@askexenow/exe-os 0.9.8 → 0.9.9

package/dist/bin/exe-call.js

@@ -9,9 +9,34 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/lib/secure-files.ts
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { chmod, mkdir } from "fs/promises";
+function ensurePrivateDirSync(dirPath) {
+  mkdirSync(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    chmodSync(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+function enforcePrivateFileSync(filePath) {
+  try {
+    if (existsSync(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+var PRIVATE_DIR_MODE, PRIVATE_FILE_MODE;
+var init_secure_files = __esm({
+  "src/lib/secure-files.ts"() {
+    "use strict";
+    PRIVATE_DIR_MODE = 448;
+    PRIVATE_FILE_MODE = 384;
+  }
+});
+
 // src/lib/config.ts
-import { readFile, writeFile, mkdir, chmod } from "fs/promises";
-import { readFileSync, existsSync, renameSync } from "fs";
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
 import path from "path";
 import os from "os";
 function resolveDataDir() {
@@ -19,7 +44,7 @@ function resolveDataDir() {
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
   const newDir = path.join(os.homedir(), ".exe-os");
   const legacyDir = path.join(os.homedir(), ".exe-mem");
-  if (!existsSync(newDir) && existsSync(legacyDir)) {
+  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
       process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
@@ -34,6 +59,7 @@ var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CON
 var init_config = __esm({
   "src/lib/config.ts"() {
     "use strict";
+    init_secure_files();
     EXE_AI_DIR = resolveDataDir();
     DB_PATH = path.join(EXE_AI_DIR, "memories.db");
     MODELS_DIR = path.join(EXE_AI_DIR, "models");
@@ -140,10 +166,10 @@ __export(agent_config_exports, {
   saveAgentConfig: () => saveAgentConfig,
   setAgentRuntime: () => setAgentRuntime
 });
-import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync2, mkdirSync } from "fs";
+import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3 } from "fs";
 import path2 from "path";
 function loadAgentConfig() {
-  if (!existsSync2(AGENT_CONFIG_PATH)) return {};
+  if (!existsSync3(AGENT_CONFIG_PATH)) return {};
   try {
     return JSON.parse(readFileSync2(AGENT_CONFIG_PATH, "utf-8"));
   } catch {
@@ -152,8 +178,9 @@ function loadAgentConfig() {
 }
 function saveAgentConfig(config) {
   const dir = path2.dirname(AGENT_CONFIG_PATH);
-  if (!existsSync2(dir)) mkdirSync(dir, { recursive: true });
+  ensurePrivateDirSync(dir);
   writeFileSync(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  enforcePrivateFileSync(AGENT_CONFIG_PATH);
 }
 function getAgentRuntime(agentId) {
   const config = loadAgentConfig();
@@ -193,6 +220,7 @@ var init_agent_config = __esm({
     "use strict";
     init_config();
     init_runtime_table();
+    init_secure_files();
     AGENT_CONFIG_PATH = path2.join(EXE_AI_DIR, "agent-config.json");
     KNOWN_RUNTIMES = {
       claude: ["claude-opus-4", "claude-sonnet-4", "claude-haiku-4.5"],
@@ -240,7 +268,7 @@ __export(employees_exports, {
   validateEmployeeName: () => validateEmployeeName
 });
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync3, renameSync as renameSync2, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
+import { existsSync as existsSync4, symlinkSync, readlinkSync, readFileSync as readFileSync3, renameSync as renameSync2, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
 import { execSync } from "child_process";
 import path3 from "path";
 import os2 from "os";
@@ -279,7 +307,7 @@ function validateEmployeeName(name) {
   return { valid: true };
 }
 async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync3(employeesPath)) {
+  if (!existsSync4(employeesPath)) {
     return [];
   }
   const raw = await readFile2(employeesPath, "utf-8");
@@ -294,7 +322,7 @@ async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
   await writeFile2(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
 }
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync3(employeesPath)) return [];
+  if (!existsSync4(employeesPath)) return [];
   try {
     return JSON.parse(readFileSync3(employeesPath, "utf-8"));
   } catch {
@@ -342,7 +370,7 @@ function appendToCoordinatorTeam(employee) {
   const coordinator = getCoordinatorEmployee(loadEmployeesSync());
   if (!coordinator) return;
   const idPath = path3.join(IDENTITY_DIR, `${coordinator.name}.md`);
-  if (!existsSync3(idPath)) return;
+  if (!existsSync4(idPath)) return;
   const content = readFileSync3(idPath, "utf-8");
   if (content.includes(`**${capitalize(employee.name)}`)) return;
   const teamMatch = content.match(TEAM_SECTION_RE);
@@ -396,9 +424,9 @@ async function normalizeRosterCase(rosterPath) {
         const identityDir = path3.join(os2.homedir(), ".exe-os", "identity");
         const oldPath = path3.join(identityDir, `${oldName}.md`);
         const newPath = path3.join(identityDir, `${emp.name}.md`);
-        if (existsSync3(oldPath) && !existsSync3(newPath)) {
+        if (existsSync4(oldPath) && !existsSync4(newPath)) {
           renameSync2(oldPath, newPath);
-        } else if (existsSync3(oldPath) && oldPath !== newPath) {
+        } else if (existsSync4(oldPath) && oldPath !== newPath) {
           const content = readFileSync3(oldPath, "utf-8");
           writeFileSync2(newPath, content, "utf-8");
           if (oldPath.toLowerCase() !== newPath.toLowerCase()) {
@@ -441,7 +469,7 @@ function registerBinSymlinks(name) {
   for (const suffix of ["", "-opencode"]) {
     const linkName = `${name}${suffix}`;
     const linkPath = path3.join(binDir, linkName);
-    if (existsSync3(linkPath)) {
+    if (existsSync4(linkPath)) {
       skipped.push(linkName);
       continue;
     }

package/dist/bin/exe-cloud.js

@@ -117,9 +117,34 @@ var init_keychain = __esm({
   }
 });
 
+// src/lib/secure-files.ts
+import { chmodSync, existsSync as existsSync2, mkdirSync } from "fs";
+import { chmod as chmod2, mkdir as mkdir2 } from "fs/promises";
+async function ensurePrivateDir(dirPath) {
+  await mkdir2(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    await chmod2(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+async function enforcePrivateFile(filePath) {
+  try {
+    await chmod2(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+var PRIVATE_DIR_MODE, PRIVATE_FILE_MODE;
+var init_secure_files = __esm({
+  "src/lib/secure-files.ts"() {
+    "use strict";
+    PRIVATE_DIR_MODE = 448;
+    PRIVATE_FILE_MODE = 384;
+  }
+});
+
 // src/lib/config.ts
-import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
-import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
+import { readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
+import { readFileSync, existsSync as existsSync3, renameSync } from "fs";
 import path2 from "path";
 import os2 from "os";
 function resolveDataDir() {
@@ -127,7 +152,7 @@ function resolveDataDir() {
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
   const newDir = path2.join(os2.homedir(), ".exe-os");
   const legacyDir = path2.join(os2.homedir(), ".exe-mem");
-  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
+  if (!existsSync3(newDir) && existsSync3(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
       process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
@@ -190,9 +215,9 @@ function normalizeAutoUpdate(raw) {
 }
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir2(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path2.join(dir, "config.json");
-  if (!existsSync2(configPath)) {
+  if (!existsSync3(configPath)) {
     return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
   }
   const raw = await readFile2(configPath, "utf-8");
@@ -205,6 +230,7 @@ async function loadConfig() {
 `);
       try {
         await writeFile2(configPath, JSON.stringify(migratedCfg, null, 2) + "\n");
+        await enforcePrivateFile(configPath);
       } catch {
       }
     }
@@ -222,17 +248,16 @@ async function loadConfig() {
 }
 async function saveConfig(config) {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir2(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path2.join(dir, "config.json");
   await writeFile2(configPath, JSON.stringify(config, null, 2) + "\n");
-  if (config.cloud?.apiKey) {
-    await chmod2(configPath, 384);
-  }
+  await enforcePrivateFile(configPath);
 }
 var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CONFIG_VERSION, DEFAULT_CONFIG, CONFIG_MIGRATIONS;
 var init_config = __esm({
   "src/lib/config.ts"() {
     "use strict";
+    init_secure_files();
     EXE_AI_DIR = resolveDataDir();
     DB_PATH = path2.join(EXE_AI_DIR, "memories.db");
     MODELS_DIR = path2.join(EXE_AI_DIR, "models");
@@ -318,7 +343,7 @@ var init_db_retry = __esm({
 
 // src/lib/employees.ts
 import { readFile as readFile3, writeFile as writeFile3, mkdir as mkdir3 } from "fs/promises";
-import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { existsSync as existsSync4, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
 import { execSync } from "child_process";
 import path3 from "path";
 import os3 from "os";
@@ -381,8 +406,11 @@ __export(license_exports, {
   stopLicenseRevalidation: () => stopLicenseRevalidation,
   validateLicense: () => validateLicense
 });
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync4, mkdirSync } from "fs";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync5, mkdirSync as mkdirSync2 } from "fs";
 import { randomUUID } from "crypto";
+import { createRequire as createRequire2 } from "module";
+import { pathToFileURL as pathToFileURL2 } from "url";
+import os5 from "os";
 import path5 from "path";
 import { jwtVerify, importSPKI } from "jose";
 async function fetchRetry(url, init) {
@@ -396,34 +424,34 @@ async function fetchRetry(url, init) {
 function loadDeviceId() {
   const deviceJsonPath = path5.join(EXE_AI_DIR, "device.json");
   try {
-    if (existsSync4(deviceJsonPath)) {
+    if (existsSync5(deviceJsonPath)) {
       const data = JSON.parse(readFileSync3(deviceJsonPath, "utf8"));
       if (data.deviceId) return data.deviceId;
     }
   } catch {
   }
   try {
-    if (existsSync4(DEVICE_ID_PATH)) {
+    if (existsSync5(DEVICE_ID_PATH)) {
       const id2 = readFileSync3(DEVICE_ID_PATH, "utf8").trim();
       if (id2) return id2;
     }
   } catch {
   }
   const id = randomUUID();
-  mkdirSync(EXE_AI_DIR, { recursive: true });
+  mkdirSync2(EXE_AI_DIR, { recursive: true });
   writeFileSync2(DEVICE_ID_PATH, id, "utf8");
   return id;
 }
 function loadLicense() {
   try {
-    if (!existsSync4(LICENSE_PATH)) return null;
+    if (!existsSync5(LICENSE_PATH)) return null;
     return readFileSync3(LICENSE_PATH, "utf8").trim();
   } catch {
     return null;
   }
 }
 function saveLicense(apiKey) {
-  mkdirSync(EXE_AI_DIR, { recursive: true });
+  mkdirSync2(EXE_AI_DIR, { recursive: true });
   writeFileSync2(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
 }
 async function verifyLicenseJwt(token) {
@@ -450,7 +478,7 @@ async function verifyLicenseJwt(token) {
 }
 async function getCachedLicense() {
   try {
-    if (!existsSync4(CACHE_PATH)) return null;
+    if (!existsSync5(CACHE_PATH)) return null;
     const raw = JSON.parse(readFileSync3(CACHE_PATH, "utf8"));
     if (!raw.token || typeof raw.token !== "string") return null;
     return await verifyLicenseJwt(raw.token);
@@ -460,7 +488,7 @@ async function getCachedLicense() {
 }
 function readCachedToken() {
   try {
-    if (!existsSync4(CACHE_PATH)) return null;
+    if (!existsSync5(CACHE_PATH)) return null;
     const raw = JSON.parse(readFileSync3(CACHE_PATH, "utf8"));
     return typeof raw.token === "string" ? raw.token : null;
   } catch {
@@ -499,52 +527,126 @@ function cacheResponse(token) {
   } catch {
   }
 }
-async function validateLicense(apiKey, deviceId) {
-  const did = deviceId ?? loadDeviceId();
+function loadPrismaForLicense() {
+  if (_prismaFailed) return null;
+  const dbUrl = process.env.DATABASE_URL;
+  if (!dbUrl) {
+    const exeDbRoot = process.env.EXE_DB_ROOT ?? path5.join(os5.homedir(), "exe-db");
+    if (!existsSync5(path5.join(exeDbRoot, "package.json"))) {
+      _prismaFailed = true;
+      return null;
+    }
+  }
+  if (!_prismaPromise) {
+    _prismaPromise = (async () => {
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const mod2 = await import(pathToFileURL2(explicitPath).href);
+        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
+        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor2();
+      }
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path5.join(os5.homedir(), "exe-db");
+      const req = createRequire2(path5.join(exeDbRoot, "package.json"));
+      const entry = req.resolve("@prisma/client");
+      const mod = await import(pathToFileURL2(entry).href);
+      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+      if (!Ctor) throw new Error(`No PrismaClient in ${entry}`);
+      return new Ctor();
+    })().catch((err) => {
+      _prismaFailed = true;
+      _prismaPromise = null;
+      throw err;
+    });
+  }
+  return _prismaPromise;
+}
+async function validateViaPostgres(apiKey) {
+  const loader = loadPrismaForLicense();
+  if (!loader) return null;
+  try {
+    const prisma = await loader;
+    const rows = await prisma.$queryRawUnsafe(
+      `SELECT plan, email, status, device_limit, employee_limit, memory_limit, expires_at
+       FROM billing.licenses WHERE key = $1 LIMIT 1`,
+      apiKey
+    );
+    if (!rows || rows.length === 0) return null;
+    const row = rows[0];
+    if (row.status !== "active") return null;
+    if (row.expires_at && new Date(row.expires_at) < /* @__PURE__ */ new Date()) return null;
+    const plan = row.plan;
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan,
+      email: row.email,
+      expiresAt: row.expires_at ? new Date(row.expires_at).toISOString() : null,
+      deviceLimit: row.device_limit ?? limits.devices,
+      employeeLimit: row.employee_limit ?? limits.employees,
+      memoryLimit: row.memory_limit ?? limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateViaCFWorker(apiKey, deviceId) {
   try {
     const res = await fetchRetry(`${API_BASE}/auth/activate`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ apiKey, deviceId: did }),
+      body: JSON.stringify({ apiKey, deviceId }),
       signal: AbortSignal.timeout(1e4)
     });
-    if (res.ok) {
-      const data = await res.json();
-      if (data.error === "device_limit_exceeded") {
-        const cached2 = await getCachedLicense();
-        if (cached2) return cached2;
-        const raw2 = getRawCachedPlan();
-        if (raw2) return { ...raw2, valid: false };
-        return { ...FREE_LICENSE, valid: false, plan: "free" };
-      }
-      if (data.token) {
-        cacheResponse(data.token);
-        const verified = await verifyLicenseJwt(data.token);
-        if (verified) return verified;
+    if (!res.ok) return null;
+    const data = await res.json();
+    if (data.error === "device_limit_exceeded") return null;
+    if (!data.valid) return null;
+    if (data.token) {
+      cacheResponse(data.token);
+      const verified = await verifyLicenseJwt(data.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: data.valid,
+      plan: data.plan,
+      email: data.email,
+      expiresAt: data.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateLicense(apiKey, deviceId) {
+  const did = deviceId ?? loadDeviceId();
+  const pgResult = await validateViaPostgres(apiKey);
+  if (pgResult) {
+    try {
+      writeFileSync2(CACHE_PATH, JSON.stringify({ pgLicense: pgResult, ts: Date.now() }), "utf8");
+    } catch {
+    }
+    return pgResult;
+  }
+  const cfResult = await validateViaCFWorker(apiKey, did);
+  if (cfResult) return cfResult;
+  const cached = await getCachedLicense();
+  if (cached) return cached;
+  try {
+    if (existsSync5(CACHE_PATH)) {
+      const raw = JSON.parse(readFileSync3(CACHE_PATH, "utf8"));
+      if (raw.pgLicense && raw.ts && Date.now() - raw.ts < 7 * 24 * 60 * 60 * 1e3) {
+        return raw.pgLicense;
       }
-      const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
-      return {
-        valid: data.valid,
-        plan: data.plan,
-        email: data.email,
-        expiresAt: data.expiresAt,
-        deviceLimit: limits.devices,
-        employeeLimit: limits.employees,
-        memoryLimit: limits.memories
-      };
     }
-    const cached = await getCachedLicense();
-    if (cached) return cached;
-    const raw = getRawCachedPlan();
-    if (raw) return raw;
-    return { ...FREE_LICENSE, valid: false, plan: "free" };
   } catch {
-    const cached = await getCachedLicense();
-    if (cached) return cached;
-    const rawFallback = getRawCachedPlan();
-    if (rawFallback) return rawFallback;
-    return { ...FREE_LICENSE, valid: false, error: "offline" };
   }
+  const rawFallback = getRawCachedPlan();
+  if (rawFallback) return rawFallback;
+  return { ...FREE_LICENSE, valid: false };
 }
 function getCacheAgeMs() {
   try {
@@ -560,7 +662,7 @@ async function checkLicense() {
   if (!key) {
     try {
       const configPath = path5.join(EXE_AI_DIR, "config.json");
-      if (existsSync4(configPath)) {
+      if (existsSync5(configPath)) {
         const raw = JSON.parse(readFileSync3(configPath, "utf8"));
         const cloud = raw.cloud;
         if (cloud?.apiKey) {
@@ -715,7 +817,7 @@ function stopLicenseRevalidation() {
     _revalTimer = null;
   }
 }
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, CACHE_MAX_AGE_MS, _revalTimer;
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, _prismaPromise, _prismaFailed, CACHE_MAX_AGE_MS, _revalTimer;
 var init_license = __esm({
   "src/lib/license.ts"() {
     "use strict";
@@ -746,6 +848,8 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
       employeeLimit: 1,
       memoryLimit: 5e3
     };
+    _prismaPromise = null;
+    _prismaFailed = false;
     CACHE_MAX_AGE_MS = 36e5;
     _revalTimer = null;
   }
@@ -753,7 +857,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
 
 // src/lib/crdt-sync.ts
 import * as Y from "yjs";
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync5, mkdirSync as mkdirSync2, unlinkSync as unlinkSync2 } from "fs";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync6, mkdirSync as mkdirSync3, unlinkSync as unlinkSync2 } from "fs";
 import path6 from "path";
 import { homedir } from "os";
 var DEFAULT_STATE_PATH;
@@ -801,7 +905,7 @@ function isMainModule(importMetaUrl) {
 
 // src/lib/cloud-sync.ts
 init_database();
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, existsSync as existsSync6, readdirSync, mkdirSync as mkdirSync3, appendFileSync, unlinkSync as unlinkSync3, openSync, closeSync } from "fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, existsSync as existsSync7, readdirSync, mkdirSync as mkdirSync4, appendFileSync, unlinkSync as unlinkSync3, openSync, closeSync } from "fs";
 import crypto3 from "crypto";
 import path7 from "path";
 import { homedir as homedir2 } from "os";
@@ -817,6 +921,7 @@ init_license();
 init_config();
 init_crdt_sync();
 init_employees();
+init_secure_files();
 var LOCALHOST_PATTERNS = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
 var ROSTER_LOCK_PATH = path7.join(EXE_AI_DIR, "roster-merge.lock");
 function assertSecureEndpoint(endpoint) {