@askexenow/exe-os 0.9.82 → 0.9.84

package/deploy/stack-manifests/v0.9.json

@@ -1,6 +1,6 @@
 {
   "schemaVersion": 1,
-  "latest": "0.9.5",
+  "latest": "0.9.7",
   "stacks": {
     "0.9.0": {
       "version": "0.9.0",
@@ -361,6 +361,142 @@
       },
       "date": "2026-05-12",
       "sourceRef": "stack-v0.9.5"
+    },
+    "0.9.6": {
+      "version": "0.9.6",
+      "releasedAt": "2026-05-12T00:00:00Z",
+      "notes": "Customer stack lifecycle manager: exe-os stack-update now detects cold-start/partial/existing host state, creates compose/env templates, hydrates generated secrets/license/domain, checks/installs Docker on Ubuntu/Debian with --yes, and then plans/applies the pinned stack. Other services remain v0.9.3.",
+      "breakingChanges": [
+        {
+          "id": "whatsapp_relink_required",
+          "title": "WhatsApp QR re-link required for Baileys v7",
+          "description": "exe-gateway uses Baileys v7. Existing WhatsApp 6.x linked-device auth state must be backed up and re-linked once with a new QR code.",
+          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp → Linked Devices after the update.",
+          "expectedDowntimeMinutes": "2-5",
+          "requiresConfirmation": true
+        }
+      ],
+      "services": {
+        "crm": {
+          "env": "CRM_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-crm:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3000/healthz",
+          "deploymentScope": "customer"
+        },
+        "wiki": {
+          "env": "WIKI_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-wiki:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3001/api/ping",
+          "deploymentScope": "customer"
+        },
+        "exed": {
+          "env": "EXED_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exed:v0.9.6",
+          "healthUrl": "http://127.0.0.1:8765/health",
+          "deploymentScope": "customer"
+        },
+        "gateway": {
+          "env": "GATEWAY_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-gateway:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3100/health",
+          "deploymentScope": "customer"
+        },
+        "monitorAgent": {
+          "env": "MONITOR_AGENT_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-monitor-agent:v0.9.3",
+          "deploymentScope": "customer"
+        }
+      },
+      "releaseDescriptors": {
+        "exed": "AskExe/exe-os@stack-v0.9.4:stack.release.json",
+        "crm": "AskExe/exe-crm@0.9.3:stack.release.json",
+        "wiki": "AskExe/exe-wiki@0.9.3:stack.release.json",
+        "gateway": "AskExe/exe-gateway@0.9.3:stack.release.json",
+        "db": "AskExe/exe-db@0.9.3:stack.release.json",
+        "monitorAgent": "AskExe/exe-monitor@0.9.3:stack.release.json"
+      },
+      "componentVersions": {
+        "exe-os": {
+          "repo": "AskExe/exe-os",
+          "npmPackage": "@askexenow/exe-os",
+          "npmVersion": "0.9.83",
+          "image": "registry.askexe.com/askexe/exed:v0.9.4",
+          "imageVersion": "0.9.6",
+          "note": "Customer stack image tag is 0.9.4; bundled npm package is @askexenow/exe-os@0.9.81. Hygo pulls through registry.askexe.com, which proxies the AskExe-owned GHCR artifact server-side.",
+          "sourceRef": "stack-v0.9.4",
+          "commit": "main@stack-v0.9.6"
+        }
+      },
+      "date": "2026-05-12",
+      "sourceRef": "stack-v0.9.6"
+    },
+    "0.9.7": {
+      "version": "0.9.7",
+      "releasedAt": "2026-05-12T00:00:00Z",
+      "notes": "Stack update auth unblock: default manifest now uses the packaged signed/customer manifest when available, so cold-start installs do not require update.askexe.com entitlement provisioning. Remote update service remains opt-in via EXE_STACK_MANIFEST.",
+      "breakingChanges": [
+        {
+          "id": "whatsapp_relink_required",
+          "title": "WhatsApp QR re-link required for Baileys v7",
+          "description": "exe-gateway uses Baileys v7. Existing WhatsApp 6.x linked-device auth state must be backed up and re-linked once with a new QR code.",
+          "requiredAction": "Open https://<gateway-domain>/pair/default?token=<admin-token> and scan from WhatsApp → Linked Devices after the update.",
+          "expectedDowntimeMinutes": "2-5",
+          "requiresConfirmation": true
+        }
+      ],
+      "services": {
+        "crm": {
+          "env": "CRM_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-crm:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3000/healthz",
+          "deploymentScope": "customer"
+        },
+        "wiki": {
+          "env": "WIKI_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-wiki:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3001/api/ping",
+          "deploymentScope": "customer"
+        },
+        "exed": {
+          "env": "EXED_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exed:v0.9.7",
+          "healthUrl": "http://127.0.0.1:8765/health",
+          "deploymentScope": "customer"
+        },
+        "gateway": {
+          "env": "GATEWAY_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-gateway:v0.9.3",
+          "healthUrl": "http://127.0.0.1:3100/health",
+          "deploymentScope": "customer"
+        },
+        "monitorAgent": {
+          "env": "MONITOR_AGENT_IMAGE_TAG",
+          "image": "registry.askexe.com/askexe/exe-monitor-agent:v0.9.3",
+          "deploymentScope": "customer"
+        }
+      },
+      "releaseDescriptors": {
+        "exed": "AskExe/exe-os@stack-v0.9.4:stack.release.json",
+        "crm": "AskExe/exe-crm@0.9.3:stack.release.json",
+        "wiki": "AskExe/exe-wiki@0.9.3:stack.release.json",
+        "gateway": "AskExe/exe-gateway@0.9.3:stack.release.json",
+        "db": "AskExe/exe-db@0.9.3:stack.release.json",
+        "monitorAgent": "AskExe/exe-monitor@0.9.3:stack.release.json"
+      },
+      "componentVersions": {
+        "exe-os": {
+          "repo": "AskExe/exe-os",
+          "npmPackage": "@askexenow/exe-os",
+          "npmVersion": "0.9.84",
+          "image": "registry.askexe.com/askexe/exed:v0.9.4",
+          "imageVersion": "0.9.7",
+          "note": "Customer stack image tag is 0.9.4; bundled npm package is @askexenow/exe-os@0.9.81. Hygo pulls through registry.askexe.com, which proxies the AskExe-owned GHCR artifact server-side.",
+          "sourceRef": "stack-v0.9.4",
+          "commit": "main@stack-v0.9.7"
+        }
+      },
+      "date": "2026-05-12",
+      "sourceRef": "stack-v0.9.7"
     }
   }
 }

package/dist/bin/cli.js

@@ -19745,12 +19745,13 @@ var init_update = __esm({
 });
 
 // src/lib/stack-update.ts
-import { execFileSync as execFileSync4 } from "child_process";
-import { createVerify, verify as verifySignature } from "crypto";
-import { existsSync as existsSync34, mkdirSync as mkdirSync24, readdirSync as readdirSync10, readFileSync as readFileSync29, renameSync as renameSync8, writeFileSync as writeFileSync25 } from "fs";
+import { execFileSync as execFileSync4, spawnSync } from "child_process";
+import { createVerify, randomBytes as randomBytes2, verify as verifySignature } from "crypto";
+import { copyFileSync as copyFileSync5, existsSync as existsSync34, mkdirSync as mkdirSync24, readdirSync as readdirSync10, readFileSync as readFileSync29, renameSync as renameSync8, writeFileSync as writeFileSync25 } from "fs";
 import http from "http";
 import https from "https";
 import path42 from "path";
+import { fileURLToPath as fileURLToPath5 } from "url";
 function isSignedEnvelope(value) {
   return !!value && typeof value === "object" && "manifest" in value && "signature" in value;
 }
@@ -19985,10 +19986,139 @@ Re-run with --allow-breaking ${missing.map((c) => c.id).join(",")}`
     );
   }
 }
+function commandSucceeds(cmd, args2 = []) {
+  const res = spawnSync(cmd, args2, { stdio: "ignore" });
+  return res.status === 0;
+}
+function shellSucceeds(command) {
+  const res = spawnSync("sh", ["-lc", command], { stdio: "ignore" });
+  return res.status === 0;
+}
+function resolvePackageRoot2() {
+  const here = path42.dirname(fileURLToPath5(import.meta.url));
+  const candidates = [
+    path42.resolve(here, "..", ".."),
+    path42.resolve(here, ".."),
+    process.cwd()
+  ];
+  for (const c of candidates) {
+    if (existsSync34(path42.join(c, "package.json")) && existsSync34(path42.join(c, "deploy", "compose", "docker-compose.yml"))) return c;
+  }
+  return process.cwd();
+}
+function copyTemplateIfMissing(srcRel, dest, created) {
+  if (existsSync34(dest)) return;
+  const src = path42.join(resolvePackageRoot2(), srcRel);
+  if (!existsSync34(src)) throw new Error(`Missing packaged stack template: ${srcRel}. Reinstall/update exe-os and retry.`);
+  mkdirSync24(path42.dirname(dest), { recursive: true });
+  copyFileSync5(src, dest);
+  created.push(dest);
+}
+function installDockerUbuntu(exec2) {
+  if (process.platform !== "linux") throw new Error("Docker auto-install is only supported on Linux. Install Docker manually, then retry.");
+  if (!existsSync34("/etc/os-release")) throw new Error("Cannot detect Linux distro; install Docker manually, then retry.");
+  const osRelease = readFileSync29("/etc/os-release", "utf8");
+  if (!/ID=(ubuntu|debian)|ID_LIKE=.*debian/.test(osRelease)) {
+    throw new Error("Docker auto-install currently supports Ubuntu/Debian only. Install Docker manually, then retry.");
+  }
+  const script = [
+    "set -e",
+    "sudo apt-get update",
+    "sudo apt-get install -y ca-certificates curl gnupg",
+    "sudo install -m 0755 -d /etc/apt/keyrings",
+    "if [ ! -f /etc/apt/keyrings/docker.gpg ]; then curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg; sudo chmod a+r /etc/apt/keyrings/docker.gpg; fi",
+    ". /etc/os-release",
+    'CODENAME="${VERSION_CODENAME:-bookworm}"',
+    'if [ "${ID:-}" = "debian" ]; then DOCKER_DISTRO=debian; else DOCKER_DISTRO=ubuntu; fi',
+    `printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/%s %s stable\\n' "$(dpkg --print-architecture)" "$DOCKER_DISTRO" "$CODENAME" | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null`,
+    "sudo apt-get update",
+    "sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin",
+    "sudo systemctl enable --now docker",
+    "sudo docker version >/dev/null",
+    "sudo docker compose version >/dev/null"
+  ].join("\n");
+  exec2("sh", ["-lc", script]);
+}
+function randomSecret(bytes = 32) {
+  return randomBytes2(bytes).toString("base64url");
+}
+function hydrateEnv(raw, opts) {
+  let next = raw;
+  const license = opts.licenseKey || process.env.EXE_LICENSE_KEY || loadLicense() || "";
+  const domain = opts.domain || process.env.EXE_STACK_DOMAIN || process.env.CUSTOMER_DOMAIN || "";
+  const replacements = {};
+  const env = parseEnv(raw);
+  for (const [key, value] of env.entries()) {
+    if (!/CHANGEME/.test(value)) continue;
+    if (key === "EXE_LICENSE_KEY" && license) replacements[key] = license;
+    else if (key.endsWith("_PASSWORD")) replacements[key] = randomSecret(24);
+    else if (key.endsWith("_SECRET") || key.endsWith("_TOKEN") || key.endsWith("_KEY") || key.endsWith("_SALT")) replacements[key] = value.replace(/CHANGEME[A-Z0-9_]*/g, randomSecret(32));
+    else if (key === "EXED_MCP_TOKEN") replacements[key] = randomSecret(32);
+  }
+  if (domain) next = next.replaceAll("CHANGEME_DOMAIN", domain);
+  next = patchEnv(next, replacements);
+  const remaining = [...parseEnv(next).entries()].filter(([, value]) => /CHANGEME/.test(value)).map(([key, value]) => `${key}=${value}`);
+  return { raw: next, hadPlaceholders: /CHANGEME/.test(raw), remaining: [...new Set(remaining)] };
+}
+function bootstrapStackHost(options) {
+  const exec2 = options.exec ?? defaultExec;
+  const createdFiles = [];
+  const actions = [];
+  let dockerInstalled = commandSucceeds("docker", ["version"]);
+  let dockerComposeInstalled = shellSucceeds("docker compose version");
+  if ((!dockerInstalled || !dockerComposeInstalled) && options.installDocker) {
+    actions.push("install_docker");
+    installDockerUbuntu(exec2);
+    dockerInstalled = commandSucceeds("docker", ["version"]);
+    dockerComposeInstalled = shellSucceeds("docker compose version");
+  }
+  copyTemplateIfMissing("deploy/compose/docker-compose.yml", options.composeFile, createdFiles);
+  copyTemplateIfMissing("deploy/compose/.env.customer.example", options.envFile, createdFiles);
+  const brandingDest = path42.join(path42.dirname(options.envFile), "branding.json");
+  copyTemplateIfMissing("deploy/compose/gateway.json", path42.join(path42.dirname(options.envFile), "gateway.json"), createdFiles);
+  if (!existsSync34(brandingDest)) writeFileSync25(brandingDest, JSON.stringify({ brandName: "Hygo", productName: "Hygo OS" }, null, 2) + "\n", { mode: 384 });
+  let envHadPlaceholders = false;
+  let envRemainingPlaceholders = [];
+  if (existsSync34(options.envFile)) {
+    const envRaw = readFileSync29(options.envFile, "utf8");
+    const hydrated = hydrateEnv(envRaw, options);
+    envHadPlaceholders = hydrated.hadPlaceholders;
+    envRemainingPlaceholders = hydrated.remaining;
+    if (hydrated.raw !== envRaw) {
+      writeFileSync25(options.envFile, hydrated.raw, { mode: 384 });
+      actions.push("hydrate_env_secrets");
+    }
+  }
+  return {
+    dockerInstalled,
+    dockerComposeInstalled,
+    composeFileExists: existsSync34(options.composeFile),
+    envFileExists: existsSync34(options.envFile),
+    envHadPlaceholders,
+    envRemainingPlaceholders,
+    licensePresent: !!(options.licenseKey || process.env.EXE_LICENSE_KEY || loadLicense()),
+    createdFiles,
+    actions
+  };
+}
+function assertHostReadyForApply(report) {
+  const blockers = [];
+  if (!report.dockerInstalled) blockers.push("Docker is not installed/running. Re-run with --yes to auto-install on Ubuntu/Debian, or install Docker manually.");
+  if (!report.dockerComposeInstalled) blockers.push("Docker Compose plugin is missing. Re-run with --yes to auto-install on Ubuntu/Debian, or install docker-compose-plugin manually.");
+  if (!report.composeFileExists) blockers.push("docker-compose.yml is missing and could not be created.");
+  if (!report.envFileExists) blockers.push(".env is missing and could not be created.");
+  if (!report.licensePresent) blockers.push("Exe OS license key is missing. Run `exe-os setup`, `exe-os --activate <key>`, or pass --license-key.");
+  const hardPlaceholders = report.envRemainingPlaceholders.filter((p) => !/WHATSAPP|API_ROUTER|MONITOR_AGENT/.test(p));
+  if (hardPlaceholders.length > 0) blockers.push(`Required .env placeholders remain: ${hardPlaceholders.join(", ")}`);
+  if (blockers.length > 0) throw new Error(`Stack host is not ready:
+- ${blockers.join("\n- ")}`);
+}
 async function runStackUpdate(options) {
   const exec2 = options.exec ?? defaultExec;
   const now2 = options.now ?? (() => /* @__PURE__ */ new Date());
   if (options.rollback) return rollbackStackUpdate(options);
+  const report = bootstrapStackHost({ ...options, installDocker: options.installDocker ?? !!options.yes });
+  if (!options.dryRun) assertHostReadyForApply(report);
   const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey, options.manifestAuthToken);
   const envRaw = readFileSync29(options.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, options.targetVersion);
@@ -20156,12 +20286,16 @@ async function defaultPostJson(url, body, authToken) {
 function defaultStackPaths() {
   const cwdCompose = path42.resolve("docker-compose.yml");
   const cwdEnv = path42.resolve(".env");
+  const packagedManifest = path42.join(resolvePackageRoot2(), "deploy", "stack-manifests", "v0.9.json");
+  const manifestRef = process.env.EXE_STACK_MANIFEST || (existsSync34(packagedManifest) ? packagedManifest : "https://update.askexe.com/stack-manifest.json");
   return {
     composeFile: process.env.EXE_STACK_COMPOSE_FILE || (existsSync34(cwdCompose) ? cwdCompose : "/opt/exe-stack/docker-compose.yml"),
     envFile: process.env.EXE_STACK_ENV_FILE || (existsSync34(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
-    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
-    auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
-    imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || "https://update.askexe.com/v1/image-credentials",
+    manifestRef,
+    // Only call update.askexe.com if explicitly configured or if a remote manifest was requested.
+    // Packaged manifests keep cold-start installs unblocked even before update-service entitlements are provisioned.
+    auditUrl: process.env.EXE_STACK_AUDIT_URL || (/^https?:\/\//.test(manifestRef) ? "https://update.askexe.com/v1/deploy-audits" : void 0),
+    imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || (/^https?:\/\//.test(manifestRef) ? "https://update.askexe.com/v1/image-credentials" : void 0),
     manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN || process.env.EXE_LICENSE_KEY || loadLicense() || void 0,
     manifestPublicKey: loadDefaultPublicKey()
   };
@@ -20205,7 +20339,8 @@ function parseArgs4(args2) {
     rollback: false,
     deploymentPersona: process.env.EXE_STACK_DEPLOYMENT_PERSONA === "askexe-control-plane" ? "askexe-control-plane" : "customer",
     yes: false,
-    allowedBreakingChangeIds: []
+    allowedBreakingChangeIds: [],
+    noBootstrap: false
   };
   for (let i = 0; i < args2.length; i++) {
     const arg = args2[i];
@@ -20216,8 +20351,8 @@ function parseArgs4(args2) {
     else if (arg.startsWith("--target=")) opts.targetVersion = arg.split("=")[1];
     else if (arg === "--compose-file") opts.composeFile = next();
     else if (arg.startsWith("--compose-file=")) opts.composeFile = arg.split("=").slice(1).join("=");
-    else if (arg === "--env-file") opts.envFile = next();
-    else if (arg.startsWith("--env-file=")) opts.envFile = arg.split("=").slice(1).join("=");
+    else if (arg === "--env-file" || arg === "--stack-env-file") opts.envFile = next();
+    else if (arg.startsWith("--env-file=") || arg.startsWith("--stack-env-file=")) opts.envFile = arg.split("=").slice(1).join("=");
     else if (arg === "--lock-file") opts.lockFile = next();
     else if (arg === "--public-key") opts.manifestPublicKey = readFileSync30(next(), "utf8");
     else if (arg.startsWith("--public-key=")) opts.manifestPublicKey = readFileSync30(arg.split("=").slice(1).join("="), "utf8");
@@ -20246,6 +20381,9 @@ function parseArgs4(args2) {
     else if (arg.startsWith("--break-glass=")) opts.breakGlassReason = arg.split("=").slice(1).join("=");
     else if (arg === "--break-glass-audit-file") opts.breakGlassAuditFile = next();
     else if (arg.startsWith("--break-glass-audit-file=")) opts.breakGlassAuditFile = arg.split("=").slice(1).join("=");
+    else if (arg === "--domain") opts.domain = next();
+    else if (arg.startsWith("--domain=")) opts.domain = arg.split("=").slice(1).join("=");
+    else if (arg === "--no-bootstrap") opts.noBootstrap = true;
     else if (arg === "--dry-run") opts.dryRun = true;
     else if (arg === "--check") opts.check = true;
     else if (arg === "--yes" || arg === "-y") opts.yes = true;
@@ -20270,10 +20408,13 @@ Options:
   --manifest <ref>           Stack manifest JSON path or URL (default: update.askexe.com)
   --target <version>         Stack version to install (default: manifest.latest)
   --compose-file <path>      docker-compose.yml path (default: ./docker-compose.yml or /opt/exe-stack/docker-compose.yml)
-  --env-file <path>          .env path (default: ./.env or /opt/exe-stack/.env)
+  --stack-env-file <path>    .env path (default: ./.env or /opt/exe-stack/.env)
+  --env-file <path>          Alias; prefer --stack-env-file because Node 22 reserves --env-file
   --lock-file <path>         Lock file path (default: beside .env)
   --check                    Print available changes only
   --dry-run                  Plan only; do not run Docker
+  --domain <domain>          Fill CHANGEME_DOMAIN in new stack .env
+  --no-bootstrap             Do not create templates/hydrate .env/check host prereqs
   --public-key <path>        PEM public key for signed manifest verification
   --auth-token <token>       Bearer token for private update manifest/audit API
   --auth-token-env <name>    Read bearer token from an environment variable
@@ -20311,6 +20452,18 @@ function printBreaking(changes) {
     if (c.expectedDowntimeMinutes) console.log(`    Expected downtime: ${c.expectedDowntimeMinutes} minutes`);
   }
 }
+function printHostReport(report) {
+  console.log("Host preflight:");
+  console.log(`  Docker:         ${report.dockerInstalled ? "\u2705" : "\u274C"}`);
+  console.log(`  Docker Compose: ${report.dockerComposeInstalled ? "\u2705" : "\u274C"}`);
+  console.log(`  Compose file:   ${report.composeFileExists ? "\u2705" : "\u274C"}`);
+  console.log(`  Env file:       ${report.envFileExists ? "\u2705" : "\u274C"}`);
+  console.log(`  License:        ${report.licensePresent ? "\u2705" : "\u274C"}`);
+  if (report.createdFiles.length > 0) console.log(`  Created:        ${report.createdFiles.join(", ")}`);
+  if (report.actions.length > 0) console.log(`  Actions:        ${report.actions.join(", ")}`);
+  if (report.envRemainingPlaceholders.length > 0) console.log(`  Remaining placeholders: ${report.envRemainingPlaceholders.join(", ")}`);
+  console.log("");
+}
 async function main7(args2 = process.argv.slice(2)) {
   const opts = parseArgs4(args2);
   if (opts.rollback) {
@@ -20322,6 +20475,12 @@ async function main7(args2 = process.argv.slice(2)) {
     console.log(`\u2705 Stack rollback attempted using backup: ${result2.backupEnvFile ?? "latest backup"}`);
     return;
   }
+  let hostReport;
+  if (!opts.noBootstrap) {
+    hostReport = bootstrapStackHost({ ...opts, installDocker: opts.yes, domain: opts.domain });
+    printHostReport(hostReport);
+    if (!opts.check && !opts.dryRun) assertHostReadyForApply(hostReport);
+  }
   const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey, opts.manifestAuthToken);
   const envRaw = readFileSync30(opts.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, opts.targetVersion);
@@ -34902,7 +35061,7 @@ __export(code_context_index_exports, {
 import crypto14 from "crypto";
 import path51 from "path";
 import { existsSync as existsSync36, mkdirSync as mkdirSync25, readFileSync as readFileSync32, readdirSync as readdirSync11, statSync as statSync7, writeFileSync as writeFileSync26 } from "fs";
-import { spawnSync } from "child_process";
+import { spawnSync as spawnSync2 } from "child_process";
 function normalizeProjectRoot(projectRoot) {
   return path51.resolve(projectRoot || process.cwd());
 }
@@ -34920,7 +35079,7 @@ function getCodeContextIndexPath(projectRoot) {
   return path51.join(indexDir(), `${rootHash}.json`);
 }
 function currentBranch(projectRoot) {
-  const result = spawnSync("git", ["branch", "--show-current"], { cwd: projectRoot, encoding: "utf8", timeout: 2e3 });
+  const result = spawnSync2("git", ["branch", "--show-current"], { cwd: projectRoot, encoding: "utf8", timeout: 2e3 });
   const branch = result.status === 0 ? result.stdout.trim() : "";
   return branch || "detached-or-unknown";
 }
@@ -34939,12 +35098,12 @@ function listRecursive(projectRoot, dir = projectRoot, out = []) {
   return out;
 }
 function listCodeFiles(projectRoot, maxFiles) {
-  const git = spawnSync("git", ["ls-files"], { cwd: projectRoot, encoding: "utf8", timeout: 5e3, maxBuffer: 1024 * 1024 * 16 });
+  const git = spawnSync2("git", ["ls-files"], { cwd: projectRoot, encoding: "utf8", timeout: 5e3, maxBuffer: 1024 * 1024 * 16 });
   let files = [];
   if (git.status === 0 && git.stdout.trim()) {
     files = git.stdout.split("\n").map((s) => s.trim()).filter(Boolean);
   } else {
-    const rg = spawnSync("rg", ["--files"], { cwd: projectRoot, encoding: "utf8", timeout: 5e3, maxBuffer: 1024 * 1024 * 16 });
+    const rg = spawnSync2("rg", ["--files"], { cwd: projectRoot, encoding: "utf8", timeout: 5e3, maxBuffer: 1024 * 1024 * 16 });
     files = rg.status === 0 && rg.stdout.trim() ? rg.stdout.split("\n").map((s) => s.trim()).filter(Boolean) : listRecursive(projectRoot);
   }
   return files.map((file) => file.replaceAll(path51.sep, "/")).filter((file) => isChunkable(file) && !shouldIgnore(file)).slice(0, maxFiles).sort();
@@ -36146,9 +36305,9 @@ if (args.includes("--global")) {
   );
   await runClaudeInstall();
 } else if (args.includes("--commands-only")) {
-  const { copySlashCommands: copySlashCommands2, resolvePackageRoot: resolvePackageRoot2 } = await Promise.resolve().then(() => (init_installer(), installer_exports));
+  const { copySlashCommands: copySlashCommands2, resolvePackageRoot: resolvePackageRoot3 } = await Promise.resolve().then(() => (init_installer(), installer_exports));
   try {
-    const packageRoot = resolvePackageRoot2();
+    const packageRoot = resolvePackageRoot3();
     const result = await copySlashCommands2(packageRoot);
     if (result.copied > 0) {
       process.stderr.write(