@askexenow/exe-os 0.9.82 → 0.9.84

package/dist/bin/stack-update.js

@@ -19,12 +19,13 @@ function isMainModule(importMetaUrl) {
 }
 
 // src/lib/stack-update.ts
-import { execFileSync } from "child_process";
-import { createVerify, verify as verifySignature } from "crypto";
-import { existsSync as existsSync4, mkdirSync as mkdirSync3, readdirSync, readFileSync as readFileSync3, renameSync as renameSync2, writeFileSync as writeFileSync2 } from "fs";
+import { execFileSync, spawnSync } from "child_process";
+import { createVerify, randomBytes, verify as verifySignature } from "crypto";
+import { copyFileSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readdirSync, readFileSync as readFileSync3, renameSync as renameSync2, writeFileSync as writeFileSync2 } from "fs";
 import http from "http";
 import https from "https";
 import path3 from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
 
 // src/lib/license.ts
 import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
@@ -382,10 +383,139 @@ Re-run with --allow-breaking ${missing.map((c) => c.id).join(",")}`
     );
   }
 }
+function commandSucceeds(cmd, args = []) {
+  const res = spawnSync(cmd, args, { stdio: "ignore" });
+  return res.status === 0;
+}
+function shellSucceeds(command) {
+  const res = spawnSync("sh", ["-lc", command], { stdio: "ignore" });
+  return res.status === 0;
+}
+function resolvePackageRoot() {
+  const here = path3.dirname(fileURLToPath2(import.meta.url));
+  const candidates = [
+    path3.resolve(here, "..", ".."),
+    path3.resolve(here, ".."),
+    process.cwd()
+  ];
+  for (const c of candidates) {
+    if (existsSync4(path3.join(c, "package.json")) && existsSync4(path3.join(c, "deploy", "compose", "docker-compose.yml"))) return c;
+  }
+  return process.cwd();
+}
+function copyTemplateIfMissing(srcRel, dest, created) {
+  if (existsSync4(dest)) return;
+  const src = path3.join(resolvePackageRoot(), srcRel);
+  if (!existsSync4(src)) throw new Error(`Missing packaged stack template: ${srcRel}. Reinstall/update exe-os and retry.`);
+  mkdirSync3(path3.dirname(dest), { recursive: true });
+  copyFileSync(src, dest);
+  created.push(dest);
+}
+function installDockerUbuntu(exec) {
+  if (process.platform !== "linux") throw new Error("Docker auto-install is only supported on Linux. Install Docker manually, then retry.");
+  if (!existsSync4("/etc/os-release")) throw new Error("Cannot detect Linux distro; install Docker manually, then retry.");
+  const osRelease = readFileSync3("/etc/os-release", "utf8");
+  if (!/ID=(ubuntu|debian)|ID_LIKE=.*debian/.test(osRelease)) {
+    throw new Error("Docker auto-install currently supports Ubuntu/Debian only. Install Docker manually, then retry.");
+  }
+  const script = [
+    "set -e",
+    "sudo apt-get update",
+    "sudo apt-get install -y ca-certificates curl gnupg",
+    "sudo install -m 0755 -d /etc/apt/keyrings",
+    "if [ ! -f /etc/apt/keyrings/docker.gpg ]; then curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg; sudo chmod a+r /etc/apt/keyrings/docker.gpg; fi",
+    ". /etc/os-release",
+    'CODENAME="${VERSION_CODENAME:-bookworm}"',
+    'if [ "${ID:-}" = "debian" ]; then DOCKER_DISTRO=debian; else DOCKER_DISTRO=ubuntu; fi',
+    `printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/%s %s stable\\n' "$(dpkg --print-architecture)" "$DOCKER_DISTRO" "$CODENAME" | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null`,
+    "sudo apt-get update",
+    "sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin",
+    "sudo systemctl enable --now docker",
+    "sudo docker version >/dev/null",
+    "sudo docker compose version >/dev/null"
+  ].join("\n");
+  exec("sh", ["-lc", script]);
+}
+function randomSecret(bytes = 32) {
+  return randomBytes(bytes).toString("base64url");
+}
+function hydrateEnv(raw, opts) {
+  let next = raw;
+  const license = opts.licenseKey || process.env.EXE_LICENSE_KEY || loadLicense() || "";
+  const domain = opts.domain || process.env.EXE_STACK_DOMAIN || process.env.CUSTOMER_DOMAIN || "";
+  const replacements = {};
+  const env = parseEnv(raw);
+  for (const [key, value] of env.entries()) {
+    if (!/CHANGEME/.test(value)) continue;
+    if (key === "EXE_LICENSE_KEY" && license) replacements[key] = license;
+    else if (key.endsWith("_PASSWORD")) replacements[key] = randomSecret(24);
+    else if (key.endsWith("_SECRET") || key.endsWith("_TOKEN") || key.endsWith("_KEY") || key.endsWith("_SALT")) replacements[key] = value.replace(/CHANGEME[A-Z0-9_]*/g, randomSecret(32));
+    else if (key === "EXED_MCP_TOKEN") replacements[key] = randomSecret(32);
+  }
+  if (domain) next = next.replaceAll("CHANGEME_DOMAIN", domain);
+  next = patchEnv(next, replacements);
+  const remaining = [...parseEnv(next).entries()].filter(([, value]) => /CHANGEME/.test(value)).map(([key, value]) => `${key}=${value}`);
+  return { raw: next, hadPlaceholders: /CHANGEME/.test(raw), remaining: [...new Set(remaining)] };
+}
+function bootstrapStackHost(options) {
+  const exec = options.exec ?? defaultExec;
+  const createdFiles = [];
+  const actions = [];
+  let dockerInstalled = commandSucceeds("docker", ["version"]);
+  let dockerComposeInstalled = shellSucceeds("docker compose version");
+  if ((!dockerInstalled || !dockerComposeInstalled) && options.installDocker) {
+    actions.push("install_docker");
+    installDockerUbuntu(exec);
+    dockerInstalled = commandSucceeds("docker", ["version"]);
+    dockerComposeInstalled = shellSucceeds("docker compose version");
+  }
+  copyTemplateIfMissing("deploy/compose/docker-compose.yml", options.composeFile, createdFiles);
+  copyTemplateIfMissing("deploy/compose/.env.customer.example", options.envFile, createdFiles);
+  const brandingDest = path3.join(path3.dirname(options.envFile), "branding.json");
+  copyTemplateIfMissing("deploy/compose/gateway.json", path3.join(path3.dirname(options.envFile), "gateway.json"), createdFiles);
+  if (!existsSync4(brandingDest)) writeFileSync2(brandingDest, JSON.stringify({ brandName: "Hygo", productName: "Hygo OS" }, null, 2) + "\n", { mode: 384 });
+  let envHadPlaceholders = false;
+  let envRemainingPlaceholders = [];
+  if (existsSync4(options.envFile)) {
+    const envRaw = readFileSync3(options.envFile, "utf8");
+    const hydrated = hydrateEnv(envRaw, options);
+    envHadPlaceholders = hydrated.hadPlaceholders;
+    envRemainingPlaceholders = hydrated.remaining;
+    if (hydrated.raw !== envRaw) {
+      writeFileSync2(options.envFile, hydrated.raw, { mode: 384 });
+      actions.push("hydrate_env_secrets");
+    }
+  }
+  return {
+    dockerInstalled,
+    dockerComposeInstalled,
+    composeFileExists: existsSync4(options.composeFile),
+    envFileExists: existsSync4(options.envFile),
+    envHadPlaceholders,
+    envRemainingPlaceholders,
+    licensePresent: !!(options.licenseKey || process.env.EXE_LICENSE_KEY || loadLicense()),
+    createdFiles,
+    actions
+  };
+}
+function assertHostReadyForApply(report) {
+  const blockers = [];
+  if (!report.dockerInstalled) blockers.push("Docker is not installed/running. Re-run with --yes to auto-install on Ubuntu/Debian, or install Docker manually.");
+  if (!report.dockerComposeInstalled) blockers.push("Docker Compose plugin is missing. Re-run with --yes to auto-install on Ubuntu/Debian, or install docker-compose-plugin manually.");
+  if (!report.composeFileExists) blockers.push("docker-compose.yml is missing and could not be created.");
+  if (!report.envFileExists) blockers.push(".env is missing and could not be created.");
+  if (!report.licensePresent) blockers.push("Exe OS license key is missing. Run `exe-os setup`, `exe-os --activate <key>`, or pass --license-key.");
+  const hardPlaceholders = report.envRemainingPlaceholders.filter((p) => !/WHATSAPP|API_ROUTER|MONITOR_AGENT/.test(p));
+  if (hardPlaceholders.length > 0) blockers.push(`Required .env placeholders remain: ${hardPlaceholders.join(", ")}`);
+  if (blockers.length > 0) throw new Error(`Stack host is not ready:
+- ${blockers.join("\n- ")}`);
+}
 async function runStackUpdate(options) {
   const exec = options.exec ?? defaultExec;
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
   if (options.rollback) return rollbackStackUpdate(options);
+  const report = bootstrapStackHost({ ...options, installDocker: options.installDocker ?? !!options.yes });
+  if (!options.dryRun) assertHostReadyForApply(report);
   const manifest = await loadStackManifest(options.manifestRef, options.fetchText, options.manifestPublicKey, options.manifestAuthToken);
   const envRaw = readFileSync3(options.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, options.targetVersion);
@@ -553,12 +683,16 @@ async function defaultPostJson(url, body, authToken) {
 function defaultStackPaths() {
   const cwdCompose = path3.resolve("docker-compose.yml");
   const cwdEnv = path3.resolve(".env");
+  const packagedManifest = path3.join(resolvePackageRoot(), "deploy", "stack-manifests", "v0.9.json");
+  const manifestRef = process.env.EXE_STACK_MANIFEST || (existsSync4(packagedManifest) ? packagedManifest : "https://update.askexe.com/stack-manifest.json");
   return {
     composeFile: process.env.EXE_STACK_COMPOSE_FILE || (existsSync4(cwdCompose) ? cwdCompose : "/opt/exe-stack/docker-compose.yml"),
     envFile: process.env.EXE_STACK_ENV_FILE || (existsSync4(cwdEnv) ? cwdEnv : "/opt/exe-stack/.env"),
-    manifestRef: process.env.EXE_STACK_MANIFEST || "https://update.askexe.com/stack-manifest.json",
-    auditUrl: process.env.EXE_STACK_AUDIT_URL || "https://update.askexe.com/v1/deploy-audits",
-    imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || "https://update.askexe.com/v1/image-credentials",
+    manifestRef,
+    // Only call update.askexe.com if explicitly configured or if a remote manifest was requested.
+    // Packaged manifests keep cold-start installs unblocked even before update-service entitlements are provisioned.
+    auditUrl: process.env.EXE_STACK_AUDIT_URL || (/^https?:\/\//.test(manifestRef) ? "https://update.askexe.com/v1/deploy-audits" : void 0),
+    imageCredentialsUrl: process.env.EXE_STACK_IMAGE_CREDENTIALS_URL || (/^https?:\/\//.test(manifestRef) ? "https://update.askexe.com/v1/image-credentials" : void 0),
     manifestAuthToken: process.env.EXE_STACK_UPDATE_TOKEN || process.env.EXE_LICENSE_KEY || loadLicense() || void 0,
     manifestPublicKey: loadDefaultPublicKey()
   };
@@ -589,7 +723,8 @@ function parseArgs(args) {
     rollback: false,
     deploymentPersona: process.env.EXE_STACK_DEPLOYMENT_PERSONA === "askexe-control-plane" ? "askexe-control-plane" : "customer",
     yes: false,
-    allowedBreakingChangeIds: []
+    allowedBreakingChangeIds: [],
+    noBootstrap: false
   };
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
@@ -600,8 +735,8 @@ function parseArgs(args) {
     else if (arg.startsWith("--target=")) opts.targetVersion = arg.split("=")[1];
     else if (arg === "--compose-file") opts.composeFile = next();
     else if (arg.startsWith("--compose-file=")) opts.composeFile = arg.split("=").slice(1).join("=");
-    else if (arg === "--env-file") opts.envFile = next();
-    else if (arg.startsWith("--env-file=")) opts.envFile = arg.split("=").slice(1).join("=");
+    else if (arg === "--env-file" || arg === "--stack-env-file") opts.envFile = next();
+    else if (arg.startsWith("--env-file=") || arg.startsWith("--stack-env-file=")) opts.envFile = arg.split("=").slice(1).join("=");
     else if (arg === "--lock-file") opts.lockFile = next();
     else if (arg === "--public-key") opts.manifestPublicKey = readFileSync4(next(), "utf8");
     else if (arg.startsWith("--public-key=")) opts.manifestPublicKey = readFileSync4(arg.split("=").slice(1).join("="), "utf8");
@@ -630,6 +765,9 @@ function parseArgs(args) {
     else if (arg.startsWith("--break-glass=")) opts.breakGlassReason = arg.split("=").slice(1).join("=");
     else if (arg === "--break-glass-audit-file") opts.breakGlassAuditFile = next();
     else if (arg.startsWith("--break-glass-audit-file=")) opts.breakGlassAuditFile = arg.split("=").slice(1).join("=");
+    else if (arg === "--domain") opts.domain = next();
+    else if (arg.startsWith("--domain=")) opts.domain = arg.split("=").slice(1).join("=");
+    else if (arg === "--no-bootstrap") opts.noBootstrap = true;
     else if (arg === "--dry-run") opts.dryRun = true;
     else if (arg === "--check") opts.check = true;
     else if (arg === "--yes" || arg === "-y") opts.yes = true;
@@ -654,10 +792,13 @@ Options:
   --manifest <ref>           Stack manifest JSON path or URL (default: update.askexe.com)
   --target <version>         Stack version to install (default: manifest.latest)
   --compose-file <path>      docker-compose.yml path (default: ./docker-compose.yml or /opt/exe-stack/docker-compose.yml)
-  --env-file <path>          .env path (default: ./.env or /opt/exe-stack/.env)
+  --stack-env-file <path>    .env path (default: ./.env or /opt/exe-stack/.env)
+  --env-file <path>          Alias; prefer --stack-env-file because Node 22 reserves --env-file
   --lock-file <path>         Lock file path (default: beside .env)
   --check                    Print available changes only
   --dry-run                  Plan only; do not run Docker
+  --domain <domain>          Fill CHANGEME_DOMAIN in new stack .env
+  --no-bootstrap             Do not create templates/hydrate .env/check host prereqs
   --public-key <path>        PEM public key for signed manifest verification
   --auth-token <token>       Bearer token for private update manifest/audit API
   --auth-token-env <name>    Read bearer token from an environment variable
@@ -695,6 +836,18 @@ function printBreaking(changes) {
     if (c.expectedDowntimeMinutes) console.log(`    Expected downtime: ${c.expectedDowntimeMinutes} minutes`);
   }
 }
+function printHostReport(report) {
+  console.log("Host preflight:");
+  console.log(`  Docker:         ${report.dockerInstalled ? "\u2705" : "\u274C"}`);
+  console.log(`  Docker Compose: ${report.dockerComposeInstalled ? "\u2705" : "\u274C"}`);
+  console.log(`  Compose file:   ${report.composeFileExists ? "\u2705" : "\u274C"}`);
+  console.log(`  Env file:       ${report.envFileExists ? "\u2705" : "\u274C"}`);
+  console.log(`  License:        ${report.licensePresent ? "\u2705" : "\u274C"}`);
+  if (report.createdFiles.length > 0) console.log(`  Created:        ${report.createdFiles.join(", ")}`);
+  if (report.actions.length > 0) console.log(`  Actions:        ${report.actions.join(", ")}`);
+  if (report.envRemainingPlaceholders.length > 0) console.log(`  Remaining placeholders: ${report.envRemainingPlaceholders.join(", ")}`);
+  console.log("");
+}
 async function main(args = process.argv.slice(2)) {
   const opts = parseArgs(args);
   if (opts.rollback) {
@@ -706,6 +859,12 @@ async function main(args = process.argv.slice(2)) {
     console.log(`\u2705 Stack rollback attempted using backup: ${result2.backupEnvFile ?? "latest backup"}`);
     return;
   }
+  let hostReport;
+  if (!opts.noBootstrap) {
+    hostReport = bootstrapStackHost({ ...opts, installDocker: opts.yes, domain: opts.domain });
+    printHostReport(hostReport);
+    if (!opts.check && !opts.dryRun) assertHostReadyForApply(hostReport);
+  }
   const manifest = await loadStackManifest(opts.manifestRef, void 0, opts.manifestPublicKey, opts.manifestAuthToken);
   const envRaw = readFileSync4(opts.envFile, "utf8");
   const plan = createStackUpdatePlan(manifest, envRaw, opts.targetVersion);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askexenow/exe-os",
-  "version": "0.9.82",
+  "version": "0.9.84",
   "description": "AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
@@ -57,7 +57,8 @@
     "stack.release.json",
     "stack.release.schema.json",
     "package.json",
-    "LICENSE"
+    "LICENSE",
+    "deploy/compose"
   ],
   "exports": {
     ".": "./dist/index.js",

package/stack.release.json

@@ -4,8 +4,8 @@
   "repo": "AskExe/exe-os",
   "service": "exed",
   "packageName": "@askexenow/exe-os",
-  "version": "0.9.5",
-  "image": "ghcr.io/askexe/exed:v0.9.5",
+  "version": "0.9.7",
+  "image": "ghcr.io/askexe/exed:v0.9.7",
   "imageEnv": "EXED_IMAGE_TAG",
   "stackParticipation": {
     "required": true,
@@ -42,9 +42,9 @@
     "breakingChanges": [],
     "dataSovereignty": "Customer-local memory/tasks/behaviors stay in SQLCipher/local storage. Updates must not overwrite roster, identity, behavior, or local memory files.",
     "releaseLine": "v0.9 private/customer pilot; v1.0 is public-beta stable.",
-    "highGhostStack": "0.9.5",
+    "highGhostStack": "0.9.7",
     "deploymentScope": "customer"
   },
   "deploymentScope": "customer",
-  "highGhostStack": "0.9.5"
+  "highGhostStack": "0.9.7"
 }