@askexenow/exe-os 0.9.69 → 0.9.70

package/dist/lib/hybrid-search.js

@@ -4123,6 +4123,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
       },
+      {
+        title: "Code context first for repository orientation",
+        domain: "workflow",
+        priority: "p1",
+        content: "Before broad repo exploration, symbol tracing, blast-radius review, or codebase Q&A, agents should use the consolidated code_context MCP tool instead of manual grep/read loops. Use action=index or stats to refresh/check the index; action=search with query, limit, offset, languages, paths, refresh_index for fresh multi-language code/doc search; action=trace for symbol imports/dependents; action=blast_radius for impact analysis before edits. CLI parity exists via exe-os code-context init|index|status|stats|search|doctor. Keep code_context separate from durable employee memory: promote only validated decisions, procedures, or lessons into store_memory/commit_memory."
+      },
       {
         title: "Commit discipline \u2014 never leave verified work floating",
         domain: "workflow",

package/dist/lib/registry-proxy.js

@@ -0,0 +1,162 @@
+// src/lib/registry-proxy.ts
+import { createServer } from "http";
+import { Readable } from "stream";
+function parsePullTokens(raw) {
+  return (raw ?? "").split(/[\n,]/).map((s) => s.trim()).filter(Boolean);
+}
+function registryProxyOptionsFromEnv(env = process.env) {
+  const upstreamToken = env.EXE_REGISTRY_PROXY_UPSTREAM_TOKEN || env.GHCR_TOKEN || "";
+  const pullTokens = parsePullTokens(env.EXE_REGISTRY_PROXY_PULL_TOKENS);
+  return {
+    port: Number(env.EXE_REGISTRY_PROXY_PORT || 3201),
+    host: env.EXE_REGISTRY_PROXY_HOST || "0.0.0.0",
+    upstream: env.EXE_REGISTRY_PROXY_UPSTREAM || "https://ghcr.io",
+    upstreamUsername: env.EXE_REGISTRY_PROXY_UPSTREAM_USERNAME || env.GHCR_USERNAME || "askexe",
+    upstreamToken,
+    pullTokens,
+    allowedNamespace: env.EXE_REGISTRY_PROXY_ALLOWED_NAMESPACE || "askexe"
+  };
+}
+function assertRegistryProxyConfig(options) {
+  if (!options.upstreamToken) throw new Error("EXE_REGISTRY_PROXY_UPSTREAM_TOKEN or GHCR_TOKEN is required");
+  if (options.pullTokens.length === 0) throw new Error("EXE_REGISTRY_PROXY_PULL_TOKENS is required");
+  if (!options.allowedNamespace || !/^[a-z0-9._-]+$/i.test(options.allowedNamespace)) {
+    throw new Error("EXE_REGISTRY_PROXY_ALLOWED_NAMESPACE must be a registry-safe namespace");
+  }
+}
+function timingSafeIncludes(values, candidate) {
+  return values.some((value) => value === candidate);
+}
+function parseBasicAuth(header) {
+  if (!header?.startsWith("Basic ")) return null;
+  try {
+    const decoded = Buffer.from(header.slice("Basic ".length), "base64").toString("utf8");
+    const idx = decoded.indexOf(":");
+    if (idx < 0) return null;
+    return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
+  } catch {
+    return null;
+  }
+}
+function unauthorized(res) {
+  res.writeHead(401, {
+    "www-authenticate": 'Basic realm="AskExe Registry Proxy"',
+    "content-type": "application/json"
+  });
+  res.end(JSON.stringify({ error: "registry proxy authentication required" }));
+}
+function isAllowedPath(pathname, namespace) {
+  if (pathname === "/health") return true;
+  if (pathname === "/v2/" || pathname === "/v2") return true;
+  const prefix = `/v2/${namespace}/`;
+  if (!pathname.startsWith(prefix)) return false;
+  if (pathname.includes("..") || /%2f/i.test(pathname)) return false;
+  return true;
+}
+function parseBearerChallenge(header) {
+  if (!header?.toLowerCase().startsWith("bearer ")) return null;
+  const raw = header.slice("Bearer ".length);
+  const params = new URLSearchParams();
+  for (const part of raw.match(/(?:[^,"]+|"[^"]*")+/g) ?? []) {
+    const idx = part.indexOf("=");
+    if (idx < 0) continue;
+    const key = part.slice(0, idx).trim();
+    const value = part.slice(idx + 1).trim().replace(/^"|"$/g, "");
+    params.set(key, value);
+  }
+  const realm = params.get("realm");
+  if (!realm) return null;
+  params.delete("realm");
+  return { realm, params };
+}
+async function fetchUpstreamWithRegistryAuth(url, init, upstreamBasicAuth) {
+  const firstHeaders = new Headers(init.headers);
+  firstHeaders.set("authorization", `Basic ${upstreamBasicAuth}`);
+  const first = await fetch(url, { ...init, headers: firstHeaders });
+  if (first.status !== 401) return first;
+  const challenge = parseBearerChallenge(first.headers.get("www-authenticate"));
+  if (!challenge) return first;
+  const tokenUrl = new URL(challenge.realm);
+  for (const [key, value] of challenge.params.entries()) tokenUrl.searchParams.set(key, value);
+  const tokenRes = await fetch(tokenUrl, { headers: { authorization: `Basic ${upstreamBasicAuth}` } });
+  if (!tokenRes.ok) return first;
+  const tokenJson = await tokenRes.json();
+  const token = tokenJson.token ?? tokenJson.access_token;
+  if (!token) return first;
+  const retryHeaders = new Headers(init.headers);
+  retryHeaders.set("authorization", `Bearer ${token}`);
+  return fetch(url, { ...init, headers: retryHeaders });
+}
+function copyResponseHeaders(from, to) {
+  for (const [key, value] of from.entries()) {
+    const lower = key.toLowerCase();
+    if (["connection", "keep-alive", "transfer-encoding", "content-encoding"].includes(lower)) continue;
+    to.setHeader(key, value);
+  }
+}
+function createRegistryProxyServer(options) {
+  assertRegistryProxyConfig(options);
+  const upstream = new URL(options.upstream ?? "https://ghcr.io");
+  const namespace = options.allowedNamespace ?? "askexe";
+  const upstreamAuth = Buffer.from(`${options.upstreamUsername ?? "askexe"}:${options.upstreamToken}`).toString("base64");
+  return createServer(async (req, res) => {
+    const requestUrl = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+    if (requestUrl.pathname === "/health") {
+      res.writeHead(200, { "content-type": "application/json" });
+      res.end(JSON.stringify({ ok: true, service: "exe-registry-proxy", upstream: upstream.origin, namespace }));
+      return;
+    }
+    if (!isAllowedPath(requestUrl.pathname, namespace)) {
+      res.writeHead(404, { "content-type": "application/json" });
+      res.end(JSON.stringify({ error: "registry path not allowed" }));
+      return;
+    }
+    const auth = parseBasicAuth(req.headers.authorization);
+    if (!auth || !timingSafeIncludes(options.pullTokens, auth.password)) {
+      unauthorized(res);
+      return;
+    }
+    const upstreamUrl = new URL(requestUrl.pathname + requestUrl.search, upstream.origin);
+    const headers = new Headers();
+    for (const [key, value] of Object.entries(req.headers)) {
+      if (!value) continue;
+      const lower = key.toLowerCase();
+      if (["host", "connection", "authorization", "content-length"].includes(lower)) continue;
+      headers.set(key, Array.isArray(value) ? value.join(",") : value);
+    }
+    headers.set("authorization", `Basic ${upstreamAuth}`);
+    try {
+      const upstreamRes = await fetchUpstreamWithRegistryAuth(upstreamUrl, {
+        method: req.method,
+        headers,
+        body: req.method === "GET" || req.method === "HEAD" ? void 0 : req,
+        // Required by undici when streaming request bodies.
+        duplex: "half"
+      }, upstreamAuth);
+      res.statusCode = upstreamRes.status;
+      res.statusMessage = upstreamRes.statusText;
+      copyResponseHeaders(upstreamRes.headers, res);
+      if (!upstreamRes.body || req.method === "HEAD") {
+        res.end();
+        return;
+      }
+      Readable.fromWeb(upstreamRes.body).pipe(res);
+    } catch (err) {
+      res.writeHead(502, { "content-type": "application/json" });
+      res.end(JSON.stringify({ error: "upstream registry proxy failed", detail: err instanceof Error ? err.message : String(err) }));
+    }
+  });
+}
+async function runRegistryProxy(options = registryProxyOptionsFromEnv()) {
+  const server = createRegistryProxyServer(options);
+  await new Promise((resolve) => server.listen(options.port, options.host, resolve));
+  console.log(`exe-registry-proxy listening on ${options.host ?? "0.0.0.0"}:${options.port}`);
+  console.log(`proxying /v2/${options.allowedNamespace ?? "askexe"}/* -> ${options.upstream ?? "https://ghcr.io"}`);
+}
+export {
+  assertRegistryProxyConfig,
+  createRegistryProxyServer,
+  parsePullTokens,
+  registryProxyOptionsFromEnv,
+  runRegistryProxy
+};

package/dist/lib/schedules.js

@@ -3352,6 +3352,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
       },
+      {
+        title: "Code context first for repository orientation",
+        domain: "workflow",
+        priority: "p1",
+        content: "Before broad repo exploration, symbol tracing, blast-radius review, or codebase Q&A, agents should use the consolidated code_context MCP tool instead of manual grep/read loops. Use action=index or stats to refresh/check the index; action=search with query, limit, offset, languages, paths, refresh_index for fresh multi-language code/doc search; action=trace for symbol imports/dependents; action=blast_radius for impact analysis before edits. CLI parity exists via exe-os code-context init|index|status|stats|search|doctor. Keep code_context separate from durable employee memory: promote only validated decisions, procedures, or lessons into store_memory/commit_memory."
+      },
       {
         title: "Commit discipline \u2014 never leave verified work floating",
         domain: "workflow",

package/dist/lib/store.js

@@ -3352,6 +3352,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
       },
+      {
+        title: "Code context first for repository orientation",
+        domain: "workflow",
+        priority: "p1",
+        content: "Before broad repo exploration, symbol tracing, blast-radius review, or codebase Q&A, agents should use the consolidated code_context MCP tool instead of manual grep/read loops. Use action=index or stats to refresh/check the index; action=search with query, limit, offset, languages, paths, refresh_index for fresh multi-language code/doc search; action=trace for symbol imports/dependents; action=blast_radius for impact analysis before edits. CLI parity exists via exe-os code-context init|index|status|stats|search|doctor. Keep code_context separate from durable employee memory: promote only validated decisions, procedures, or lessons into store_memory/commit_memory."
+      },
       {
         title: "Commit discipline \u2014 never leave verified work floating",
         domain: "workflow",