@askexenow/exe-os 0.9.65 → 0.9.67

package/dist/lib/identity.js

@@ -99,6 +99,10 @@ var init_config = __esm({
         checkOnBoot: true,
         autoInstall: false,
         checkIntervalMs: 24 * 60 * 60 * 1e3
+      },
+      orchestration: {
+        phase: "phase_1_coo",
+        phaseSetBy: "default"
       }
     };
   }
@@ -156,6 +160,9 @@ function getClient() {
   if (_daemonClient && _daemonClient._isDaemonActive()) {
     return _daemonClient;
   }
+  if (!_resilientClient) {
+    return _adapterClient;
+  }
   return _resilientClient;
 }
 

package/dist/lib/keychain.js

@@ -7,11 +7,12 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
 
 // src/lib/keychain.ts
 import { readFile, writeFile, unlink, mkdir, chmod } from "fs/promises";
-import { existsSync } from "fs";
+import { existsSync, statSync } from "fs";
 import { execSync } from "child_process";
 import path from "path";
 import os from "os";
-var SERVICE = "exe-mem";
+var SERVICE = "exe-os";
+var LEGACY_SERVICE = "exe-mem";
 var ACCOUNT = "master-key";
 function getKeyDir() {
   return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path.join(os.homedir(), ".exe-os");
@@ -19,29 +20,66 @@ function getKeyDir() {
 function getKeyPath() {
   return path.join(getKeyDir(), "master.key");
 }
-function macKeychainGet() {
+function nativeKeychainAllowed() {
+  return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
+}
+var linuxSecretAvailability = null;
+function linuxSecretAvailable() {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "linux") return false;
+  if (linuxSecretAvailability !== null) return linuxSecretAvailability;
+  try {
+    execSync("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
+  } catch {
+    linuxSecretAvailability = false;
+    return false;
+  }
+  try {
+    execSync("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
+    linuxSecretAvailability = true;
+  } catch {
+    linuxSecretAvailability = false;
+  }
+  return linuxSecretAvailability;
+}
+function isRootOnlyTrustedServerKeyFile(keyPath) {
+  if (process.platform !== "linux") return false;
+  try {
+    const uid = typeof os.userInfo().uid === "number" ? os.userInfo().uid : -1;
+    const st = statSync(keyPath);
+    if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    if (uid === 0) return true;
+    const exeOsDir = process.env.EXE_OS_DIR;
+    return Boolean(exeOsDir && path.resolve(keyPath).startsWith(path.resolve(exeOsDir) + path.sep));
+  } catch {
+    return false;
+  }
+}
+function macKeychainGet(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return null;
   if (process.platform !== "darwin") return null;
   try {
     return execSync(
-      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
       { encoding: "utf-8", timeout: 5e3 }
     ).trim();
   } catch {
     return null;
   }
 }
-function macKeychainSet(value) {
+function macKeychainSet(value, service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "darwin") return false;
   try {
     try {
       execSync(
-        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
         { timeout: 5e3 }
       );
     } catch {
     }
     execSync(
-      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
       { timeout: 5e3 }
     );
     return true;
@@ -49,11 +87,12 @@ function macKeychainSet(value) {
     return false;
   }
 }
-function macKeychainDelete() {
+function macKeychainDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "darwin") return false;
   try {
     execSync(
-      `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+      `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -61,22 +100,22 @@ function macKeychainDelete() {
     return false;
   }
 }
-function linuxSecretGet() {
-  if (process.platform !== "linux") return null;
+function linuxSecretGet(service = SERVICE) {
+  if (!linuxSecretAvailable()) return null;
   try {
     return execSync(
-      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { encoding: "utf-8", timeout: 5e3 }
     ).trim();
   } catch {
     return null;
   }
 }
-function linuxSecretSet(value) {
-  if (process.platform !== "linux") return false;
+function linuxSecretSet(value, service = SERVICE) {
+  if (!linuxSecretAvailable()) return false;
   try {
     execSync(
-      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -84,11 +123,12 @@ function linuxSecretSet(value) {
     return false;
   }
 }
-function linuxSecretDelete() {
+function linuxSecretDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "linux") return false;
   try {
     execSync(
-      `secret-tool clear service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -97,6 +137,7 @@ function linuxSecretDelete() {
   }
 }
 async function tryKeytar() {
+  if (!nativeKeychainAllowed()) return null;
   try {
     return await import("keytar");
   } catch {
@@ -171,7 +212,19 @@ async function writeMachineBoundFileFallback(b64) {
   return "plaintext";
 }
 async function getMasterKey() {
-  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  let nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (!nativeValue) {
+    const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
+    if (legacyValue) {
+      const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
+      if (migrated) {
+        macKeychainDelete(LEGACY_SERVICE);
+        linuxSecretDelete(LEGACY_SERVICE);
+        process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
+      }
+      nativeValue = legacyValue;
+    }
+  }
   if (nativeValue) {
     return Buffer.from(nativeValue, "base64");
   }
@@ -179,12 +232,17 @@ async function getMasterKey() {
   if (keytar) {
     try {
       const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (keytarValue) {
-        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+      const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
+      if (legacyKeytarValue) {
+        const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
         if (migrated) {
           process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+          try {
+            await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
+          } catch {
+          }
         }
-        return Buffer.from(keytarValue, "base64");
+        return Buffer.from(legacyKeytarValue, "base64");
       }
     } catch {
     }
@@ -209,7 +267,7 @@ async function getMasterKey() {
       const decrypted = decryptWithMachineKey(content, machineKey);
       if (!decrypted) {
         process.stderr.write(
-          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase during setup: exe-os setup\n"
         );
         return null;
       }
@@ -218,6 +276,9 @@ async function getMasterKey() {
       b64Value = content;
     }
     const key = Buffer.from(b64Value, "base64");
+    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+      return key;
+    }
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -245,6 +306,97 @@ async function getMasterKey() {
     return null;
   }
 }
+async function getKeyStorageInfo() {
+  if (macKeychainGet()) {
+    return {
+      kind: "macos-keychain",
+      secure: true,
+      note: "stored in macOS Keychain via built-in security CLI"
+    };
+  }
+  if (macKeychainGet(LEGACY_SERVICE)) {
+    return {
+      kind: "macos-keychain",
+      secure: true,
+      note: "stored in legacy macOS Keychain service exe-mem; next key read migrates it to exe-os"
+    };
+  }
+  if (linuxSecretGet()) {
+    return {
+      kind: "linux-secret-service",
+      secure: true,
+      note: "stored in Linux Secret Service via secret-tool"
+    };
+  }
+  if (linuxSecretGet(LEGACY_SERVICE)) {
+    return {
+      kind: "linux-secret-service",
+      secure: true,
+      note: "stored in legacy Linux Secret Service service exe-mem; next key read migrates it to exe-os"
+    };
+  }
+  const keytar = await tryKeytar();
+  if (keytar) {
+    try {
+      if (await keytar.getPassword(SERVICE, ACCOUNT)) {
+        return {
+          kind: "legacy-keytar",
+          secure: true,
+          note: "stored in legacy keytar backend; will migrate to native keychain when possible"
+        };
+      }
+      if (await keytar.getPassword(LEGACY_SERVICE, ACCOUNT)) {
+        return {
+          kind: "legacy-keytar",
+          secure: true,
+          note: "stored in legacy keytar service exe-mem; will migrate to native exe-os keychain when possible"
+        };
+      }
+    } catch {
+    }
+  }
+  const keyPath = getKeyPath();
+  if (!existsSync(keyPath)) {
+    return {
+      kind: "missing",
+      secure: false,
+      path: keyPath,
+      note: "no key found in OS keychain, legacy keytar, or file fallback"
+    };
+  }
+  try {
+    const content = (await readFile(keyPath, "utf-8")).trim();
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      return {
+        kind: "encrypted-file",
+        secure: true,
+        path: keyPath,
+        note: "stored in machine-bound encrypted file fallback"
+      };
+    }
+    if (isRootOnlyTrustedServerKeyFile(keyPath)) {
+      return {
+        kind: "server-secret-file",
+        secure: true,
+        path: keyPath,
+        note: "stored as root-only trusted server secret file"
+      };
+    }
+    return {
+      kind: "plaintext-file",
+      secure: false,
+      path: keyPath,
+      note: "stored in legacy plaintext file; reading it will migrate or encrypt it"
+    };
+  } catch {
+    return {
+      kind: "missing",
+      secure: false,
+      path: keyPath,
+      note: "key file exists but could not be read"
+    };
+  }
+}
 async function setMasterKey(key) {
   const b64 = key.toString("base64");
   if (macKeychainSet(b64) || linuxSecretSet(b64)) {
@@ -270,10 +422,13 @@ async function setMasterKey(key) {
 async function deleteMasterKey() {
   macKeychainDelete();
   linuxSecretDelete();
+  macKeychainDelete(LEGACY_SERVICE);
+  linuxSecretDelete(LEGACY_SERVICE);
   const keytar = await tryKeytar();
   if (keytar) {
     try {
       await keytar.deletePassword(SERVICE, ACCOUNT);
+      await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
     } catch {
     }
   }
@@ -314,6 +469,7 @@ async function importMnemonic(mnemonic) {
 export {
   deleteMasterKey,
   exportMnemonic,
+  getKeyStorageInfo,
   getMasterKey,
   importMnemonic,
   setMasterKey

package/dist/lib/license.js

@@ -102,6 +102,10 @@ var DEFAULT_CONFIG = {
     checkOnBoot: true,
     autoInstall: false,
     checkIntervalMs: 24 * 60 * 60 * 1e3
+  },
+  orchestration: {
+    phase: "phase_1_coo",
+    phaseSetBy: "default"
   }
 };
 

package/dist/lib/messaging.js

@@ -122,6 +122,10 @@ var init_config = __esm({
         checkOnBoot: true,
         autoInstall: false,
         checkIntervalMs: 24 * 60 * 60 * 1e3
+      },
+      orchestration: {
+        phase: "phase_1_coo",
+        phaseSetBy: "default"
       }
     };
   }
@@ -219,6 +223,9 @@ function getClient() {
   if (_daemonClient && _daemonClient._isDaemonActive()) {
     return _daemonClient;
   }
+  if (!_resilientClient) {
+    return _adapterClient;
+  }
   return _resilientClient;
 }
 var _resilientClient, _daemonClient, _adapterClient;

package/dist/lib/reminders.js

@@ -99,6 +99,10 @@ var init_config = __esm({
         checkOnBoot: true,
         autoInstall: false,
         checkIntervalMs: 24 * 60 * 60 * 1e3
+      },
+      orchestration: {
+        phase: "phase_1_coo",
+        phaseSetBy: "default"
       }
     };
   }
@@ -152,6 +156,9 @@ function getClient() {
   if (_daemonClient && _daemonClient._isDaemonActive()) {
     return _daemonClient;
   }
+  if (!_resilientClient) {
+    return _adapterClient;
+  }
   return _resilientClient;
 }