@askexenow/exe-os 0.9.65 → 0.9.67

Files changed (113) hide show
  1. package/deploy/stack-manifests/v0.9.json +54 -5
  2. package/dist/bin/age-ontology-load.js +61 -0
  3. package/dist/bin/agentic-ontology-backfill.js +4708 -0
  4. package/dist/bin/agentic-reflection-backfill.js +4144 -0
  5. package/dist/bin/{exe-link.js → agentic-semantic-label.js} +1532 -2173
  6. package/dist/bin/backfill-conversations.js +528 -20
  7. package/dist/bin/backfill-responses.js +528 -20
  8. package/dist/bin/backfill-vectors.js +255 -20
  9. package/dist/bin/bulk-sync-postgres.js +4876 -0
  10. package/dist/bin/cleanup-stale-review-tasks.js +529 -21
  11. package/dist/bin/cli.js +3471 -1491
  12. package/dist/bin/exe-agent-config.js +4 -0
  13. package/dist/bin/exe-agent.js +16 -0
  14. package/dist/bin/exe-assign.js +528 -20
  15. package/dist/bin/exe-boot.js +492 -54
  16. package/dist/bin/exe-call.js +16 -0
  17. package/dist/bin/exe-cloud.js +7415 -518
  18. package/dist/bin/exe-dispatch.js +540 -22
  19. package/dist/bin/exe-doctor.js +3404 -1225
  20. package/dist/bin/exe-export-behaviors.js +542 -24
  21. package/dist/bin/exe-forget.js +529 -21
  22. package/dist/bin/exe-gateway.js +595 -25
  23. package/dist/bin/exe-heartbeat.js +541 -24
  24. package/dist/bin/exe-kill.js +529 -21
  25. package/dist/bin/exe-launch-agent.js +2334 -1067
  26. package/dist/bin/exe-new-employee.js +324 -166
  27. package/dist/bin/exe-pending-messages.js +529 -21
  28. package/dist/bin/exe-pending-notifications.js +529 -21
  29. package/dist/bin/exe-pending-reviews.js +529 -21
  30. package/dist/bin/exe-rename.js +529 -21
  31. package/dist/bin/exe-review.js +529 -21
  32. package/dist/bin/exe-search.js +542 -24
  33. package/dist/bin/exe-session-cleanup.js +540 -22
  34. package/dist/bin/exe-settings.js +14 -0
  35. package/dist/bin/exe-start-codex.js +817 -144
  36. package/dist/bin/exe-start-opencode.js +776 -80
  37. package/dist/bin/exe-status.js +529 -21
  38. package/dist/bin/exe-team.js +529 -21
  39. package/dist/bin/git-sweep.js +540 -22
  40. package/dist/bin/graph-backfill.js +580 -21
  41. package/dist/bin/graph-export.js +529 -21
  42. package/dist/bin/graph-layer-benchmark.js +109 -0
  43. package/dist/bin/install.js +420 -289
  44. package/dist/bin/intercom-check.js +540 -22
  45. package/dist/bin/postgres-agentic-reflection-backfill.js +187 -0
  46. package/dist/bin/postgres-agentic-semantic-backfill.js +237 -0
  47. package/dist/bin/scan-tasks.js +540 -22
  48. package/dist/bin/setup.js +790 -206
  49. package/dist/bin/shard-migrate.js +528 -20
  50. package/dist/bin/update.js +4 -0
  51. package/dist/gateway/index.js +593 -23
  52. package/dist/hooks/bug-report-worker.js +651 -64
  53. package/dist/hooks/codex-stop-task-finalizer.js +540 -22
  54. package/dist/hooks/commit-complete.js +540 -22
  55. package/dist/hooks/error-recall.js +542 -24
  56. package/dist/hooks/exe-heartbeat-hook.js +4 -0
  57. package/dist/hooks/ingest-worker.js +4 -0
  58. package/dist/hooks/ingest.js +539 -22
  59. package/dist/hooks/instructions-loaded.js +529 -21
  60. package/dist/hooks/notification.js +529 -21
  61. package/dist/hooks/post-compact.js +529 -21
  62. package/dist/hooks/post-tool-combined.js +543 -25
  63. package/dist/hooks/pre-compact.js +772 -127
  64. package/dist/hooks/pre-tool-use.js +529 -21
  65. package/dist/hooks/prompt-submit.js +543 -25
  66. package/dist/hooks/session-end.js +673 -140
  67. package/dist/hooks/session-start.js +662 -26
  68. package/dist/hooks/stop.js +540 -23
  69. package/dist/hooks/subagent-stop.js +529 -21
  70. package/dist/hooks/summary-worker.js +571 -126
  71. package/dist/index.js +593 -23
  72. package/dist/lib/agent-config.js +4 -0
  73. package/dist/lib/cloud-sync.js +408 -47
  74. package/dist/lib/config.js +25 -1
  75. package/dist/lib/consolidation.js +5 -1
  76. package/dist/lib/database.js +128 -0
  77. package/dist/lib/db-daemon-client.js +4 -0
  78. package/dist/lib/db.js +128 -0
  79. package/dist/lib/device-registry.js +128 -0
  80. package/dist/lib/embedder.js +25 -1
  81. package/dist/lib/employee-templates.js +16 -0
  82. package/dist/lib/employees.js +4 -0
  83. package/dist/lib/exe-daemon-client.js +4 -0
  84. package/dist/lib/exe-daemon.js +3158 -930
  85. package/dist/lib/hybrid-search.js +542 -24
  86. package/dist/lib/identity.js +7 -0
  87. package/dist/lib/keychain.js +178 -22
  88. package/dist/lib/license.js +4 -0
  89. package/dist/lib/messaging.js +7 -0
  90. package/dist/lib/reminders.js +7 -0
  91. package/dist/lib/schedules.js +255 -20
  92. package/dist/lib/skill-learning.js +28 -1
  93. package/dist/lib/status-brief.js +39 -0
  94. package/dist/lib/store.js +528 -20
  95. package/dist/lib/task-router.js +4 -0
  96. package/dist/lib/tasks.js +28 -1
  97. package/dist/lib/tmux-routing.js +28 -1
  98. package/dist/lib/token-spend.js +7 -0
  99. package/dist/mcp/server.js +2739 -813
  100. package/dist/mcp/tools/complete-reminder.js +7 -0
  101. package/dist/mcp/tools/create-reminder.js +7 -0
  102. package/dist/mcp/tools/create-task.js +28 -1
  103. package/dist/mcp/tools/deactivate-behavior.js +7 -0
  104. package/dist/mcp/tools/list-reminders.js +7 -0
  105. package/dist/mcp/tools/list-tasks.js +7 -0
  106. package/dist/mcp/tools/send-message.js +7 -0
  107. package/dist/mcp/tools/update-task.js +28 -1
  108. package/dist/runtime/index.js +540 -22
  109. package/dist/tui/App.js +618 -29
  110. package/package.json +9 -5
  111. package/src/commands/exe/cloud.md +11 -8
  112. package/stack.release.json +3 -3
  113. package/src/commands/exe/link.md +0 -17
@@ -149,6 +149,11 @@ function normalizeAutoUpdate(raw) {
149
149
  const userAU = raw.autoUpdate ?? {};
150
150
  raw.autoUpdate = { ...defaultAU, ...userAU };
151
151
  }
152
+ function normalizeOrchestration(raw) {
153
+ const defaultOrg = DEFAULT_CONFIG.orchestration;
154
+ const userOrg = raw.orchestration ?? {};
155
+ raw.orchestration = { ...defaultOrg, ...userOrg };
156
+ }
152
157
  async function loadConfig() {
153
158
  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
154
159
  await ensurePrivateDir(dir);
@@ -173,10 +178,15 @@ async function loadConfig() {
173
178
  normalizeScalingRoadmap(migratedCfg);
174
179
  normalizeSessionLifecycle(migratedCfg);
175
180
  normalizeAutoUpdate(migratedCfg);
181
+ normalizeOrchestration(migratedCfg);
176
182
  const config = { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
177
183
  if (config.dbPath.startsWith("~")) {
178
184
  config.dbPath = config.dbPath.replace(/^~/, os2.homedir());
179
185
  }
186
+ const envDbPath = path2.join(dir, "memories.db");
187
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
188
+ config.dbPath = envDbPath;
189
+ }
180
190
  return config;
181
191
  } catch {
182
192
  return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
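Review bot: The fallback added after the `~` expansion in loadConfig swaps `config.dbPath` to `envDbPath` silently, so a configured path that is merely unmounted or mistyped leads to a different database being opened with no trace of the switch. A one-line notice at the swap would make it visible, e.g. `process.stderr.write("[config] configured dbPath not found, using " + envDbPath + "\n");`. The same block, together with the `~` expansion, is repeated in the loadConfigSync hunk below; a shared helper such as `resolveDbPath(config, dir)` would keep the two copies from drifting. loadConfig's body starts and ends outside this hunk.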
@@ -196,7 +206,16 @@ function loadConfigSync() {
196
206
  normalizeScalingRoadmap(migratedCfg);
197
207
  normalizeSessionLifecycle(migratedCfg);
198
208
  normalizeAutoUpdate(migratedCfg);
199
- return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
209
+ normalizeOrchestration(migratedCfg);
210
+ const config = { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
211
+ if (config.dbPath.startsWith("~")) {
212
+ config.dbPath = config.dbPath.replace(/^~/, os2.homedir());
213
+ }
214
+ const envDbPath = path2.join(dir, "memories.db");
215
+ if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
216
+ config.dbPath = envDbPath;
217
+ }
218
+ return config;
200
219
  } catch {
201
220
  return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
202
221
  }
@@ -217,6 +236,7 @@ async function loadConfigFrom(configPath) {
217
236
  normalizeScalingRoadmap(migratedCfg);
218
237
  normalizeSessionLifecycle(migratedCfg);
219
238
  normalizeAutoUpdate(migratedCfg);
239
+ normalizeOrchestration(migratedCfg);
220
240
  return { ...DEFAULT_CONFIG, ...migratedCfg };
221
241
  } catch {
222
242
  return { ...DEFAULT_CONFIG };
@@ -288,6 +308,10 @@ var init_config = __esm({
288
308
  checkOnBoot: true,
289
309
  autoInstall: false,
290
310
  checkIntervalMs: 24 * 60 * 60 * 1e3
311
+ },
312
+ orchestration: {
313
+ phase: "phase_1_coo",
314
+ phaseSetBy: "default"
291
315
  }
292
316
  };
293
317
  CONFIG_MIGRATIONS = [
@@ -2293,6 +2317,9 @@ function getClient() {
2293
2317
  if (_daemonClient && _daemonClient._isDaemonActive()) {
2294
2318
  return _daemonClient;
2295
2319
  }
2320
+ if (!_resilientClient) {
2321
+ return _adapterClient;
2322
+ }
2296
2323
  return _resilientClient;
2297
2324
  }
2298
2325
  async function initDaemonClient() {
@@ -3325,6 +3352,127 @@ async function ensureSchema() {
3325
3352
  VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
3326
3353
  END;
3327
3354
  `);
3355
+ await client.executeMultiple(`
3356
+ CREATE TABLE IF NOT EXISTS agent_sessions (
3357
+ id TEXT PRIMARY KEY,
3358
+ agent_id TEXT NOT NULL,
3359
+ project_name TEXT,
3360
+ started_at TEXT NOT NULL,
3361
+ last_event_at TEXT NOT NULL,
3362
+ event_count INTEGER NOT NULL DEFAULT 0,
3363
+ properties TEXT DEFAULT '{}'
3364
+ );
3365
+
3366
+ CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
3367
+ ON agent_sessions(agent_id, started_at);
3368
+
3369
+ CREATE TABLE IF NOT EXISTS agent_goals (
3370
+ id TEXT PRIMARY KEY,
3371
+ statement TEXT NOT NULL,
3372
+ owner_agent_id TEXT,
3373
+ project_name TEXT,
3374
+ status TEXT NOT NULL DEFAULT 'open',
3375
+ priority INTEGER NOT NULL DEFAULT 5,
3376
+ success_criteria TEXT,
3377
+ parent_goal_id TEXT,
3378
+ due_at TEXT,
3379
+ achieved_at TEXT,
3380
+ supersedes_id TEXT,
3381
+ created_at TEXT NOT NULL,
3382
+ updated_at TEXT NOT NULL,
3383
+ source_memory_id TEXT
3384
+ );
3385
+
3386
+ CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
3387
+ ON agent_goals(project_name, status, priority);
3388
+
3389
+ CREATE TABLE IF NOT EXISTS agent_events (
3390
+ id TEXT PRIMARY KEY,
3391
+ event_type TEXT NOT NULL,
3392
+ occurred_at TEXT NOT NULL,
3393
+ sequence_index INTEGER NOT NULL,
3394
+ actor_agent_id TEXT,
3395
+ agent_role TEXT,
3396
+ project_name TEXT,
3397
+ session_id TEXT,
3398
+ task_id TEXT,
3399
+ goal_id TEXT,
3400
+ parent_event_id TEXT,
3401
+ intention TEXT,
3402
+ outcome TEXT,
3403
+ evidence_memory_id TEXT,
3404
+ impact TEXT,
3405
+ payload TEXT DEFAULT '{}',
3406
+ created_at TEXT NOT NULL
3407
+ );
3408
+
3409
+ CREATE INDEX IF NOT EXISTS idx_agent_events_time
3410
+ ON agent_events(occurred_at, sequence_index);
3411
+
3412
+ CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
3413
+ ON agent_events(session_id, sequence_index);
3414
+
3415
+ CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
3416
+ ON agent_events(goal_id, occurred_at);
3417
+
3418
+ CREATE INDEX IF NOT EXISTS idx_agent_events_memory
3419
+ ON agent_events(evidence_memory_id);
3420
+
3421
+ CREATE TABLE IF NOT EXISTS agent_goal_links (
3422
+ id TEXT PRIMARY KEY,
3423
+ goal_id TEXT NOT NULL,
3424
+ link_type TEXT NOT NULL,
3425
+ target_id TEXT NOT NULL,
3426
+ target_type TEXT NOT NULL,
3427
+ created_at TEXT NOT NULL
3428
+ );
3429
+
3430
+ CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
3431
+ ON agent_goal_links(goal_id, target_type);
3432
+
3433
+ CREATE TABLE IF NOT EXISTS agent_semantic_labels (
3434
+ id TEXT PRIMARY KEY,
3435
+ source_memory_id TEXT NOT NULL,
3436
+ event_id TEXT,
3437
+ labeler TEXT NOT NULL,
3438
+ schema_version INTEGER NOT NULL DEFAULT 1,
3439
+ confidence REAL NOT NULL DEFAULT 0,
3440
+ labels TEXT NOT NULL,
3441
+ created_at TEXT NOT NULL,
3442
+ updated_at TEXT NOT NULL
3443
+ );
3444
+
3445
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
3446
+ ON agent_semantic_labels(source_memory_id, labeler);
3447
+
3448
+ CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
3449
+ ON agent_semantic_labels(event_id);
3450
+
3451
+ CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
3452
+ id TEXT PRIMARY KEY,
3453
+ project_name TEXT,
3454
+ session_id TEXT,
3455
+ window_start_at TEXT NOT NULL,
3456
+ window_end_at TEXT NOT NULL,
3457
+ event_count INTEGER NOT NULL DEFAULT 0,
3458
+ goal_count INTEGER NOT NULL DEFAULT 0,
3459
+ success_count INTEGER NOT NULL DEFAULT 0,
3460
+ failure_count INTEGER NOT NULL DEFAULT 0,
3461
+ risk_count INTEGER NOT NULL DEFAULT 0,
3462
+ summary TEXT NOT NULL,
3463
+ learnings TEXT NOT NULL DEFAULT '[]',
3464
+ next_actions TEXT NOT NULL DEFAULT '[]',
3465
+ evidence_event_ids TEXT NOT NULL DEFAULT '[]',
3466
+ confidence REAL NOT NULL DEFAULT 0,
3467
+ created_at TEXT NOT NULL
3468
+ );
3469
+
3470
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
3471
+ ON agent_reflection_checkpoints(project_name, window_end_at);
3472
+
3473
+ CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
3474
+ ON agent_reflection_checkpoints(session_id, window_end_at);
3475
+ `);
3328
3476
  try {
3329
3477
  await client.execute({
3330
3478
  sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -6783,7 +6931,7 @@ var init_tmux_routing = __esm({
6783
6931
 
6784
6932
  // src/lib/keychain.ts
6785
6933
  import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
6786
- import { existsSync as existsSync16 } from "fs";
6934
+ import { existsSync as existsSync16, statSync as statSync2 } from "fs";
6787
6935
  import { execSync as execSync8 } from "child_process";
6788
6936
  import path20 from "path";
6789
6937
  import os13 from "os";
@@ -6793,29 +6941,78 @@ function getKeyDir() {
6793
6941
  function getKeyPath() {
6794
6942
  return path20.join(getKeyDir(), "master.key");
6795
6943
  }
6796
- function macKeychainGet() {
6944
+ function nativeKeychainAllowed() {
6945
+ return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
6946
+ }
6947
+ function linuxSecretAvailable() {
6948
+ if (!nativeKeychainAllowed()) return false;
6949
+ if (process.platform !== "linux") return false;
6950
+ if (linuxSecretAvailability !== null) return linuxSecretAvailability;
6951
+ try {
6952
+ execSync8("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
6953
+ } catch {
6954
+ linuxSecretAvailability = false;
6955
+ return false;
6956
+ }
6957
+ try {
6958
+ execSync8("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
6959
+ linuxSecretAvailability = true;
6960
+ } catch {
6961
+ linuxSecretAvailability = false;
6962
+ }
6963
+ return linuxSecretAvailability;
6964
+ }
6965
+ function isRootOnlyTrustedServerKeyFile(keyPath) {
6966
+ if (process.platform !== "linux") return false;
6967
+ try {
6968
+ const uid = typeof os13.userInfo().uid === "number" ? os13.userInfo().uid : -1;
6969
+ const st = statSync2(keyPath);
6970
+ if (!st.isFile() || (st.mode & 63) !== 0) return false;
6971
+ if (uid === 0) return true;
6972
+ const exeOsDir = process.env.EXE_OS_DIR;
6973
+ return Boolean(exeOsDir && path20.resolve(keyPath).startsWith(path20.resolve(exeOsDir) + path20.sep));
6974
+ } catch {
6975
+ return false;
6976
+ }
6977
+ }
6978
+ function macKeychainGet(service = SERVICE) {
6979
+ if (!nativeKeychainAllowed()) return null;
6797
6980
  if (process.platform !== "darwin") return null;
6798
6981
  try {
6799
6982
  return execSync8(
6800
- `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
6983
+ `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
6801
6984
  { encoding: "utf-8", timeout: 5e3 }
6802
6985
  ).trim();
6803
6986
  } catch {
6804
6987
  return null;
6805
6988
  }
6806
6989
  }
6807
- function macKeychainSet(value) {
6990
+ function macKeychainSet(value, service = SERVICE) {
6991
+ if (!nativeKeychainAllowed()) return false;
6808
6992
  if (process.platform !== "darwin") return false;
6809
6993
  try {
6810
6994
  try {
6811
6995
  execSync8(
6812
- `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
6996
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
6813
6997
  { timeout: 5e3 }
6814
6998
  );
6815
6999
  } catch {
6816
7000
  }
6817
7001
  execSync8(
6818
- `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
7002
+ `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
7003
+ { timeout: 5e3 }
7004
+ );
7005
+ return true;
7006
+ } catch {
7007
+ return false;
7008
+ }
7009
+ }
7010
+ function macKeychainDelete(service = SERVICE) {
7011
+ if (!nativeKeychainAllowed()) return false;
7012
+ if (process.platform !== "darwin") return false;
7013
+ try {
7014
+ execSync8(
7015
+ `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
6819
7016
  { timeout: 5e3 }
6820
7017
  );
6821
7018
  return true;
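Review bot: isRootOnlyTrustedServerKeyFile never checks who owns the file: it tests `(st.mode & 63) !== 0` for group/other bits and then returns true for uid 0, so a 0600 file owned by an unprivileged account is treated as root-only even though that account can rewrite it. For a non-root process the prefix test uses `path20.resolve`, which does not follow symlinks, while `statSync2` does, so a link inside `EXE_OS_DIR` pointing elsewhere also passes. The getMasterKey hunk further down uses a true result to return a plaintext key file without migrating it, so I would add `if (st.uid !== uid) return false;` after the mode test and compare real paths rather than resolved ones. Reading `os13.userInfo()` once into a local would also tidy the `uid` line.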
@@ -6823,22 +7020,35 @@ function macKeychainSet(value) {
6823
7020
  return false;
6824
7021
  }
6825
7022
  }
6826
- function linuxSecretGet() {
6827
- if (process.platform !== "linux") return null;
7023
+ function linuxSecretGet(service = SERVICE) {
7024
+ if (!linuxSecretAvailable()) return null;
6828
7025
  try {
6829
7026
  return execSync8(
6830
- `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
7027
+ `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
6831
7028
  { encoding: "utf-8", timeout: 5e3 }
6832
7029
  ).trim();
6833
7030
  } catch {
6834
7031
  return null;
6835
7032
  }
6836
7033
  }
6837
- function linuxSecretSet(value) {
7034
+ function linuxSecretSet(value, service = SERVICE) {
7035
+ if (!linuxSecretAvailable()) return false;
7036
+ try {
7037
+ execSync8(
7038
+ `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
7039
+ { timeout: 5e3 }
7040
+ );
7041
+ return true;
7042
+ } catch {
7043
+ return false;
7044
+ }
7045
+ }
7046
+ function linuxSecretDelete(service = SERVICE) {
7047
+ if (!nativeKeychainAllowed()) return false;
6838
7048
  if (process.platform !== "linux") return false;
6839
7049
  try {
6840
7050
  execSync8(
6841
- `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
7051
+ `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
6842
7052
  { timeout: 5e3 }
6843
7053
  );
6844
7054
  return true;
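Review bot: linuxSecretSet still builds `echo -n "${value}" | secret-tool store …` as a shell string, and this commit now also passes it the value read back from the legacy keychain entry. Any `"`, `$` or backtick in `value` or `service` is interpreted by the shell, and the key is part of the `sh -c` command line for as long as the command runs. Dropping the `echo -n … |` prefix and handing the secret over on stdin with `{ input: value, timeout: 5e3 }` avoids both problems. macKeychainSet's `-w "${value}"` in the previous hunk has the same shape. linuxSecretDelete, which continues past this hunk, checks the platform directly and skips the `linuxSecretAvailable()` probe that the get/set pair now use.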
@@ -6847,6 +7057,7 @@ function linuxSecretSet(value) {
6847
7057
  }
6848
7058
  }
6849
7059
  async function tryKeytar() {
7060
+ if (!nativeKeychainAllowed()) return null;
6850
7061
  try {
6851
7062
  return await import("keytar");
6852
7063
  } catch {
@@ -6920,7 +7131,19 @@ async function writeMachineBoundFileFallback(b64) {
6920
7131
  return "plaintext";
6921
7132
  }
6922
7133
  async function getMasterKey() {
6923
- const nativeValue = macKeychainGet() ?? linuxSecretGet();
7134
+ let nativeValue = macKeychainGet() ?? linuxSecretGet();
7135
+ if (!nativeValue) {
7136
+ const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
7137
+ if (legacyValue) {
7138
+ const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
7139
+ if (migrated) {
7140
+ macKeychainDelete(LEGACY_SERVICE);
7141
+ linuxSecretDelete(LEGACY_SERVICE);
7142
+ process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
7143
+ }
7144
+ nativeValue = legacyValue;
7145
+ }
7146
+ }
6924
7147
  if (nativeValue) {
6925
7148
  return Buffer.from(nativeValue, "base64");
6926
7149
  }
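Review bot: The legacy migration at the top of getMasterKey deletes the `LEGACY_SERVICE` entry as soon as `macKeychainSet`/`linuxSecretSet` returns true, without reading the new entry back. Those setters report success whenever the command exits without throwing, so if the store did not actually persist, the master key is left in neither place after this run. I would gate the two delete calls on a read-back, e.g. `if (migrated && (macKeychainGet() ?? linuxSecretGet()) === legacyValue) {`. `legacyValue` also reaches the shell-interpolating setters unvalidated, so a base64 shape check before the set would be cheap insurance. getMasterKey continues outside this hunk.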
@@ -6928,12 +7151,17 @@ async function getMasterKey() {
6928
7151
  if (keytar) {
6929
7152
  try {
6930
7153
  const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
6931
- if (keytarValue) {
6932
- const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
7154
+ const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
7155
+ if (legacyKeytarValue) {
7156
+ const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
6933
7157
  if (migrated) {
6934
7158
  process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
7159
+ try {
7160
+ await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
7161
+ } catch {
7162
+ }
6935
7163
  }
6936
- return Buffer.from(keytarValue, "base64");
7164
+ return Buffer.from(legacyKeytarValue, "base64");
6937
7165
  }
6938
7166
  } catch {
6939
7167
  }
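Review bot: In the keytar branch, `keytar.deletePassword(LEGACY_SERVICE, ACCOUNT)` runs even when the value came from `SERVICE`, in which case the legacy entry was never read and may hold a different key. Recording the source, e.g. `const fromLegacy = keytarValue == null;`, and deleting only `if (fromLegacy)` would avoid removing an entry nobody looked at. The empty `catch {}` around the delete also hides a failure that leaves the old secret in place; a short stderr line there would help. The log text says "from keytar" for both sources, which makes the two cases hard to tell apart afterwards.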
@@ -6958,7 +7186,7 @@ async function getMasterKey() {
6958
7186
  const decrypted = decryptWithMachineKey(content, machineKey);
6959
7187
  if (!decrypted) {
6960
7188
  process.stderr.write(
6961
- "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase: exe-os link import\n"
7189
+ "[keychain] Key decryption failed \u2014 machine may have changed.\n Use your 24-word recovery phrase during setup: exe-os setup\n"
6962
7190
  );
6963
7191
  return null;
6964
7192
  }
@@ -6967,6 +7195,9 @@ async function getMasterKey() {
6967
7195
  b64Value = content;
6968
7196
  }
6969
7197
  const key = Buffer.from(b64Value, "base64");
7198
+ if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
7199
+ return key;
7200
+ }
6970
7201
  const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
6971
7202
  if (migrated) {
6972
7203
  process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -6994,12 +7225,14 @@ async function getMasterKey() {
6994
7225
  return null;
6995
7226
  }
6996
7227
  }
6997
- var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
7228
+ var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
6998
7229
  var init_keychain = __esm({
6999
7230
  "src/lib/keychain.ts"() {
7000
7231
  "use strict";
7001
- SERVICE = "exe-mem";
7232
+ SERVICE = "exe-os";
7233
+ LEGACY_SERVICE = "exe-mem";
7002
7234
  ACCOUNT = "master-key";
7235
+ linuxSecretAvailability = null;
7003
7236
  ENCRYPTED_PREFIX = "enc:";
7004
7237
  }
7005
7238
  });
@@ -7214,7 +7447,7 @@ __export(shard_manager_exports, {
7214
7447
  shardExists: () => shardExists
7215
7448
  });
7216
7449
  import path21 from "path";
7217
- import { existsSync as existsSync17, mkdirSync as mkdirSync8, readdirSync as readdirSync4, renameSync as renameSync4, statSync as statSync2 } from "fs";
7450
+ import { existsSync as existsSync17, mkdirSync as mkdirSync8, readdirSync as readdirSync4, renameSync as renameSync4, statSync as statSync3 } from "fs";
7218
7451
  import { createClient as createClient2 } from "@libsql/client";
7219
7452
  function initShardManager(encryptionKey) {
7220
7453
  _encryptionKey = encryptionKey;
@@ -7278,7 +7511,7 @@ async function auditShardHealth(options = {}) {
7278
7511
  const shards = [];
7279
7512
  for (const name of names) {
7280
7513
  const dbPath = path21.join(SHARDS_DIR, `${name}.db`);
7281
- const stat = statSync2(dbPath);
7514
+ const stat = statSync3(dbPath);
7282
7515
  const item = {
7283
7516
  name,
7284
7517
  path: dbPath,
@@ -7531,7 +7764,7 @@ async function getReadyShardClient(projectName) {
7531
7764
  _shardLastAccess.delete(safeName);
7532
7765
  const dbPath = path21.join(SHARDS_DIR, `${safeName}.db`);
7533
7766
  if (existsSync17(dbPath)) {
7534
- const stat = statSync2(dbPath);
7767
+ const stat = statSync3(dbPath);
7535
7768
  const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
7536
7769
  const archivedPath = path21.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
7537
7770
  renameSync4(dbPath, archivedPath);
@@ -7651,6 +7884,12 @@ var init_platform_procedures = __esm({
7651
7884
  priority: "p0",
7652
7885
  content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
7653
7886
  },
7887
+ {
7888
+ title: "Customer orchestration maturity \u2014 recommend, never trap",
7889
+ domain: "workflow",
7890
+ priority: "p1",
7891
+ content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
7892
+ },
7654
7893
  {
7655
7894
  title: "Single dispatch path \u2014 create_task only",
7656
7895
  domain: "workflow",
@@ -7709,6 +7948,12 @@ var init_platform_procedures = __esm({
7709
7948
  priority: "p0",
7710
7949
  content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
7711
7950
  },
7951
+ {
7952
+ title: "Commit discipline \u2014 never leave verified work floating",
7953
+ domain: "workflow",
7954
+ priority: "p1",
7955
+ content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
7956
+ },
7712
7957
  {
7713
7958
  title: "Desktop and TUI are the same product",
7714
7959
  domain: "architecture",
@@ -8026,6 +8271,274 @@ var init_memory_cards = __esm({
8026
8271
  }
8027
8272
  });
8028
8273
 
8274
+ // src/lib/agentic-ontology.ts
8275
+ var agentic_ontology_exports = {};
8276
+ __export(agentic_ontology_exports, {
8277
+ clean: () => clean,
8278
+ extractGoalCandidates: () => extractGoalCandidates,
8279
+ inferIntention: () => inferIntention,
8280
+ inferOntologyEventType: () => inferOntologyEventType,
8281
+ inferOutcome: () => inferOutcome,
8282
+ inferSemanticLabel: () => inferSemanticLabel,
8283
+ insertOntologyForBatch: () => insertOntologyForBatch,
8284
+ insertOntologyForMemory: () => insertOntologyForMemory,
8285
+ ontologyPayload: () => ontologyPayload,
8286
+ stableId: () => stableId2
8287
+ });
8288
+ import { createHash as createHash3 } from "crypto";
8289
+ function stableId2(...parts) {
8290
+ return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
8291
+ }
8292
+ function clean(text, max = 240) {
8293
+ return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
8294
+ }
8295
+ function inferOntologyEventType(row) {
8296
+ const lower = row.raw_text.toLowerCase();
8297
+ if (row.has_error) return "error";
8298
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
8299
+ if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
8300
+ if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
8301
+ if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
8302
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
8303
+ if (row.tool_name.startsWith("memory_card")) return "memory_card";
8304
+ return "memory_observation";
8305
+ }
8306
+ function inferIntention(row) {
8307
+ if (row.intent) return clean(row.intent, 220);
8308
+ const text = clean(row.raw_text, 1e3);
8309
+ const patterns = [
8310
+ /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
8311
+ /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
8312
+ /(?:task|plan):\s*([^.!?\n]{8,220})/i
8313
+ ];
8314
+ for (const p of patterns) {
8315
+ const m = text.match(p);
8316
+ if (m?.[1]) return clean(m[1], 220);
8317
+ }
8318
+ if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
8319
+ return `${row.tool_name} during ${row.project_name}`;
8320
+ }
8321
+ return null;
8322
+ }
8323
+ function inferOutcome(row) {
8324
+ if (row.outcome) return clean(row.outcome, 220);
8325
+ if (row.has_error) return "error";
8326
+ const lower = row.raw_text.toLowerCase();
8327
+ if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
8328
+ if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
8329
+ if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
8330
+ return null;
8331
+ }
8332
+ function extractGoalCandidates(row) {
8333
+ const text = clean(row.raw_text, 1600);
8334
+ const patterns = [
8335
+ /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
8336
+ /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
8337
+ ];
8338
+ const out = [];
8339
+ for (const pattern of patterns) {
8340
+ for (const m of text.matchAll(pattern)) {
8341
+ const candidate = clean(m[1] ?? "", 220);
8342
+ if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
8343
+ if (out.length >= 3) return out;
8344
+ }
8345
+ }
8346
+ return out;
8347
+ }
8348
+ function uniq(values, max = 6) {
8349
+ const out = [];
8350
+ for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
8351
+ if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
8352
+ if (out.length >= max) break;
8353
+ }
8354
+ return out;
8355
+ }
8356
+ function extractMatches(text, patterns, max = 5) {
8357
+ const out = [];
8358
+ for (const pattern of patterns) {
8359
+ for (const match of text.matchAll(pattern)) {
8360
+ const value = match[1] ?? match[0];
8361
+ if (value) out.push(value);
8362
+ if (out.length >= max) return uniq(out, max);
8363
+ }
8364
+ }
8365
+ return uniq(out, max);
8366
+ }
8367
+ function inferSemanticLabel(row) {
8368
+ const text = clean(row.raw_text, 2400);
8369
+ const eventType = inferOntologyEventType(row);
8370
+ const intention = inferIntention(row);
8371
+ const outcome = inferOutcome(row);
8372
+ const goals = extractGoalCandidates(row);
8373
+ const milestones = extractMatches(text, [
8374
+ /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
8375
+ /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
8376
+ ]);
8377
+ const problems = extractMatches(text, [
8378
+ /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
8379
+ /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
8380
+ ]);
8381
+ const decisions = extractMatches(text, [
8382
+ /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
8383
+ ]);
8384
+ const temporalAnchors = extractMatches(text, [
8385
+ /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
8386
+ /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
8387
+ ], 8);
8388
+ const nextActions = extractMatches(text, [
8389
+ /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
8390
+ ]);
8391
+ const actors = uniq([
8392
+ row.agent_id,
8393
+ ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
8394
+ ], 6);
8395
+ const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
8396
+ const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
8397
+ const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
8398
+ const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
8399
+ return {
8400
+ labeler: "deterministic",
8401
+ schemaVersion: 1,
8402
+ eventType,
8403
+ intention,
8404
+ outcome,
8405
+ impact,
8406
+ confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
8407
+ goals,
8408
+ milestones,
8409
+ problems,
8410
+ decisions,
8411
+ actors,
8412
+ temporalAnchors,
8413
+ successSignals,
8414
+ failureSignals,
8415
+ nextActions,
8416
+ summary: clean(text, 280)
8417
+ };
8418
+ }
8419
+ function ontologyPayload(row) {
8420
+ const semantic = inferSemanticLabel(row);
8421
+ return {
8422
+ tool_name: row.tool_name,
8423
+ memory_version: row.version ?? null,
8424
+ domain: row.domain ?? null,
8425
+ trajectory: row.trajectory ? safeJson(row.trajectory) : null,
8426
+ semantic
8427
+ };
8428
+ }
8429
+ function safeJson(value) {
8430
+ try {
8431
+ return JSON.parse(value);
8432
+ } catch {
8433
+ return value.slice(0, 1e3);
8434
+ }
8435
+ }
8436
+ async function resolveClient(client) {
8437
+ if (client) return client;
8438
+ const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
8439
+ return getClient2();
8440
+ }
8441
+ async function insertOntologyForMemory(row, client) {
8442
+ const db = await resolveClient(client);
8443
+ const occurredAt = row.timestamp;
8444
+ const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
8445
+ const eventType = inferOntologyEventType(row);
8446
+ const intention = inferIntention(row);
8447
+ const outcome = inferOutcome(row);
8448
+ const eventId = stableId2("event", row.id);
8449
+ const now = (/* @__PURE__ */ new Date()).toISOString();
8450
+ await db.execute({
8451
+ sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
8452
+ VALUES (?, ?, ?, ?, ?, 1, ?)
8453
+ ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
8454
+ event_count = event_count + 1`,
8455
+ args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
8456
+ });
8457
+ await db.execute({
8458
+ sql: `INSERT OR IGNORE INTO agent_events
8459
+ (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
8460
+ session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
8461
+ impact, payload, created_at)
8462
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
8463
+ args: [
8464
+ eventId,
8465
+ eventType,
8466
+ occurredAt,
8467
+ sequence,
8468
+ row.agent_id,
8469
+ row.agent_role,
8470
+ row.project_name,
8471
+ row.session_id,
8472
+ row.task_id ?? null,
8473
+ intention,
8474
+ outcome,
8475
+ row.id,
8476
+ row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
8477
+ JSON.stringify(ontologyPayload(row)),
8478
+ now
8479
+ ]
8480
+ });
8481
+ const semantic = inferSemanticLabel(row);
8482
+ await db.execute({
8483
+ sql: `INSERT INTO agent_semantic_labels
8484
+ (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
8485
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
8486
+ ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
8487
+ labels = excluded.labels, updated_at = excluded.updated_at`,
8488
+ args: [
8489
+ stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
8490
+ row.id,
8491
+ eventId,
8492
+ semantic.labeler,
8493
+ semantic.schemaVersion,
8494
+ semantic.confidence,
8495
+ JSON.stringify(semantic),
8496
+ now,
8497
+ now
8498
+ ]
8499
+ });
8500
+ for (const statement of extractGoalCandidates(row)) {
8501
+ const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
8502
+ await db.execute({
8503
+ sql: `INSERT INTO agent_goals
8504
+ (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
8505
+ parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
8506
+ VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
8507
+ ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
8508
+ args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
8509
+ });
8510
+ await db.execute({
8511
+ sql: `INSERT OR IGNORE INTO agent_goal_links
8512
+ (id, goal_id, link_type, target_id, target_type, created_at)
8513
+ VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
8514
+ args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
8515
+ });
8516
+ await db.execute({
8517
+ sql: `INSERT OR IGNORE INTO agent_goal_links
8518
+ (id, goal_id, link_type, target_id, target_type, created_at)
8519
+ VALUES (?, ?, 'event', ?, 'event', ?)`,
8520
+ args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
8521
+ });
8522
+ }
8523
+ }
8524
+ async function insertOntologyForBatch(rows, client) {
8525
+ const db = await resolveClient(client);
8526
+ let count = 0;
8527
+ for (const row of rows) {
8528
+ try {
8529
+ await insertOntologyForMemory(row, db);
8530
+ count++;
8531
+ } catch {
8532
+ }
8533
+ }
8534
+ return count;
8535
+ }
8536
+ var init_agentic_ontology = __esm({
8537
+ "src/lib/agentic-ontology.ts"() {
8538
+ "use strict";
8539
+ }
8540
+ });
8541
+
8029
8542
  // src/lib/store.ts
8030
8543
  var store_exports = {};
8031
8544
  __export(store_exports, {
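Review bot: Failures in the new ontology writes are discarded without a trace: `insertOntologyForBatch` wraps each row in an empty `catch {}`, and the `flushBatch` hunk that follows wraps the whole call in a second one. Because `insertOntologyForMemory` issues the session upsert, event insert, label upsert and goal inserts as separate `db.execute` calls, an error part-way through leaves `agent_sessions.event_count` incremented with dependent rows missing, and a row whose `raw_text` is not a string throws in `clean()` before any write and is dropped just as silently. I would at least record the failure in the TypeScript source (`src/lib/agentic-ontology.ts`, per the bundle comment), for example `} catch (err) { console.warn("ontology insert failed", row.id, err); }`, using the project's own logger if it has one. Separately, the character class `[0-9:.+-Z]` in the temporal-anchor pattern contains the range `+` to `Z`, which also matches uppercase letters and several punctuation characters; `[0-9:.+Z-]` is probably what was meant.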
@@ -8369,6 +8882,11 @@ async function flushBatch() {
8369
8882
  await insertMemoryCardsForBatch2(batch);
8370
8883
  } catch {
8371
8884
  }
8885
+ try {
8886
+ const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
8887
+ await insertOntologyForBatch2(batch);
8888
+ } catch {
8889
+ }
8372
8890
  schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
8373
8891
  _pendingRecords.splice(0, batch.length);
8374
8892
  try {
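Review bot: With this call in `flushBatch`, every flushed memory row has excerpts of its `raw_text` copied into `agent_events.payload`, `agent_semantic_labels.labels` and `agent_goals.statement` by the module added in the previous hunk. Nothing visible filters credentials or other sensitive strings first, since `clean()` only strips NULs, fenced code blocks and extra whitespace. If memories can be deleted or redacted elsewhere in the package, those paths presumably need to cover the new tables too; that code is not shown here, so this is something to confirm rather than a confirmed gap. A comment at the call site would make the dependency explicit, for example `// ontology tables hold raw_text excerpts: keep delete/redact paths in sync`. `flushBatch` starts and ends outside the hunk.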