@askexenow/exe-os 0.9.81 → 0.9.82

package/deploy/stack-manifests/v0.9.json

@@ -1,6 +1,6 @@
 {
   "schemaVersion": 1,
-  "latest": "0.9.3",
+  "latest": "0.9.5",
   "stacks": {
     "0.9.0": {
       "version": "0.9.0",
@@ -11,7 +11,7 @@
           "id": "whatsapp_relink_required",
           "title": "WhatsApp QR re-link required for Baileys v7",
           "description": "exe-gateway uses Baileys v7. Existing WhatsApp 6.x linked-device auth state must be backed up and re-linked once with a new QR code.",
-          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp \u2192 Linked Devices after the update.",
+          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp → Linked Devices after the update.",
           "expectedDowntimeMinutes": "2-5",
           "requiresConfirmation": true
         }
@@ -65,7 +65,7 @@
           "id": "whatsapp_relink_required",
           "title": "WhatsApp QR re-link required for Baileys v7",
           "description": "exe-gateway uses Baileys v7. Existing WhatsApp 6.x linked-device auth state must be backed up and re-linked once with a new QR code.",
-          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp \u2192 Linked Devices after the update.",
+          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp → Linked Devices after the update.",
           "expectedDowntimeMinutes": "2-5",
           "requiresConfirmation": true
         }
@@ -119,7 +119,7 @@
           "id": "whatsapp_relink_required",
           "title": "WhatsApp QR re-link required for Baileys v7",
           "description": "exe-gateway uses Baileys v7. Existing WhatsApp 6.x linked-device auth state must be backed up and re-linked once with a new QR code.",
-          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp \u2192 Linked Devices after the update.",
+          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp → Linked Devices after the update.",
           "expectedDowntimeMinutes": "2-5",
           "requiresConfirmation": true
         }
@@ -173,7 +173,7 @@
           "id": "whatsapp_relink_required",
           "title": "WhatsApp QR re-link required for Baileys v7",
           "description": "exe-gateway uses Baileys v7. Existing WhatsApp 6.x linked-device auth state must be backed up and re-linked once with a new QR code.",
-          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp \u2192 Linked Devices after the update.",
+          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp → Linked Devices after the update.",
           "expectedDowntimeMinutes": "2-5",
           "requiresConfirmation": true
         }
@@ -228,6 +228,139 @@
           "sourceRef": "v0.9.3"
         }
       }
+    },
+    "0.9.4": {
+      "version": "0.9.4",
+      "releasedAt": "2026-05-12T00:00:00Z",
+      "notes": "Hygo customer stack release with exed refreshed to include npm @askexenow/exe-os@0.9.81 support/MCP parity fixes. Other service images remain pinned to the already-approved v0.9.3 artifacts.",
+      "breakingChanges": [
+        {
+          "id": "whatsapp_relink_required",
+          "title": "WhatsApp QR re-link required for Baileys v7",
+          "description": "exe-gateway uses Baileys v7. Existing WhatsApp 6.x linked-device auth state must be backed up and re-linked once with a new QR code.",
+          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp → Linked Devices after the update.",
+          "expectedDowntimeMinutes": "2-5",
+          "requiresConfirmation": true
+        }
+      ],
+      "services": {
+        "crm": {
+          "env": "CRM_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-crm:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3000/healthz",
+          "deploymentScope": "customer"
+        },
+        "wiki": {
+          "env": "WIKI_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-wiki:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3001/api/ping",
+          "deploymentScope": "customer"
+        },
+        "exed": {
+          "env": "EXED_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exed:v0.9.4",
+          "healthUrl": "http://127.0.0.1:8765/health",
+          "deploymentScope": "customer"
+        },
+        "gateway": {
+          "env": "GATEWAY_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-gateway:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3100/health",
+          "deploymentScope": "customer"
+        },
+        "monitorAgent": {
+          "env": "MONITOR_AGENT_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-monitor-agent:v0.9.3",
+          "deploymentScope": "customer"
+        }
+      },
+      "releaseDescriptors": {
+        "exed": "AskExe/exe-os@stack-v0.9.4:stack.release.json",
+        "crm": "AskExe/exe-crm@0.9.3:stack.release.json",
+        "wiki": "AskExe/exe-wiki@0.9.3:stack.release.json",
+        "gateway": "AskExe/exe-gateway@0.9.3:stack.release.json",
+        "db": "AskExe/exe-db@0.9.3:stack.release.json",
+        "monitorAgent": "AskExe/exe-monitor@0.9.3:stack.release.json"
+      },
+      "componentVersions": {
+        "exe-os": {
+          "repo": "AskExe/exe-os",
+          "npmPackage": "@askexenow/exe-os",
+          "npmVersion": "0.9.81",
+          "image": "registry.askexe.com/askexe/exed:v0.9.4",
+          "imageVersion": "0.9.4",
+          "note": "Customer stack image tag is 0.9.4; bundled npm package is @askexenow/exe-os@0.9.81. Hygo pulls through registry.askexe.com, which proxies the AskExe-owned GHCR artifact server-side.",
+          "sourceRef": "stack-v0.9.4"
+        }
+      }
+    },
+    "0.9.5": {
+      "version": "0.9.5",
+      "releasedAt": "2026-05-12T00:00:00Z",
+      "notes": "Hygo cold-start fix: exed refreshed to include npm @askexenow/exe-os@0.9.82, fixing exe-os stack-update CLI routing and preserving support/MCP parity tools. Other services remain v0.9.3.",
+      "breakingChanges": [
+        {
+          "id": "whatsapp_relink_required",
+          "title": "WhatsApp QR re-link required for Baileys v7",
+          "description": "exe-gateway uses Baileys v7. Existing WhatsApp 6.x linked-device auth state must be backed up and re-linked once with a new QR code.",
+          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp → Linked Devices after the update.",
+          "expectedDowntimeMinutes": "2-5",
+          "requiresConfirmation": true
+        }
+      ],
+      "services": {
+        "crm": {
+          "env": "CRM_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-crm:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3000/healthz",
+          "deploymentScope": "customer"
+        },
+        "wiki": {
+          "env": "WIKI_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-wiki:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3001/api/ping",
+          "deploymentScope": "customer"
+        },
+        "exed": {
+          "env": "EXED_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exed:v0.9.5",
+          "healthUrl": "http://127.0.0.1:8765/health",
+          "deploymentScope": "customer"
+        },
+        "gateway": {
+          "env": "GATEWAY_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-gateway:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3100/health",
+          "deploymentScope": "customer"
+        },
+        "monitorAgent": {
+          "env": "MONITOR_AGENT_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-monitor-agent:v0.9.3",
+          "deploymentScope": "customer"
+        }
+      },
+      "releaseDescriptors": {
+        "exed": "AskExe/exe-os@stack-v0.9.4:stack.release.json",
+        "crm": "AskExe/exe-crm@0.9.3:stack.release.json",
+        "wiki": "AskExe/exe-wiki@0.9.3:stack.release.json",
+        "gateway": "AskExe/exe-gateway@0.9.3:stack.release.json",
+        "db": "AskExe/exe-db@0.9.3:stack.release.json",
+        "monitorAgent": "AskExe/exe-monitor@0.9.3:stack.release.json"
+      },
+      "componentVersions": {
+        "exe-os": {
+          "repo": "AskExe/exe-os",
+          "npmPackage": "@askexenow/exe-os",
+          "npmVersion": "0.9.82",
+          "image": "registry.askexe.com/askexe/exed:v0.9.4",
+          "imageVersion": "0.9.5",
+          "note": "Customer stack image tag is 0.9.4; bundled npm package is @askexenow/exe-os@0.9.81. Hygo pulls through registry.askexe.com, which proxies the AskExe-owned GHCR artifact server-side.",
+          "sourceRef": "stack-v0.9.4",
+          "commit": "main@stack-v0.9.5"
+        }
+      },
+      "date": "2026-05-12",
+      "sourceRef": "stack-v0.9.5"
     }
   }
 }

package/dist/bin/cli.js

@@ -20162,7 +20162,7 @@ function defaultStackPaths() {
     manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
     auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
     imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || "https://update.askexe.com/v1/image-credentials",
-    manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN,
+    manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN || process.env.EXE_LICENSE_KEY || loadLicense() || void 0,
     manifestPublicKey: loadDefaultPublicKey()
   };
 }
@@ -20177,6 +20177,7 @@ var ASKEXE_GHCR_IMAGE;
 var init_stack_update = __esm({
   "src/lib/stack-update.ts"() {
     "use strict";
+    init_license();
     ASKEXE_GHCR_IMAGE = /^(?:ghcr\.io\/askexe|registry\.askexe\.com\/askexe)\/[a-z0-9._/-]+(?::[^:@$/{]+|@sha256:[a-f0-9]{64})$/i;
   }
 });
@@ -20310,8 +20311,8 @@ function printBreaking(changes) {
     if (c.expectedDowntimeMinutes) console.log(`    Expected downtime: ${c.expectedDowntimeMinutes} minutes`);
   }
 }
-async function main7() {
-  const opts = parseArgs4(process.argv.slice(2));
+async function main7(args2 = process.argv.slice(2)) {
+  const opts = parseArgs4(args2);
   if (opts.rollback) {
     if (!opts.yes) {
       console.error("Refusing to rollback without --yes.");
@@ -20354,7 +20355,7 @@ var init_stack_update2 = __esm({
     "use strict";
     init_is_main();
     init_stack_update();
-    if (isMainModule(import.meta.url)) {
+    if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("stack-update")) {
       main7().catch((err) => {
         console.error(err instanceof Error ? err.message : String(err));
         process.exit(1);
@@ -20558,7 +20559,7 @@ var init_registry_proxy2 = __esm({
     "use strict";
     init_is_main();
     init_registry_proxy();
-    if (isMainModule(import.meta.url)) {
+    if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("registry-proxy")) {
       main8().catch((err) => {
         console.error(err instanceof Error ? err.message : String(err));
         process.exit(1);
@@ -36351,7 +36352,7 @@ ID: ${result.id}`);
   await runUpdate2(args.slice(1));
 } else if (args[0] === "stack-update") {
   const { runStackUpdateCli } = await Promise.resolve().then(() => (init_stack_update2(), stack_update_exports));
-  await runStackUpdateCli();
+  await runStackUpdateCli(args.slice(1));
 } else if (args[0] === "registry-proxy") {
   const { main: runRegistryProxy2 } = await Promise.resolve().then(() => (init_registry_proxy2(), registry_proxy_exports));
   await runRegistryProxy2(args.slice(1));

package/dist/bin/exe-gateway.js

@@ -8098,11 +8098,11 @@ __export(signal_exports, {
   SignalAdapter: () => SignalAdapter
 });
 import { randomUUID as randomUUID5 } from "crypto";
-var DEFAULT_TIMEOUT_MS, POLL_INTERVAL_MS, SignalAdapter;
+var DEFAULT_TIMEOUT_MS2, POLL_INTERVAL_MS, SignalAdapter;
 var init_signal = __esm({
   "src/gateway/adapters/signal.ts"() {
     "use strict";
-    DEFAULT_TIMEOUT_MS = 1e4;
+    DEFAULT_TIMEOUT_MS2 = 1e4;
     POLL_INTERVAL_MS = 2e3;
     SignalAdapter = class {
       platform = "signal";
@@ -8163,7 +8163,7 @@ var init_signal = __esm({
           method: "POST",
           headers: { "Content-Type": "application/json" },
           body: JSON.stringify(body),
-          signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS)
+          signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS2)
         });
         if (!res.ok) {
           const errText = await res.text().catch(() => "");
@@ -8181,7 +8181,7 @@ var init_signal = __esm({
               recipient: isGroup ? void 0 : channelId,
               group_id: isGroup ? channelId.slice("group:".length) : void 0
             }),
-            signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS)
+            signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS2)
           });
         } catch {
         }
@@ -8192,7 +8192,7 @@ var init_signal = __esm({
         try {
           const res = await fetch(`${this.baseUrl}/v1/about`, {
             method: "GET",
-            signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS)
+            signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS2)
           });
           this._connected = res.ok;
           return {
@@ -8223,7 +8223,7 @@ var init_signal = __esm({
           `${this.baseUrl}/v1/receive/${encodeURIComponent(this.account)}`,
           {
             method: "GET",
-            signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS)
+            signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS2)
           }
         );
         if (!res.ok) {
@@ -8366,7 +8366,7 @@ var init_signal = __esm({
         if (!this.messageHandler || !this.account) return;
         const res = await fetch(
           `${this.baseUrl}/v1/contacts/${encodeURIComponent(this.account)}`,
-          { signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS) }
+          { signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS2) }
         );
         if (!res.ok) return;
         const contacts = await res.json();
@@ -8401,7 +8401,7 @@ var init_signal = __esm({
         if (!this.messageHandler || !this.account) return;
         const res = await fetch(
           `${this.baseUrl}/v1/groups/${encodeURIComponent(this.account)}`,
-          { signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS) }
+          { signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS2) }
         );
         if (!res.ok) return;
         const groups = await res.json();
@@ -8619,12 +8619,12 @@ var init_discord = __esm({
       messageHandler = null;
       connected = false;
       async connect(config2) {
-        const { Client, GatewayIntentBits } = await import("discord.js");
+        const { Client: Client2, GatewayIntentBits } = await import("discord.js");
         const token = config2.credentials.bot_token ?? config2.credentials.token;
         if (!token) {
           throw new Error("Discord requires bot_token in credentials");
         }
-        const discordClient = new Client({
+        const discordClient = new Client2({
           intents: [
             GatewayIntentBits.Guilds,
             GatewayIntentBits.GuildMessages,
@@ -13843,6 +13843,91 @@ function toIsoTimestamp(value) {
   return UNKNOWN_TIMESTAMP;
 }
 
+// src/gateway/read-only-sql.ts
+import { Client } from "pg";
+var DEFAULT_MAX_ROWS = 100;
+var HARD_MAX_ROWS = 1e3;
+var DEFAULT_TIMEOUT_MS = 1e4;
+var BLOCKED_SQL = /\b(insert|update|delete|merge|upsert|drop|alter|create|truncate|grant|revoke|copy|call|do|listen|notify|vacuum|analyze|comment|security|set\s+role|reset|begin|commit|rollback|savepoint|lock)\b/i;
+var ReadOnlySqlValidationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ReadOnlySqlValidationError";
+  }
+};
+var ReadOnlySqlRunner = class {
+  constructor(config2 = {}) {
+    this.config = config2;
+  }
+  async run(sql, maxRows) {
+    const databaseUrl = this.config.databaseUrl ?? process.env.EXE_GATEWAY_SQL_DATABASE_URL ?? process.env.EXE_COMPANY_BRAIN_SQL_DATABASE_URL ?? process.env.DATABASE_URL;
+    if (!databaseUrl) {
+      throw new Error("Read-only SQL is not configured. Set EXE_GATEWAY_SQL_DATABASE_URL or DATABASE_URL.");
+    }
+    const cleaned = validateSql(sql);
+    const limit = clampRows(maxRows ?? this.config.maxRows ?? DEFAULT_MAX_ROWS);
+    const timeoutMs = this.config.statementTimeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const wrappedSql = `SELECT * FROM (${cleaned}) AS exe_readonly_sql LIMIT ${limit + 1}`;
+    const client = new Client({ connectionString: databaseUrl });
+    const start = Date.now();
+    try {
+      await client.connect();
+      await client.query("BEGIN READ ONLY");
+      await client.query("SET LOCAL transaction_read_only = on");
+      await client.query("SET LOCAL statement_timeout = $1", [timeoutMs]);
+      const result = await client.query(wrappedSql);
+      await client.query("COMMIT");
+      const rows = result.rows.slice(0, limit);
+      return {
+        columns: result.fields.map((field) => field.name),
+        rows,
+        row_count: rows.length,
+        max_rows: limit,
+        truncated: result.rows.length > limit,
+        execution_ms: Date.now() - start
+      };
+    } catch (err) {
+      try {
+        await client.query("ROLLBACK");
+      } catch {
+      }
+      throw err;
+    } finally {
+      await client.end().catch(() => void 0);
+    }
+  }
+};
+function validateSql(sql) {
+  const trimmed = sql.trim().replace(/;\s*$/, "");
+  if (!trimmed) throw new ReadOnlySqlValidationError("sql is required");
+  if (!/^(select|with)\b/i.test(trimmed)) {
+    throw new ReadOnlySqlValidationError("Only SELECT/WITH read-only SQL is allowed");
+  }
+  if (hasMultipleStatements(trimmed)) {
+    throw new ReadOnlySqlValidationError("Multiple SQL statements are not allowed");
+  }
+  if (BLOCKED_SQL.test(trimmed)) {
+    throw new ReadOnlySqlValidationError("SQL contains a blocked write/admin keyword");
+  }
+  return trimmed;
+}
+function hasMultipleStatements(sql) {
+  let single = false;
+  let double = false;
+  for (let i = 0; i < sql.length; i += 1) {
+    const ch = sql[i];
+    const prev = sql[i - 1];
+    if (ch === "'" && !double && prev !== "\\") single = !single;
+    if (ch === '"' && !single && prev !== "\\") double = !double;
+    if (ch === ";" && !single && !double) return true;
+  }
+  return false;
+}
+function clampRows(value) {
+  if (!Number.isFinite(value) || value <= 0) return DEFAULT_MAX_ROWS;
+  return Math.min(Math.floor(value), HARD_MAX_ROWS);
+}
+
 // src/gateway/webhook-server.ts
 var DEFAULT_HOST = process.env.EXE_WEBHOOK_HOST || "127.0.0.1";
 var BODY_SIZE_LIMIT = 1048576;
@@ -13859,6 +13944,7 @@ var WebhookServer = class {
   server = null;
   handlers = /* @__PURE__ */ new Map();
   startedAt = 0;
+  readOnlySqlRunner = new ReadOnlySqlRunner();
   /** Register a handler for a platform: POST /webhook/:platform */
   onPlatform(platform, handler) {
     this.handlers.set(platform, handler);
@@ -13905,6 +13991,10 @@ var WebhookServer = class {
       await this.handleQuery(req, res);
       return;
     }
+    if (method === "POST" && isRoute(url, "/query/sql")) {
+      await this.handleReadOnlySql(req, res);
+      return;
+    }
     if (method === "GET" && url.startsWith("/webhook/whatsapp")) {
       this.handleWhatsAppVerification(req, res);
       return;
@@ -13947,6 +14037,29 @@ var WebhookServer = class {
       sendJson(res, 503, { error: "Database unavailable" });
     }
   }
+  async handleReadOnlySql(req, res) {
+    if ((this.config.authToken || this.config.queryAuthToken) && !this.verifyQueryAuth(req)) {
+      sendJson(res, 401, { error: "Unauthorized" });
+      return;
+    }
+    try {
+      const body = await readBody(req);
+      const sql = typeof body.sql === "string" ? body.sql : "";
+      const maxRows = typeof body.max_rows === "number" ? body.max_rows : void 0;
+      const result = await this.readOnlySqlRunner.run(sql, maxRows);
+      sendJson(res, 200, result);
+    } catch (err) {
+      if (err instanceof ReadOnlySqlValidationError) {
+        sendJson(res, 400, { error: err.message });
+        return;
+      }
+      console.error(
+        "[webhook-server] Read-only SQL error:",
+        err instanceof Error ? err.message : err
+      );
+      sendJson(res, 503, { error: err instanceof Error ? err.message : "Database unavailable" });
+    }
+  }
   handleWhatsAppVerification(req, res) {
     const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
     const mode = url.searchParams.get("hub.mode");

package/dist/bin/registry-proxy.js

@@ -196,7 +196,7 @@ async function main(args = process.argv.slice(2)) {
   }
   await runRegistryProxy(registryProxyOptionsFromEnv());
 }
-if (isMainModule(import.meta.url)) {
+if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("registry-proxy")) {
   main().catch((err) => {
     console.error(err instanceof Error ? err.message : String(err));
     process.exit(1);