3534
+ linuxSecretAvailability = null;
3303
3535
  ENCRYPTED_PREFIX = "enc:";
3304
3536
  }
3305
3537
  });
@@ -3569,7 +3801,7 @@ __export(shard_manager_exports, {
3569
3801
  shardExists: () => shardExists
3570
3802
  });
3571
3803
  import path11 from "path";
3572
- import { existsSync as existsSync10, mkdirSync as mkdirSync5, readdirSync as readdirSync3, renameSync as renameSync3, statSync as statSync2 } from "fs";
3804
+ import { existsSync as existsSync10, mkdirSync as mkdirSync5, readdirSync as readdirSync3, renameSync as renameSync3, statSync as statSync3 } from "fs";
3573
3805
  import { createClient as createClient2 } from "@libsql/client";
3574
3806
  function initShardManager(encryptionKey) {
3575
3807
  _encryptionKey = encryptionKey;
@@ -3633,7 +3865,7 @@ async function auditShardHealth(options = {}) {
3633
3865
  const shards = [];
3634
3866
  for (const name of names) {
3635
3867
  const dbPath = path11.join(SHARDS_DIR, `${name}.db`);
3636
- const stat = statSync2(dbPath);
3868
+ const stat = statSync3(dbPath);
3637
3869
  const item = {
3638
3870
  name,
3639
3871
  path: dbPath,
@@ -3886,7 +4118,7 @@ async function getReadyShardClient(projectName) {
3886
4118
  _shardLastAccess.delete(safeName);
3887
4119
  const dbPath = path11.join(SHARDS_DIR, `${safeName}.db`);
3888
4120
  if (existsSync10(dbPath)) {
3889
- const stat = statSync2(dbPath);
4121
+ const stat = statSync3(dbPath);
3890
4122
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
3891
4123
  const archivedPath = path11.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
3892
4124
  renameSync3(dbPath, archivedPath);
@@ -4006,6 +4238,12 @@ var init_platform_procedures = __esm({
4006
4238
  priority: "p0",
4007
4239
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
4008
4240
  },
4241
+ {
4242
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
4243
+ domain: "workflow",
4244
+ priority: "p1",
4245
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
4246
+ },
4009
4247
  {
4010
4248
  title: "Single dispatch path \u2014 create_task only",
4011
4249
  domain: "workflow",
@@ -4064,6 +4302,12 @@ var init_platform_procedures = __esm({
4064
4302
  priority: "p0",
4065
4303
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
4066
4304
  },
4305
+ {
4306
+ title: "Commit discipline \u2014 never leave verified work floating",
4307
+ domain: "workflow",
4308
+ priority: "p1",
4309
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
4310
+ },
4067
4311
  {
4068
4312
  title: "Desktop and TUI are the same product",
4069
4313
  domain: "architecture",
@@ -4381,6 +4625,274 @@ var init_memory_cards = __esm({
4381
4625
  }
4382
4626
  });
4383
4627
 
4628
+ // src/lib/agentic-ontology.ts
4629
+ var agentic_ontology_exports = {};
4630
+ __export(agentic_ontology_exports, {
4631
+ clean: () => clean,
4632
+ extractGoalCandidates: () => extractGoalCandidates,
4633
+ inferIntention: () => inferIntention,
4634
+ inferOntologyEventType: () => inferOntologyEventType,
4635
+ inferOutcome: () => inferOutcome,
4636
+ inferSemanticLabel: () => inferSemanticLabel,
4637
+ insertOntologyForBatch: () => insertOntologyForBatch,
4638
+ insertOntologyForMemory: () => insertOntologyForMemory,
4639
+ ontologyPayload: () => ontologyPayload,
4640
+ stableId: () => stableId2
4641
+ });
4642
+ import { createHash as createHash3 } from "crypto";
4643
+ function stableId2(...parts) {
4644
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
4645
+ }
4646
+ function clean(text, max = 240) {
4647
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
4648
+ }
4649
+ function inferOntologyEventType(row) {
4650
+ const lower = row.raw_text.toLowerCase();
4651
+ if (row.has_error) return "error";
4652
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
4653
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
4654
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
4655
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
4656
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
4657
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
4658
+ return "memory_observation";
4659
+ }
4660
+ function inferIntention(row) {
4661
+ if (row.intent) return clean(row.intent, 220);
4662
+ const text = clean(row.raw_text, 1e3);
4663
+ const patterns = [
4664
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
4665
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
4666
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
4667
+ ];
4668
+ for (const p of patterns) {
4669
+ const m = text.match(p);
4670
+ if (m?.[1]) return clean(m[1], 220);
4671
+ }
4672
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
4673
+ return `${row.tool_name} during ${row.project_name}`;
4674
+ }
4675
+ return null;
4676
+ }
4677
+ function inferOutcome(row) {
4678
+ if (row.outcome) return clean(row.outcome, 220);
4679
+ if (row.has_error) return "error";
4680
+ const lower = row.raw_text.toLowerCase();
4681
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
4682
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
4683
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
4684
+ return null;
4685
+ }
4686
+ function extractGoalCandidates(row) {
4687
+ const text = clean(row.raw_text, 1600);
4688
+ const patterns = [
4689
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
4690
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
4691
+ ];
4692
+ const out = [];
4693
+ for (const pattern of patterns) {
4694
+ for (const m of text.matchAll(pattern)) {
4695
+ const candidate = clean(m[1] ?? "", 220);
4696
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
4697
+ if (out.length >= 3) return out;
4698
+ }
4699
+ }
4700
+ return out;
4701
+ }
4702
+ function uniq(values, max = 6) {
4703
+ const out = [];
4704
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
4705
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
4706
+ if (out.length >= max) break;
4707
+ }
4708
+ return out;
4709
+ }
4710
+ function extractMatches(text, patterns, max = 5) {
4711
+ const out = [];
4712
+ for (const pattern of patterns) {
4713
+ for (const match of text.matchAll(pattern)) {
4714
+ const value = match[1] ?? match[0];
4715
+ if (value) out.push(value);
4716
+ if (out.length >= max) return uniq(out, max);
4717
+ }
4718
+ }
4719
+ return uniq(out, max);
4720
+ }
4721
+ function inferSemanticLabel(row) {
4722
+ const text = clean(row.raw_text, 2400);
4723
+ const eventType = inferOntologyEventType(row);
4724
+ const intention = inferIntention(row);
4725
+ const outcome = inferOutcome(row);
4726
+ const goals = extractGoalCandidates(row);
4727
+ const milestones = extractMatches(text, [
4728
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
4729
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
4730
+ ]);
4731
+ const problems = extractMatches(text, [
4732
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
4733
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
4734
+ ]);
4735
+ const decisions = extractMatches(text, [
4736
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
4737
+ ]);
4738
+ const temporalAnchors = extractMatches(text, [
4739
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
4740
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
4741
+ ], 8);
4742
+ const nextActions = extractMatches(text, [
4743
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
4744
+ ]);
4745
+ const actors = uniq([
4746
+ row.agent_id,
4747
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
4748
+ ], 6);
4749
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
4750
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
4751
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
4752
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
4753
+ return {
4754
+ labeler: "deterministic",
4755
+ schemaVersion: 1,
4756
+ eventType,
4757
+ intention,
4758
+ outcome,
4759
+ impact,
4760
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
4761
+ goals,
4762
+ milestones,
4763
+ problems,
4764
+ decisions,
4765
+ actors,
4766
+ temporalAnchors,
4767
+ successSignals,
4768
+ failureSignals,
4769
+ nextActions,
4770
+ summary: clean(text, 280)
4771
+ };
4772
+ }
4773
+ function ontologyPayload(row) {
4774
+ const semantic = inferSemanticLabel(row);
4775
+ return {
4776
+ tool_name: row.tool_name,
4777
+ memory_version: row.version ?? null,
4778
+ domain: row.domain ?? null,
4779
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
4780
+ semantic
4781
+ };
4782
+ }
4783
+ function safeJson(value) {
4784
+ try {
4785
+ return JSON.parse(value);
4786
+ } catch {
4787
+ return value.slice(0, 1e3);
4788
+ }
4789
+ }
4790
+ async function resolveClient(client) {
4791
+ if (client) return client;
4792
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
4793
+ return getClient2();
4794
+ }
4795
+ async function insertOntologyForMemory(row, client) {
4796
+ const db = await resolveClient(client);
4797
+ const occurredAt = row.timestamp;
4798
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
4799
+ const eventType = inferOntologyEventType(row);
4800
+ const intention = inferIntention(row);
4801
+ const outcome = inferOutcome(row);
4802
+ const eventId = stableId2("event", row.id);
4803
+ const now = (/* @__PURE__ */ new Date()).toISOString();
4804
+ await db.execute({
4805
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
4806
+ VALUES (?, ?, ?, ?, ?, 1, ?)
4807
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
4808
+ event_count = event_count + 1`,
4809
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
4810
+ });
4811
+ await db.execute({
4812
+ sql: `INSERT OR IGNORE INTO agent_events
4813
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
4814
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
4815
+ impact, payload, created_at)
4816
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
4817
+ args: [
4818
+ eventId,
4819
+ eventType,
4820
+ occurredAt,
4821
+ sequence,
4822
+ row.agent_id,
4823
+ row.agent_role,
4824
+ row.project_name,
4825
+ row.session_id,
4826
+ row.task_id ?? null,
4827
+ intention,
4828
+ outcome,
4829
+ row.id,
4830
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
4831
+ JSON.stringify(ontologyPayload(row)),
4832
+ now
4833
+ ]
4834
+ });
4835
+ const semantic = inferSemanticLabel(row);
4836
+ await db.execute({
4837
+ sql: `INSERT INTO agent_semantic_labels
4838
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
4839
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
4840
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
4841
+ labels = excluded.labels, updated_at = excluded.updated_at`,
4842
+ args: [
4843
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
4844
+ row.id,
4845
+ eventId,
4846
+ semantic.labeler,
4847
+ semantic.schemaVersion,
4848
+ semantic.confidence,
4849
+ JSON.stringify(semantic),
4850
+ now,
4851
+ now
4852
+ ]
4853
+ });
4854
+ for (const statement of extractGoalCandidates(row)) {
4855
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
4856
+ await db.execute({
4857
+ sql: `INSERT INTO agent_goals
4858
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
4859
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
4860
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
4861
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
4862
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
4863
+ });
4864
+ await db.execute({
4865
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4866
+ (id, goal_id, link_type, target_id, target_type, created_at)
4867
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
4868
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
4869
+ });
4870
+ await db.execute({
4871
+ sql: `INSERT OR IGNORE INTO agent_goal_links
4872
+ (id, goal_id, link_type, target_id, target_type, created_at)
4873
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
4874
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
4875
+ });
4876
+ }
4877
+ }
4878
+ async function insertOntologyForBatch(rows, client) {
4879
+ const db = await resolveClient(client);
4880
+ let count = 0;
4881
+ for (const row of rows) {
4882
+ try {
4883
+ await insertOntologyForMemory(row, db);
4884
+ count++;
4885
+ } catch {
4886
+ }
4887
+ }
4888
+ return count;
4889
+ }
4890
+ var init_agentic_ontology = __esm({
4891
+ "src/lib/agentic-ontology.ts"() {
4892
+ "use strict";
4893
+ }
4894
+ });
4895
+
4384
4896
  // src/lib/store.ts
4385
4897
  var store_exports = {};
4386
4898
  __export(store_exports, {
@@ -4724,6 +5236,11 @@ async function flushBatch() {
4724
5236
  await insertMemoryCardsForBatch2(batch);
4725
5237
  } catch {
4726
5238
  }
5239
+ try {
5240
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
5241
+ await insertOntologyForBatch2(batch);
5242
+ } catch {
5243
+ }
4727
5244
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
4728
5245
  _pendingRecords.splice(0, batch.length);
4729
5246
  try {