@askexenow/exe-os 0.9.82 → 0.9.84

package/deploy/compose/.env

@@ -0,0 +1,73 @@
+# exe-os VPS stack — environment variables
+#
+# Copy from .env.example and fill real values:   cp .env.example .env
+# `docker compose config` parses cleanly with this file unmodified — the stack
+# uses bash-style ${VAR:-default} so missing vars never break parse.
+# Anything prefixed CHANGEME_ MUST be replaced before `docker compose up -d`.
+
+# ------------------------------------------------------------------
+# Exe license — required for all services. Purchase at https://askexe.com
+# ------------------------------------------------------------------
+EXE_LICENSE_KEY=CHANGEME_EXE_LICENSE_KEY
+
+# ------------------------------------------------------------------
+# Image tags (per-client pinning — never use :latest in production)
+# ------------------------------------------------------------------
+CRM_IMAGE_TAG=ghcr.io/askexe/exe-crm:v0.9.1
+WIKI_IMAGE_TAG=ghcr.io/askexe/exe-wiki:v0.9.1
+EXED_IMAGE_TAG=ghcr.io/askexe/exed:v0.9.66
+GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.1
+
+# ------------------------------------------------------------------
+# Postgres (shared by CRM + wiki)
+# ------------------------------------------------------------------
+POSTGRES_USER=exe
+POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD
+POSTGRES_DB=default
+WIKI_DB_NAME=wiki
+
+# ------------------------------------------------------------------
+# ClickHouse (CRM analytics)
+# ------------------------------------------------------------------
+CLICKHOUSE_DB=default
+CLICKHOUSE_USER=exe
+CLICKHOUSE_PASSWORD=CHANGEME_CLICKHOUSE_PASSWORD
+
+# ------------------------------------------------------------------
+# Redis (CRM cache/queue)
+# ------------------------------------------------------------------
+REDIS_PASSWORD=CHANGEME_REDIS_PASSWORD
+
+# ------------------------------------------------------------------
+# CRM (Twenty fork)
+# ------------------------------------------------------------------
+CRM_SERVER_URL=https://CHANGEME_DOMAIN
+CRM_APP_SECRET=CHANGEME_CRM_APP_SECRET
+CRM_HOST_PORT=3000
+
+# ------------------------------------------------------------------
+# Wiki (AnythingLLM fork)
+# ------------------------------------------------------------------
+WIKI_AUTH_TOKEN=CHANGEME_WIKI_AUTH_TOKEN
+WIKI_JWT_SECRET=CHANGEME_WIKI_JWT_SECRET
+WIKI_SIG_KEY=CHANGEME_WIKI_SIG_KEY
+WIKI_SIG_SALT=CHANGEME_WIKI_SIG_SALT
+WIKI_HOST_PORT=3001
+
+# ------------------------------------------------------------------
+# exed (exe-os daemon — MCP embedding + memory backend)
+# ------------------------------------------------------------------
+EXED_MCP_TOKEN=CHANGEME_EXED_MCP_TOKEN
+EXED_DEVICE_ID=vps-default
+
+# ------------------------------------------------------------------
+# Gateway (WhatsApp/Signal/webhook bridge)
+# ------------------------------------------------------------------
+EXE_GATEWAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_AUTH_TOKEN
+EXE_GATEWAY_WS_RELAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_WS_RELAY_AUTH_TOKEN
+EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN=CHANGEME_EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN
+WHATSAPP_ACCESS_TOKEN=
+API_ROUTER_URL=https://gateway.askexe.com
+API_ROUTER_KEY=exe_rk_CHANGEME_API_ROUTER_KEY
+GATEWAY_HTTP_HOST_PORT=3100
+GATEWAY_WS_HOST_PORT=3101

package/deploy/compose/.env.askexe-control-plane.example

@@ -0,0 +1,18 @@
+# AskExe CONTROL-PLANE example environment variables
+# This file is for AskExe-owned infrastructure only. Do NOT use for Hygo/customer VPSs.
+
+# --- Central monitor hub (AskExe-owned: monitor.askexe.com) ---
+MONITOR_HUB_IMAGE_TAG=ghcr.io/askexe/exe-monitor-hub:v0.9.2
+MONITOR_HUB_PUBLIC_URL=https://monitor.askexe.com
+MONITOR_HUB_SOURCE_DIR=/opt/exe-monitor
+MONITOR_HUB_HOST_PORT=8090
+MONITOR_HUB_DATA_DIR=/opt/exe-monitor-data
+MONITOR_TRUSTED_AUTH_HEADER=X-AskExe-User-Email
+# Keep false during bootstrap; set true only after GoTrue/auth proxy is verified.
+MONITOR_DISABLE_PASSWORD_AUTH=false
+MONITOR_USER_CREATION=true
+MONITOR_SHARE_ALL_SYSTEMS=false
+
+# --- AskExe central services (not customer-hosted) ---
+# License server, update API, API router, and exe-create are AskExe-owned services.
+# Customer VPSs consume them over HTTPS with EXE_LICENSE_KEY/API_ROUTER_KEY; they do not host them.

package/deploy/compose/.env.customer.example

@@ -0,0 +1,69 @@
+# exe-os CUSTOMER VPS stack — Hygo/customer example environment variables
+# Copy to .env before deployment and replace every CHANGEME_* value.
+# Values under # SET_MANUALLY must be provided by the operator.
+
+# --- Data Layer ---
+POSTGRES_USER=exe
+POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD
+POSTGRES_DB=default
+
+CLICKHOUSE_DB=default
+CLICKHOUSE_USER=exe
+CLICKHOUSE_PASSWORD=CHANGEME_CLICKHOUSE_PASSWORD
+
+REDIS_PASSWORD=CHANGEME_REDIS_PASSWORD
+
+# --- CRM ---
+CRM_IMAGE_TAG=registry.askexe.com/askexe/exe-crm:v0.9.3
+CRM_SERVER_URL=https://CHANGEME_DOMAIN
+CRM_APP_SECRET=CHANGEME_CRM_APP_SECRET
+CRM_HOST_PORT=3000
+
+# --- Wiki ---
+WIKI_IMAGE_TAG=registry.askexe.com/askexe/exe-wiki:v0.9.3
+WIKI_DB_SCHEMA=wiki
+WIKI_VECTOR_DB=postgres
+WIKI_AUTH_TOKEN=CHANGEME_WIKI_AUTH_TOKEN
+WIKI_JWT_SECRET=CHANGEME_WIKI_JWT_SECRET
+WIKI_SIG_KEY=CHANGEME_WIKI_SIG_KEY
+WIKI_SIG_SALT=CHANGEME_WIKI_SIG_SALT
+WIKI_HOST_PORT=3001
+
+# --- exed ---
+EXED_IMAGE_TAG=registry.askexe.com/askexe/exed:v0.9.7
+EXED_MCP_TOKEN=CHANGEME_EXED_MCP_TOKEN
+EXED_DEVICE_ID=hygo-vps
+# VPS-only: enables cloud/local SQLite -> exe-db Postgres projection.
+# Keep false on laptops/dev boxes.
+EXE_CLOUD_SYNC_TO_POSTGRES=true
+
+# --- Gateway ---
+GATEWAY_IMAGE_TAG=registry.askexe.com/askexe/exe-gateway:v0.9.3
+EXE_GATEWAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_AUTH_TOKEN
+EXE_GATEWAY_WS_RELAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_WS_RELAY_AUTH_TOKEN
+EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN=CHANGEME_EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN
+# SET_MANUALLY
+WHATSAPP_ACCESS_TOKEN=
+API_ROUTER_URL=https://gateway.askexe.com
+API_ROUTER_KEY=exe_rk_CHANGEME_API_ROUTER_KEY
+# BYOK: to use your own API keys instead of the Exe API Router,
+# set BYOK_ENABLED=true and provide ANTHROPIC_API_KEY below.
+# BYOK_ENABLED=false
+# ANTHROPIC_API_KEY=CHANGEME_ANTHROPIC_API_KEY
+GATEWAY_HTTP_HOST_PORT=3100
+GATEWAY_WS_HOST_PORT=3101
+
+# --- Monitoring agent (standard for managed customer VPSs) ---
+MONITOR_AGENT_IMAGE_TAG=registry.askexe.com/askexe/exe-monitor-agent:v0.9.3
+MONITOR_HUB_URL=https://monitor.askexe.com
+# Required: values copied from monitor.askexe.com when adding the Hygo/customer system.
+MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN_FROM_MONITOR_HUB
+MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_PUBLIC_KEY_FROM_MONITOR_HUB
+MONITOR_AGENT_LISTEN=:45876
+
+# --- AskExe central monitoring hub ---
+# Not included on customer VPSs. Hygo/customer deployments run exe-monitor-agent above, never the hub.
+
+# --- License ---
+# injected by deploy_client
+EXE_LICENSE_KEY=CHANGEME_EXE_LICENSE_KEY

package/deploy/compose/.env.example

@@ -0,0 +1,69 @@
+# exe-os CUSTOMER VPS stack — Hygo/customer example environment variables
+# Copy to .env before deployment and replace every CHANGEME_* value.
+# Values under # SET_MANUALLY must be provided by the operator.
+
+# --- Data Layer ---
+POSTGRES_USER=exe
+POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD
+POSTGRES_DB=default
+
+CLICKHOUSE_DB=default
+CLICKHOUSE_USER=exe
+CLICKHOUSE_PASSWORD=CHANGEME_CLICKHOUSE_PASSWORD
+
+REDIS_PASSWORD=CHANGEME_REDIS_PASSWORD
+
+# --- CRM ---
+CRM_IMAGE_TAG=registry.askexe.com/askexe/exe-crm:v0.9.3
+CRM_SERVER_URL=https://CHANGEME_DOMAIN
+CRM_APP_SECRET=CHANGEME_CRM_APP_SECRET
+CRM_HOST_PORT=3000
+
+# --- Wiki ---
+WIKI_IMAGE_TAG=registry.askexe.com/askexe/exe-wiki:v0.9.3
+WIKI_DB_SCHEMA=wiki
+WIKI_VECTOR_DB=postgres
+WIKI_AUTH_TOKEN=CHANGEME_WIKI_AUTH_TOKEN
+WIKI_JWT_SECRET=CHANGEME_WIKI_JWT_SECRET
+WIKI_SIG_KEY=CHANGEME_WIKI_SIG_KEY
+WIKI_SIG_SALT=CHANGEME_WIKI_SIG_SALT
+WIKI_HOST_PORT=3001
+
+# --- exed ---
+EXED_IMAGE_TAG=registry.askexe.com/askexe/exed:v0.9.7
+EXED_MCP_TOKEN=CHANGEME_EXED_MCP_TOKEN
+EXED_DEVICE_ID=hygo-vps
+# VPS-only: enables cloud/local SQLite -> exe-db Postgres projection.
+# Keep false on laptops/dev boxes.
+EXE_CLOUD_SYNC_TO_POSTGRES=true
+
+# --- Gateway ---
+GATEWAY_IMAGE_TAG=registry.askexe.com/askexe/exe-gateway:v0.9.3
+EXE_GATEWAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_AUTH_TOKEN
+EXE_GATEWAY_WS_RELAY_AUTH_TOKEN=CHANGEME_EXE_GATEWAY_WS_RELAY_AUTH_TOKEN
+EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN=CHANGEME_EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN
+# SET_MANUALLY
+WHATSAPP_ACCESS_TOKEN=
+API_ROUTER_URL=https://gateway.askexe.com
+API_ROUTER_KEY=exe_rk_CHANGEME_API_ROUTER_KEY
+# BYOK: to use your own API keys instead of the Exe API Router,
+# set BYOK_ENABLED=true and provide ANTHROPIC_API_KEY below.
+# BYOK_ENABLED=false
+# ANTHROPIC_API_KEY=CHANGEME_ANTHROPIC_API_KEY
+GATEWAY_HTTP_HOST_PORT=3100
+GATEWAY_WS_HOST_PORT=3101
+
+# --- Monitoring agent (standard for managed customer VPSs) ---
+MONITOR_AGENT_IMAGE_TAG=registry.askexe.com/askexe/exe-monitor-agent:v0.9.3
+MONITOR_HUB_URL=https://monitor.askexe.com
+# Required: values copied from monitor.askexe.com when adding the Hygo/customer system.
+MONITOR_AGENT_TOKEN=CHANGEME_MONITOR_AGENT_TOKEN_FROM_MONITOR_HUB
+MONITOR_AGENT_KEY=CHANGEME_MONITOR_AGENT_PUBLIC_KEY_FROM_MONITOR_HUB
+MONITOR_AGENT_LISTEN=:45876
+
+# --- AskExe central monitoring hub ---
+# Not included on customer VPSs. Hygo/customer deployments run exe-monitor-agent above, never the hub.
+
+# --- License ---
+# injected by deploy_client
+EXE_LICENSE_KEY=CHANGEME_EXE_LICENSE_KEY

package/deploy/compose/README.md

@@ -0,0 +1,164 @@
+# Deployment persona warning
+
+Customer VPS deployments (Hygo/High/etc.) must start from `.env.customer.example`. AskExe-owned control-plane variables live in `.env.askexe-control-plane.example` and must not be copied to customer VPSs.
+
+# exe-os VPS stack — `deploy/compose/`
+
+Full production stack for a single client VPS: CRM + wiki + gateway + exed
+backed by Postgres, ClickHouse, and Redis. Pinned image tags, healthchecks on
+every service, named volumes for persistence, and host-nginx-friendly port
+publishing on `127.0.0.1`.
+
+This is the **Lane A-2** deliverable from the v1.6 execution plan
+(`exe/output/v16-execution-plan.md`). Pairs with **Lane A-1** Ansible roles
+which provision the host and install nginx-tls; the `nginx-tls` role includes
+the snippets at `../nginx/snippets/*.conf` from `/etc/nginx/snippets/`.
+
+The standalone **gateway-only** compose at `deploy/docker-compose.yml` remains
+unchanged; this directory is the full stack.
+
+---
+
+## Services
+
+| Service        | Image                                         | Pin source             | Internal port |
+|----------------|-----------------------------------------------|------------------------|---------------|
+| `crm-postgres` | `postgres:16.6-alpine`                        | hard-pinned            | 5432          |
+| `clickhouse`   | `clickhouse/clickhouse-server:24.8.4.13-alpine` | hard-pinned          | 8123 / 9000   |
+| `redis`        | `redis:7.4-alpine`                            | hard-pinned            | 6379          |
+| `exe-crm`      | `${CRM_IMAGE_TAG}`                            | `.env`                 | 3000          |
+| `exe-crm-worker` | `${CRM_IMAGE_TAG}`                          | `.env`                 | —             |
+| `exe-wiki`     | `${WIKI_IMAGE_TAG}`                           | `.env`                 | 3001          |
+| `exed`         | `${EXED_IMAGE_TAG}`                           | `.env`                 | 8765          |
+| `exe-gateway`  | `${GATEWAY_IMAGE_TAG}`                        | `.env`                 | 3100 / 3101   |
+
+DB minor pins reflect the LTS line per service. Bump in lockstep when the
+upstream LTS rolls.
+
+## Networks
+
+- `backend` (`10.42.0.0/24`) — every service. Inter-service traffic only.
+- `frontend` (`10.43.0.0/24`) — apps that terminate user traffic
+  (`exe-crm`, `exe-wiki`, `exe-gateway`). DBs never join this net.
+
+Apps publish their HTTP ports to `127.0.0.1` on the host so the host-installed
+nginx (Lane A-1 `nginx-tls`) can reverse-proxy them. Override the host port via
+`CRM_HOST_PORT` / `WIKI_HOST_PORT` / `GATEWAY_HTTP_HOST_PORT` /
+`GATEWAY_WS_HOST_PORT` if you co-host multiple stacks.
+
+## Company Brain projection guard
+
+`exed` is the only place in the stack that should project cloud/local memory
+into exe-db Postgres. This is **VPS-only** behavior. Founder/customer laptops
+remain SQLite + encrypted cloud sync only.
+
+The stack enables projection explicitly with:
+
+```env
+EXE_CLOUD_SYNC_TO_POSTGRES=true
+DATABASE_URL=postgres://...
+```
+
+Code must not infer Postgres projection from a local `~/exe-db` checkout or a
+stray `DATABASE_URL`; both the explicit gate and the DB URL are required.
+
+## Volumes
+
+`postgres_data`, `clickhouse_data`, `clickhouse_logs`, `redis_data`,
+`crm_data`, `wiki_data`, `exed_data`, `gateway_data` — local driver, persisted
+under `/var/lib/docker/volumes/exe-os_*`. Backups (Lane G, Wave 2) snapshot
+these.
+
+---
+
+## Runbook
+
+### 1. Validate config (no secrets needed)
+
+```bash
+cd deploy/compose/
+cp .env.customer.example .env
+docker compose -f docker-compose.yml config >/dev/null && echo OK
+```
+
+This is the `48224c7` invariant: parse must succeed on a fresh clone with
+`.env.example` copied verbatim. The `env_file: required: false` gate keeps
+this true even without `.env`. CI should run the same command.
+
+### 2. Fill secrets
+
+Edit `.env`. Replace every `CHANGEME_*` value. Set image tags to the versions
+you want pinned for this client. Rotate secrets per the standard rotation
+policy.
+
+### 3. Boot the stack
+
+```bash
+docker compose -f docker-compose.yml up -d
+docker compose -f docker-compose.yml ps
+```
+
+DBs come up first; apps wait on `condition: service_healthy`. Expect ~60s to
+fully healthy on a fresh VPS.
+
+`exe-gateway` also expects `deploy/compose/gateway.json` to exist. This repo
+ships a minimal checked-in config that env overrides can layer on top of.
+
+### 4. Wire host nginx
+
+The Lane A-1 `nginx-tls` Ansible role drops `../nginx/snippets/*.conf` into
+`/etc/nginx/snippets/` and renders per-host server blocks for
+`crm.<client>.com`, `wiki.<client>.com`, `gateway.<client>.com` that
+`include` the matching snippet. Reload nginx after `compose up -d`:
+
+```bash
+sudo nginx -t && sudo systemctl reload nginx
+```
+
+### 5. Verify end-to-end
+
+```bash
+curl -fsS https://crm.<client>.com/healthz       # exe-crm
+curl -fsS https://wiki.<client>.com/api/ping     # exe-wiki
+curl -fsS https://gateway.<client>.com/health    # exe-gateway
+```
+
+---
+
+## Out of scope (handled by other Wave-1/2 lanes)
+
+- Ansible host provisioning + nginx-tls — Lane A-1 (tom1)
+- Image build pipelines for `exe-crm` / `exe-wiki` / `exed` / `exe-gateway` —
+  consumers of the pinned tags; not built by this compose
+- Daily backup cron — Lane G / I4 (Wave 2)
+- Upgrade / rollback workflow — Lane K / I3 (Wave 2)
+
+## Stack manifest updates (v0.9)
+
+Customer VPS updates use the self-hosted omnibus model: customers update one
+Exe OS stack version, not individual repo versions. The stack manifest pins the
+compatible image tags for CRM, Wiki, exed, Gateway, and monitor agent.
+
+Dry-run a local manifest:
+
+```bash
+exe-os stack-update \
+  --manifest ./deploy/stack-manifests/v0.9.json \
+  --compose-file ./deploy/compose/docker-compose.yml \
+  --env-file ./deploy/compose/.env.example \
+  --check
+```
+
+Run on a customer VPS after reviewing breaking-change notices:
+
+```bash
+exe-os stack-update \
+  --manifest https://update.askexe.com/v1/stack-manifest.json \
+  --allow-breaking whatsapp_relink_required \
+  --yes
+```
+
+`stack-update` backs up the current `.env`, patches pinned image tags from the
+manifest, runs `docker compose pull && docker compose up -d`, health-checks the
+stack, writes `.exe-stack-lock.json`, and restores the previous `.env` if the
+rollout fails.