@askexenow/exe-os 0.9.80 → 0.9.82

package/dist/bin/stack-update.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/bin/stack-update.ts
-import { readFileSync as readFileSync2 } from "fs";
+import { readFileSync as readFileSync4 } from "fs";
 
 // src/lib/is-main.ts
 import { realpathSync } from "fs";
@@ -21,10 +21,132 @@ function isMainModule(importMetaUrl) {
 // src/lib/stack-update.ts
 import { execFileSync } from "child_process";
 import { createVerify, verify as verifySignature } from "crypto";
-import { existsSync, mkdirSync, readdirSync, readFileSync, renameSync, writeFileSync } from "fs";
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readdirSync, readFileSync as readFileSync3, renameSync as renameSync2, writeFileSync as writeFileSync2 } from "fs";
 import http from "http";
 import https from "https";
+import path3 from "path";
+
+// src/lib/license.ts
+import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
+import { randomUUID } from "crypto";
+import { createRequire } from "module";
+import { pathToFileURL } from "url";
+import os2 from "os";
+import path2 from "path";
+import { jwtVerify, importSPKI } from "jose";
+
+// src/lib/config.ts
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
 import path from "path";
+import os from "os";
+
+// src/lib/secure-files.ts
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { chmod, mkdir } from "fs/promises";
+
+// src/lib/config.ts
+function resolveDataDir() {
+  if (process.env.EXE_OS_DIR) return process.env.EXE_OS_DIR;
+  if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
+  const newDir = path.join(os.homedir(), ".exe-os");
+  const legacyDir = path.join(os.homedir(), ".exe-mem");
+  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
+    try {
+      renameSync(legacyDir, newDir);
+      process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
+`);
+    } catch {
+      return legacyDir;
+    }
+  }
+  return newDir;
+}
+var EXE_AI_DIR = resolveDataDir();
+var DB_PATH = path.join(EXE_AI_DIR, "memories.db");
+var MODELS_DIR = path.join(EXE_AI_DIR, "models");
+var CONFIG_PATH = path.join(EXE_AI_DIR, "config.json");
+var LEGACY_LANCE_PATH = path.join(EXE_AI_DIR, "local.lance");
+var CURRENT_CONFIG_VERSION = 1;
+var DEFAULT_CONFIG = {
+  config_version: CURRENT_CONFIG_VERSION,
+  dbPath: DB_PATH,
+  modelFile: "jina-embeddings-v5-small-q4_k_m.gguf",
+  embeddingDim: 1024,
+  batchSize: 20,
+  flushIntervalMs: 1e4,
+  autoIngestion: true,
+  autoRetrieval: true,
+  searchMode: "hybrid",
+  hookSearchMode: "hybrid",
+  fileGrepEnabled: true,
+  splashEffect: true,
+  consolidationEnabled: true,
+  consolidationIntervalMs: 6 * 60 * 60 * 1e3,
+  consolidationModel: "claude-haiku-4-5-20251001",
+  consolidationMaxCallsPerRun: 20,
+  selfQueryRouter: true,
+  selfQueryModel: "claude-haiku-4-5-20251001",
+  rerankerEnabled: true,
+  scalingRoadmap: {
+    rerankerAutoTrigger: {
+      enabled: true,
+      broadQueryMinCardinality: 5e4,
+      fetchTopK: 200,
+      returnTopK: 20
+    }
+  },
+  graphRagEnabled: true,
+  wikiEnabled: false,
+  wikiUrl: "",
+  wikiApiKey: "",
+  wikiSyncIntervalMs: 30 * 60 * 1e3,
+  wikiWorkspaceMapping: {},
+  wikiAutoUpdate: true,
+  wikiAutoUpdateThreshold: 0.5,
+  wikiAutoUpdateCreateNew: true,
+  skillLearning: true,
+  skillThreshold: 3,
+  skillModel: "claude-haiku-4-5-20251001",
+  exeHeartbeat: {
+    enabled: true,
+    intervalSeconds: 60,
+    staleInProgressThresholdHours: 2
+  },
+  sessionLifecycle: {
+    idleKillEnabled: true,
+    idleKillTicksRequired: 3,
+    idleKillIntercomAckWindowMs: 1e4,
+    maxAutoInstances: 10
+  },
+  autoUpdate: {
+    checkOnBoot: true,
+    autoInstall: false,
+    checkIntervalMs: 24 * 60 * 60 * 1e3
+  },
+  support: {
+    bugReportEndpoint: "https://askexe.com/v1/support/bug-reports"
+  },
+  orchestration: {
+    phase: "phase_1_coo",
+    phaseSetBy: "default"
+  }
+};
+
+// src/lib/license.ts
+var LICENSE_PATH = path2.join(EXE_AI_DIR, "license.key");
+var CACHE_PATH = path2.join(EXE_AI_DIR, "license-cache.json");
+var DEVICE_ID_PATH = path2.join(EXE_AI_DIR, "device-id");
+function loadLicense() {
+  try {
+    if (!existsSync3(LICENSE_PATH)) return null;
+    return readFileSync2(LICENSE_PATH, "utf8").trim();
+  } catch {
+    return null;
+  }
+}
+
+// src/lib/stack-update.ts
 function isSignedEnvelope(value) {
   return !!value && typeof value === "object" && "manifest" in value && "signature" in value;
 }
@@ -58,21 +180,21 @@ function stableJson(value) {
   return `{${Object.keys(obj).sort().map((key) => `${JSON.stringify(key)}:${stableJson(obj[key])}`).join(",")}}`;
 }
 function findLatestBackupEnvFile(envFile) {
-  const backupDir = path.join(path.dirname(envFile), ".exe-stack-backups");
-  if (!existsSync(backupDir)) return null;
+  const backupDir = path3.join(path3.dirname(envFile), ".exe-stack-backups");
+  if (!existsSync4(backupDir)) return null;
   const backups = readdirSync(backupDir).filter((name) => name.startsWith("env-") && name.endsWith(".bak")).sort();
   const latest = backups.at(-1);
-  return latest ? path.join(backupDir, latest) : null;
+  return latest ? path3.join(backupDir, latest) : null;
 }
 async function rollbackStackUpdate(options) {
   const exec = options.exec ?? defaultExec;
-  const backupEnvFile = options.lockFile && existsSync(options.lockFile) ? JSON.parse(readFileSync(options.lockFile, "utf8")).backupEnvFile : void 0;
-  const rollbackEnv = backupEnvFile && existsSync(backupEnvFile) ? backupEnvFile : findLatestBackupEnvFile(options.envFile);
+  const backupEnvFile = options.lockFile && existsSync4(options.lockFile) ? JSON.parse(readFileSync3(options.lockFile, "utf8")).backupEnvFile : void 0;
+  const rollbackEnv = backupEnvFile && existsSync4(backupEnvFile) ? backupEnvFile : findLatestBackupEnvFile(options.envFile);
   if (!rollbackEnv) throw new Error(`No stack backup env found beside ${options.envFile}`);
-  writeFileSync(options.envFile, readFileSync(rollbackEnv), { mode: 384 });
+  writeFileSync2(options.envFile, readFileSync3(rollbackEnv), { mode: 384 });
   const composeArgs = ["compose", "--file", options.composeFile, "--env-file", options.envFile];
   exec("docker", [...composeArgs, "up", "-d"]);
-  return { status: "rolled_back", targetVersion: "previous", changes: [], backupEnvFile: rollbackEnv, lockFile: options.lockFile ?? path.join(path.dirname(options.envFile), ".exe-stack-lock.json") };
+  return { status: "rolled_back", targetVersion: "previous", changes: [], backupEnvFile: rollbackEnv, lockFile: options.lockFile ?? path3.join(path3.dirname(options.envFile), ".exe-stack-lock.json") };
 }
 function parseStackManifest(raw, publicKey) {
   const parsedRaw = JSON.parse(raw);
@@ -97,7 +219,7 @@ function parseStackManifest(raw, publicKey) {
 }
 async function loadStackManifest(ref, fetchText = defaultFetchText, publicKey, authToken) {
   if (/^https?:\/\//.test(ref)) return parseStackManifest(await fetchTextWithAuth(ref, fetchText, authToken), publicKey);
-  return parseStackManifest(readFileSync(ref, "utf8"), publicKey);
+  return parseStackManifest(readFileSync3(ref, "utf8"), publicKey);
 }
 async function fetchTextWithAuth(ref, fetchText, authToken) {
   if (!authToken || fetchText !== defaultFetchText) return fetchText(ref);
@@ -227,9 +349,9 @@ Emergency override requires --break-glass <reason> and writes an audit file.`
 function writeBreakGlassAudit(plan, issues, options) {
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
   const stamp = now().toISOString().replace(/[:.]/g, "-");
-  const defaultDir = existsSync("exe/output") ? "exe/output" : path.dirname(options.envFile ?? ".");
-  const auditFile = options.breakGlassAuditFile ?? path.join(defaultDir, `stack-update-break-glass-${stamp}.md`);
-  mkdirSync(path.dirname(auditFile), { recursive: true });
+  const defaultDir = existsSync4("exe/output") ? "exe/output" : path3.dirname(options.envFile ?? ".");
+  const auditFile = options.breakGlassAuditFile ?? path3.join(defaultDir, `stack-update-break-glass-${stamp}.md`);
+  mkdirSync3(path3.dirname(auditFile), { recursive: true });
   const body = [
     `# Stack Update Break-Glass Audit \u2014 ${now().toISOString()}`,
     "",
@@ -243,7 +365,7 @@ function writeBreakGlassAudit(plan, issues, options) {
     "Return this deployment to the standard pinned GHCR image path immediately after the emergency is resolved.",
     ""
   ].join("\n");
-  writeFileSync(auditFile, body, { mode: 384 });
+  writeFileSync2(auditFile, body, { mode: 384 });
   console.warn(`[stack-update] BREAK-GLASS deploy override recorded: ${auditFile}`);
 }
 function assertBreakingChangesAllowed(plan, allowedIds) {
@@ -265,34 +387,34 @@ async function runStackUpdate(options) {
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
   if (options.rollback) return rollbackStackUpdate(options);
   const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey, options.manifestAuthToken);
-  const envRaw = readFileSync(options.envFile, "utf8");
+  const envRaw = readFileSync3(options.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, options.targetVersion);
   assertBreakingChangesAllowed(plan, options.allowedBreakingChangeIds ?? []);
   assertDeploymentScopeAllowed(plan, options.deploymentPersona ?? "customer");
   const plannedEnvRaw = patchEnv(envRaw, Object.fromEntries(plan.changes.map((c) => [c.key, c.after])));
-  const composeRaw = readFileSync(options.composeFile, "utf8");
+  const composeRaw = readFileSync3(options.composeFile, "utf8");
   assertProductionDeployGate(plan, plannedEnvRaw, composeRaw, {
     breakGlassReason: options.breakGlassReason,
     breakGlassAuditFile: options.breakGlassAuditFile,
     now,
     envFile: options.envFile
   });
-  const lockFile = options.lockFile ?? path.join(path.dirname(options.envFile), ".exe-stack-lock.json");
+  const lockFile = options.lockFile ?? path3.join(path3.dirname(options.envFile), ".exe-stack-lock.json");
   const previousVersion = readCurrentStackVersion(lockFile);
   if (options.dryRun || plan.changes.length === 0) {
     return { status: "planned", targetVersion: plan.targetVersion, changes: plan.changes, lockFile };
   }
   await postDeployAudit(options, "started", plan.targetVersion, previousVersion);
-  const backupDir = path.join(path.dirname(options.envFile), ".exe-stack-backups");
-  mkdirSync(backupDir, { recursive: true });
+  const backupDir = path3.join(path3.dirname(options.envFile), ".exe-stack-backups");
+  mkdirSync3(backupDir, { recursive: true });
   const stamp = now().toISOString().replace(/[:.]/g, "-");
-  const backupEnvFile = path.join(backupDir, `env-${stamp}.bak`);
-  writeFileSync(backupEnvFile, envRaw, { mode: 384 });
+  const backupEnvFile = path3.join(backupDir, `env-${stamp}.bak`);
+  writeFileSync2(backupEnvFile, envRaw, { mode: 384 });
   const updates = Object.fromEntries(plan.changes.map((c) => [c.key, c.after]));
   const patched = patchEnv(envRaw, updates);
   const tmp = `${options.envFile}.tmp-${process.pid}`;
-  writeFileSync(tmp, patched, { mode: 384 });
-  renameSync(tmp, options.envFile);
+  writeFileSync2(tmp, patched, { mode: 384 });
+  renameSync2(tmp, options.envFile);
   const composeArgs = ["compose", "--file", options.composeFile, "--env-file", options.envFile];
   let registryForLogout;
   try {
@@ -304,11 +426,11 @@ async function runStackUpdate(options) {
     exec("docker", [...composeArgs, "pull"]);
     exec("docker", [...composeArgs, "up", "-d"]);
     await verifyReleaseHealth(plan.release, options.healthRetries ?? 12, options.healthDelayMs ?? 5e3);
-    writeFileSync(lockFile, JSON.stringify({ stackVersion: plan.targetVersion, updatedAt: now().toISOString(), backupEnvFile, services: plan.release.services }, null, 2) + "\n");
+    writeFileSync2(lockFile, JSON.stringify({ stackVersion: plan.targetVersion, updatedAt: now().toISOString(), backupEnvFile, services: plan.release.services }, null, 2) + "\n");
     await postDeployAudit(options, "success", plan.targetVersion, previousVersion, void 0, { changes: plan.changes.length });
     return { status: "updated", targetVersion: plan.targetVersion, changes: plan.changes, backupEnvFile, lockFile };
   } catch (err) {
-    writeFileSync(options.envFile, envRaw, { mode: 384 });
+    writeFileSync2(options.envFile, envRaw, { mode: 384 });
     try {
       exec("docker", [...composeArgs, "up", "-d"]);
     } catch {
@@ -339,9 +461,9 @@ async function fetchImageCredentials(options) {
   return await res.json();
 }
 function readCurrentStackVersion(lockFile) {
-  if (!existsSync(lockFile)) return void 0;
+  if (!existsSync4(lockFile)) return void 0;
   try {
-    const parsed = JSON.parse(readFileSync(lockFile, "utf8"));
+    const parsed = JSON.parse(readFileSync3(lockFile, "utf8"));
     return parsed.stackVersion;
   } catch {
     return void 0;
@@ -429,22 +551,22 @@ async function defaultPostJson(url, body, authToken) {
   if (!res.ok) throw new Error(`Failed to POST ${url}: HTTP ${res.status}`);
 }
 function defaultStackPaths() {
-  const cwdCompose = path.resolve("docker-compose.yml");
-  const cwdEnv = path.resolve(".env");
+  const cwdCompose = path3.resolve("docker-compose.yml");
+  const cwdEnv = path3.resolve(".env");
   return {
-    composeFile: process.env.EXE_STACK_COMPOSE_FILE || (existsSync(cwdCompose) ? cwdCompose : "/opt/exe-stack/docker-compose.yml"),
-    envFile: process.env.EXE_STACK_ENV_FILE || (existsSync(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
+    composeFile: process.env.EXE_STACK_COMPOSE_FILE || (existsSync4(cwdCompose) ? cwdCompose : "/opt/exe-stack/docker-compose.yml"),
+    envFile: process.env.EXE_STACK_ENV_FILE || (existsSync4(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
     manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
     auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
     imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || "https://update.askexe.com/v1/image-credentials",
-    manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN,
+    manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN || process.env.EXE_LICENSE_KEY || loadLicense() || void 0,
     manifestPublicKey: loadDefaultPublicKey()
   };
 }
 function loadDefaultPublicKey() {
   if (process.env.EXE_STACK_PUBLIC_KEY) return process.env.EXE_STACK_PUBLIC_KEY;
-  if (process.env.EXE_STACK_PUBLIC_KEY_FILE && existsSync(process.env.EXE_STACK_PUBLIC_KEY_FILE)) {
-    return readFileSync(process.env.EXE_STACK_PUBLIC_KEY_FILE, "utf8");
+  if (process.env.EXE_STACK_PUBLIC_KEY_FILE && existsSync4(process.env.EXE_STACK_PUBLIC_KEY_FILE)) {
+    return readFileSync3(process.env.EXE_STACK_PUBLIC_KEY_FILE, "utf8");
   }
   return void 0;
 }
@@ -481,8 +603,8 @@ function parseArgs(args) {
     else if (arg === "--env-file") opts.envFile = next();
     else if (arg.startsWith("--env-file=")) opts.envFile = arg.split("=").slice(1).join("=");
     else if (arg === "--lock-file") opts.lockFile = next();
-    else if (arg === "--public-key") opts.manifestPublicKey = readFileSync2(next(), "utf8");
-    else if (arg.startsWith("--public-key=")) opts.manifestPublicKey = readFileSync2(arg.split("=").slice(1).join("="), "utf8");
+    else if (arg === "--public-key") opts.manifestPublicKey = readFileSync4(next(), "utf8");
+    else if (arg.startsWith("--public-key=")) opts.manifestPublicKey = readFileSync4(arg.split("=").slice(1).join("="), "utf8");
     else if (arg === "--auth-token") opts.manifestAuthToken = next();
     else if (arg.startsWith("--auth-token=")) opts.manifestAuthToken = arg.split("=").slice(1).join("=");
     else if (arg === "--auth-token-env") opts.manifestAuthToken = process.env[next()] ?? "";
@@ -573,8 +695,8 @@ function printBreaking(changes) {
     if (c.expectedDowntimeMinutes) console.log(`    Expected downtime: ${c.expectedDowntimeMinutes} minutes`);
   }
 }
-async function main() {
-  const opts = parseArgs(process.argv.slice(2));
+async function main(args = process.argv.slice(2)) {
+  const opts = parseArgs(args);
   if (opts.rollback) {
     if (!opts.yes) {
       console.error("Refusing to rollback without --yes.");
@@ -585,11 +707,11 @@ async function main() {
     return;
   }
   const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey, opts.manifestAuthToken);
-  const envRaw = readFileSync2(opts.envFile, "utf8");
+  const envRaw = readFileSync4(opts.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, opts.targetVersion);
   assertDeploymentScopeAllowed(plan, opts.deploymentPersona);
   const plannedEnvRaw = patchEnv(envRaw, Object.fromEntries(plan.changes.map((c) => [c.key, c.after])));
-  assertProductionDeployGate(plan, plannedEnvRaw, readFileSync2(opts.composeFile, "utf8"), {
+  assertProductionDeployGate(plan, plannedEnvRaw, readFileSync4(opts.composeFile, "utf8"), {
     breakGlassReason: opts.breakGlassReason,
     breakGlassAuditFile: opts.breakGlassAuditFile,
     envFile: opts.envFile
@@ -612,7 +734,7 @@ async function main() {
   if (result.backupEnvFile) console.log(`Backup env: ${result.backupEnvFile}`);
   console.log(`Lock file: ${result.lockFile}`);
 }
-if (isMainModule(import.meta.url)) {
+if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("stack-update")) {
   main().catch((err) => {
     console.error(err instanceof Error ? err.message : String(err));
     process.exit(1);