@askexenow/exe-os 0.9.87 → 0.9.88

package/dist/bin/exe-gateway.js

@@ -26,6 +26,21 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
+// src/lib/pg-ssl.ts
+var pg_ssl_exports = {};
+__export(pg_ssl_exports, {
+  pgSslConfig: () => pgSslConfig
+});
+function pgSslConfig() {
+  if (process.env.EXE_DB_SSL_DISABLED === "true") return {};
+  return { ssl: { rejectUnauthorized: process.env.EXE_DB_SSL_ALLOW_SELFSIGNED !== "true" } };
+}
+var init_pg_ssl = __esm({
+  "src/lib/pg-ssl.ts"() {
+    "use strict";
+  }
+});
+
 // src/lib/state-bus.ts
 var StateBus, orgBus;
 var init_state_bus = __esm({
@@ -1664,7 +1679,7 @@ var init_memory = __esm({
 });
 
 // src/lib/daemon-auth.ts
-import crypto from "crypto";
+import crypto2 from "crypto";
 import path6 from "path";
 import { existsSync as existsSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
 function normalizeToken(token) {
@@ -1683,7 +1698,7 @@ function readDaemonToken() {
 function ensureDaemonToken(seed) {
   const existing = readDaemonToken();
   if (existing) return existing;
-  const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
+  const token = normalizeToken(seed) ?? crypto2.randomBytes(32).toString("hex");
   ensurePrivateDirSync(EXE_AI_DIR);
   writeFileSync3(DAEMON_TOKEN_PATH, `${token}
 `, "utf8");
@@ -2358,6 +2373,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config2) {
   if (_walCheckpointTimer) {
@@ -2399,6 +2415,16 @@ async function initDatabase(config2) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config2.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config2.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -3960,7 +3986,7 @@ async function tryKeytar() {
 }
 function deriveMachineKey() {
   try {
-    const crypto10 = __require("crypto");
+    const crypto11 = __require("crypto");
     const material = [
       os6.hostname(),
       os6.userInfo().username,
@@ -3969,7 +3995,7 @@ function deriveMachineKey() {
       // Machine ID on Linux (stable across reboots)
       process.platform === "linux" ? readMachineId() : ""
     ].join("|");
-    return crypto10.createHash("sha256").update(material).digest();
+    return crypto11.createHash("sha256").update(material).digest();
   } catch {
     return null;
   }
@@ -3983,9 +4009,9 @@ function readMachineId() {
   }
 }
 function encryptWithMachineKey(plaintext, machineKey) {
-  const crypto10 = __require("crypto");
-  const iv = crypto10.randomBytes(12);
-  const cipher = crypto10.createCipheriv("aes-256-gcm", machineKey, iv);
+  const crypto11 = __require("crypto");
+  const iv = crypto11.randomBytes(12);
+  const cipher = crypto11.createCipheriv("aes-256-gcm", machineKey, iv);
   let encrypted = cipher.update(plaintext, "utf-8", "base64");
   encrypted += cipher.final("base64");
   const authTag = cipher.getAuthTag().toString("base64");
@@ -3994,13 +4020,13 @@ function encryptWithMachineKey(plaintext, machineKey) {
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
-    const crypto10 = __require("crypto");
+    const crypto11 = __require("crypto");
     const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
     if (parts.length !== 3) return null;
     const [ivB64, tagB64, cipherB64] = parts;
     const iv = Buffer.from(ivB64, "base64");
     const authTag = Buffer.from(tagB64, "base64");
-    const decipher = crypto10.createDecipheriv("aes-256-gcm", machineKey, iv);
+    const decipher = crypto11.createDecipheriv("aes-256-gcm", machineKey, iv);
     decipher.setAuthTag(authTag);
     let decrypted = decipher.update(cipherB64, "base64", "utf-8");
     decrypted += decipher.final("utf-8");
@@ -6452,13 +6478,13 @@ __export(graph_rag_exports, {
   resolveAlias: () => resolveAlias,
   storeExtraction: () => storeExtraction
 });
-import crypto2 from "crypto";
+import crypto3 from "crypto";
 function normalizeEntityName(name) {
   return name.replace(/\s*\([^)]*\)\s*/g, "").trim().toLowerCase();
 }
 function entityId(name, type) {
   const normalized = normalizeEntityName(name);
-  return crypto2.createHash("sha256").update(`${normalized}::${type.toLowerCase()}`).digest("hex").slice(0, 16);
+  return crypto3.createHash("sha256").update(`${normalized}::${type.toLowerCase()}`).digest("hex").slice(0, 16);
 }
 async function resolveAlias(client, name) {
   const normalized = normalizeEntityName(name);
@@ -6759,7 +6785,7 @@ async function storeExtraction(client, extraction, memoryId, timestamp) {
     const targetAlias = await resolveAlias(client, r.target);
     const sourceId = sourceAlias ?? entityId(r.source, r.sourceType);
     const targetId = targetAlias ?? entityId(r.target, r.targetType);
-    const relId = crypto2.randomUUID().slice(0, 16);
+    const relId = crypto3.randomUUID().slice(0, 16);
     try {
       await client.execute({
         sql: `INSERT OR IGNORE INTO entities (id, name, type, first_seen, last_seen)
@@ -6822,7 +6848,7 @@ async function storeExtraction(client, extraction, memoryId, timestamp) {
     }
   }
   for (const h of extraction.hyperedges) {
-    const hId = crypto2.randomUUID().slice(0, 16);
+    const hId = crypto3.randomUUID().slice(0, 16);
     try {
       await client.execute({
         sql: `INSERT OR IGNORE INTO hyperedges (id, label, relation, confidence, timestamp)
@@ -6886,7 +6912,7 @@ async function extractBatch(client, batchSize = 50, model = "claude-haiku-4-5-20
         totalEntities += stored.entitiesStored;
         totalRelationships += stored.relationshipsStored;
       }
-      const contentHash = crypto2.createHash("sha256").update(rawContent).digest("hex").slice(0, 32);
+      const contentHash = crypto3.createHash("sha256").update(rawContent).digest("hex").slice(0, 32);
       await client.execute({
         sql: "UPDATE memories SET graph_extracted = 1, content_hash = ?, graph_extracted_hash = ? WHERE id = ?",
         args: [contentHash, contentHash, memoryId]
@@ -9726,7 +9752,7 @@ function readQueue() {
 function writeQueue(queue) {
   ensureDir();
   const tmp = `${QUEUE_PATH}.tmp`;
-  writeFileSync6(tmp, JSON.stringify(queue, null, 2));
+  writeFileSync6(tmp, JSON.stringify(queue, null, 2), { mode: 384 });
   renameSync4(tmp, QUEUE_PATH);
 }
 function queueIntercom(targetSession, reason) {
@@ -10001,7 +10027,7 @@ var init_task_scope = __esm({
 });
 
 // src/lib/notifications.ts
-import crypto4 from "crypto";
+import crypto5 from "crypto";
 import path16 from "path";
 import os12 from "os";
 import {
@@ -10014,7 +10040,7 @@ import {
 async function writeNotification(notification) {
   try {
     const client = getClient();
-    const id = crypto4.randomUUID();
+    const id = crypto5.randomUUID();
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const sessionScope = notification.sessionScope === void 0 ? getCurrentSessionScope() : notification.sessionScope;
     await client.execute({
@@ -10058,7 +10084,7 @@ var init_notifications = __esm({
 });
 
 // src/lib/session-kill-telemetry.ts
-import crypto5 from "crypto";
+import crypto6 from "crypto";
 async function recordSessionKill(input) {
   try {
     const client = getClient();
@@ -10068,7 +10094,7 @@ async function recordSessionKill(input) {
                ticks_idle, estimated_tokens_saved)
             VALUES (?, ?, ?, ?, ?, ?, ?)`,
       args: [
-        crypto5.randomUUID(),
+        crypto6.randomUUID(),
         input.sessionName,
         input.agentId,
         (/* @__PURE__ */ new Date()).toISOString(),
@@ -10196,7 +10222,7 @@ var init_session_scope = __esm({
 });
 
 // src/lib/tasks-crud.ts
-import crypto6 from "crypto";
+import crypto7 from "crypto";
 import path18 from "path";
 import os13 from "os";
 import { execSync as execSync7 } from "child_process";
@@ -10317,7 +10343,7 @@ async function resolveTask(client, identifier, scopeSession) {
 }
 async function createTaskCore(input) {
   const client = getClient();
-  const id = crypto6.randomUUID();
+  const id = crypto7.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const slug = slugify(input.title);
   let earlySessionScope = null;
@@ -11282,10 +11308,10 @@ var init_tasks_notify = __esm({
 });
 
 // src/lib/behaviors.ts
-import crypto7 from "crypto";
+import crypto8 from "crypto";
 async function storeBehavior(opts) {
   const client = getClient();
-  const id = crypto7.randomUUID();
+  const id = crypto8.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   let vector = null;
   try {
@@ -11321,7 +11347,7 @@ __export(skill_learning_exports, {
   storeTrajectory: () => storeTrajectory,
   sweepTrajectories: () => sweepTrajectories
 });
-import crypto8 from "crypto";
+import crypto9 from "crypto";
 async function extractTrajectory(taskId, agentId) {
   const client = getClient();
   const result = await client.execute({
@@ -11350,11 +11376,11 @@ async function extractTrajectory(taskId, agentId) {
   return signature;
 }
 function hashSignature(signature) {
-  return crypto8.createHash("sha256").update(signature.join("|")).digest("hex").slice(0, 16);
+  return crypto9.createHash("sha256").update(signature.join("|")).digest("hex").slice(0, 16);
 }
 async function storeTrajectory(opts) {
   const client = getClient();
-  const id = crypto8.randomUUID();
+  const id = crypto9.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const signatureHash = hashSignature(opts.signature);
   await client.execute({
@@ -12925,10 +12951,10 @@ __export(messaging_exports, {
   sendMessage: () => sendMessage,
   setWsClientSend: () => setWsClientSend
 });
-import crypto9 from "crypto";
+import crypto10 from "crypto";
 function generateUlid() {
   const timestamp = Date.now().toString(36).padStart(10, "0");
-  const random = crypto9.randomBytes(10).toString("hex").slice(0, 16);
+  const random = crypto10.randomBytes(10).toString("hex").slice(0, 16);
   return (timestamp + random).toUpperCase();
 }
 function rowToMessage(row) {
@@ -13549,6 +13575,7 @@ import os16 from "os";
 import { fileURLToPath as fileURLToPath3 } from "url";
 
 // src/gateway/webhook-server.ts
+import crypto from "crypto";
 import {
   createServer
 } from "http";
@@ -13896,7 +13923,7 @@ var ReadOnlySqlRunner = class {
     this.config = config2;
   }
   async run(sql, maxRows) {
-    const databaseUrl = this.config.databaseUrl ?? process.env.EXE_GATEWAY_SQL_DATABASE_URL ?? process.env.EXE_COMPANY_BRAIN_SQL_DATABASE_URL ?? process.env.DATABASE_URL;
+    const databaseUrl = this.config.databaseUrl ?? process.env.EXE_GATEWAY_SQL_DATABASE_URL ?? process.env.MCP_READONLY_DATABASE_URL ?? process.env.EXE_COMPANY_BRAIN_SQL_DATABASE_URL ?? process.env.DATABASE_URL;
     if (!databaseUrl) {
       throw new Error("Read-only SQL is not configured. Set EXE_GATEWAY_SQL_DATABASE_URL or DATABASE_URL.");
     }
@@ -13904,7 +13931,8 @@ var ReadOnlySqlRunner = class {
     const limit = clampRows(maxRows ?? this.config.maxRows ?? DEFAULT_MAX_ROWS);
     const timeoutMs = this.config.statementTimeoutMs ?? DEFAULT_TIMEOUT_MS;
     const wrappedSql = `SELECT * FROM (${cleaned}) AS exe_readonly_sql LIMIT ${limit + 1}`;
-    const client = new Client({ connectionString: databaseUrl });
+    const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+    const client = new Client({ connectionString: databaseUrl, ...pgSslConfig2() });
     const start = Date.now();
     try {
       await client.connect();
@@ -13967,6 +13995,61 @@ function clampRows(value) {
 // src/gateway/webhook-server.ts
 var DEFAULT_HOST = process.env.EXE_WEBHOOK_HOST || "127.0.0.1";
 var BODY_SIZE_LIMIT = 1048576;
+function verifyWebhookSignature(rawBody, signature, secret, toleranceSec = 300) {
+  if (!signature) return false;
+  const dotIdx = signature.indexOf(".");
+  if (dotIdx < 0) return false;
+  const timestampStr = signature.slice(0, dotIdx);
+  const hash = signature.slice(dotIdx + 1);
+  const timestamp = parseInt(timestampStr, 10);
+  if (isNaN(timestamp)) return false;
+  if (Math.abs(Date.now() / 1e3 - timestamp) > toleranceSec) return false;
+  const expected = crypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
+  if (hash.length !== expected.length) return false;
+  return crypto.timingSafeEqual(
+    Buffer.from(hash, "hex"),
+    Buffer.from(expected, "hex")
+  );
+}
+function readRawBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let size = 0;
+    let done = false;
+    req.on("data", (chunk) => {
+      size += chunk.length;
+      if (size > BODY_SIZE_LIMIT) {
+        if (!done) {
+          done = true;
+          req.resume();
+          reject(new Error("Body too large"));
+        }
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => {
+      if (done) return;
+      done = true;
+      const raw = Buffer.concat(chunks).toString("utf-8");
+      if (!raw) {
+        resolve({ raw: "", parsed: {} });
+        return;
+      }
+      try {
+        resolve({ raw, parsed: JSON.parse(raw) });
+      } catch {
+        reject(new Error("Invalid JSON"));
+      }
+    });
+    req.on("error", (err) => {
+      if (!done) {
+        done = true;
+        reject(err);
+      }
+    });
+  });
+}
 var WebhookServer = class {
   constructor(config2, queryHandler = new QueryHandler()) {
     this.config = config2;
@@ -14110,13 +14193,26 @@ var WebhookServer = class {
   }
   async handleWebhookPost(req, res, url) {
     let body;
+    let rawBody = "";
     let parseError = null;
     try {
-      body = await readBody(req);
+      const result = await readRawBody(req);
+      rawBody = result.raw;
+      body = result.parsed;
     } catch (err) {
       parseError = err instanceof Error ? err : new Error(String(err));
     }
-    if (this.config.authToken && !this.verifyAuth(req)) {
+    if (this.config.webhookSigningSecret) {
+      const sig = req.headers["x-webhook-signature"];
+      if (!verifyWebhookSignature(
+        rawBody,
+        sig,
+        this.config.webhookSigningSecret
+      )) {
+        sendJson(res, 401, { error: "Invalid webhook signature" });
+        return;
+      }
+    } else if (this.config.authToken && !this.verifyAuth(req)) {
       sendJson(res, 401, { error: "Unauthorized" });
       return;
     }
@@ -14160,6 +14256,7 @@ var WebhookServer = class {
     if (!expectedToken) return false;
     const authHeader = req.headers.authorization ?? "";
     if (authHeader === `Bearer ${expectedToken}`) return true;
+    if (process.env.NODE_ENV === "production") return false;
     const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
     return url.searchParams.get("token") === expectedToken;
   }
@@ -14283,11 +14380,11 @@ init_crm_bridge();
 
 // src/lib/pipeline-router.ts
 init_database();
-import crypto3 from "crypto";
+import crypto4 from "crypto";
 async function sinkConversationStore(msg, agentResponse, agentName) {
   try {
     const client = getClient();
-    const id = crypto3.randomUUID();
+    const id = crypto4.randomUUID();
     const mediaJson = msg.media ? JSON.stringify(msg.media) : null;
     await client.execute({
       sql: `INSERT INTO conversations
@@ -14337,7 +14434,7 @@ async function sinkMemory(msg, agentResponse, agentName) {
     ].filter(Boolean).join("\n");
     const vector = await embed2(rawText);
     await writeMemory2({
-      id: crypto3.randomUUID(),
+      id: crypto4.randomUUID(),
       agent_id: agentName ?? "gateway",
       agent_role: "gateway",
       session_id: `gateway-${msg.platform}`,

package/dist/bin/exe-healthcheck.js

@@ -12,6 +12,7 @@ import { fileURLToPath } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath(importMetaUrl));
@@ -587,7 +588,7 @@ function runHealthCheck() {
   const failed = results.filter((r) => !r.pass).length;
   return { results, passed, failed };
 }
-if (isMainModule(import.meta.url)) {
+if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("exe-healthcheck")) {
   const { results, passed, failed } = runHealthCheck();
   console.log("\n  exe-os Health Check\n");
   for (const r of results) {

package/dist/bin/exe-heartbeat.js

@@ -1741,6 +1741,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1782,6 +1783,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -6007,6 +6018,7 @@ import { fileURLToPath as fileURLToPath2 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath2(importMetaUrl));

package/dist/bin/exe-kill.js

@@ -1702,6 +1702,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1743,6 +1744,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;

package/dist/bin/exe-launch-agent.js

@@ -1800,6 +1800,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1841,6 +1842,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;

package/dist/bin/exe-new-employee.js

@@ -450,6 +450,7 @@ var init_memory = __esm({
 });
 
 // src/lib/database.ts
+import { chmodSync as chmodSync3 } from "fs";
 import { createClient } from "@libsql/client";
 function getClient() {
   if (!_adapterClient) {
@@ -1272,7 +1273,7 @@ var init_preferences = __esm({
 });
 
 // src/adapters/mcp-http-config.ts
-import { chmodSync as chmodSync3, existsSync as existsSync11, mkdirSync as mkdirSync6, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
+import { chmodSync as chmodSync4, existsSync as existsSync11, mkdirSync as mkdirSync6, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
 import { randomBytes } from "crypto";
 import path11 from "path";
 import os7 from "os";
@@ -1297,7 +1298,7 @@ function readOrCreateDaemonToken(homeDir = os7.homedir()) {
   writeFileSync7(tokenPath, `${token}
 `, "utf-8");
   try {
-    chmodSync3(tokenPath, 384);
+    chmodSync4(tokenPath, 384);
   } catch {
   }
   return token;
@@ -3186,6 +3187,7 @@ import { fileURLToPath } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath(importMetaUrl));

package/dist/bin/exe-pending-messages.js

@@ -1712,6 +1712,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1753,6 +1754,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;

package/dist/bin/exe-pending-notifications.js

@@ -1713,6 +1713,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1754,6 +1755,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -5923,6 +5934,7 @@ import { fileURLToPath as fileURLToPath3 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath3(importMetaUrl));

package/dist/bin/exe-pending-reviews.js

@@ -1713,6 +1713,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1754,6 +1755,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -5959,6 +5970,7 @@ import { fileURLToPath } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath(importMetaUrl));

package/dist/bin/exe-rename.js

@@ -1557,6 +1557,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1598,6 +1599,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -5287,6 +5298,7 @@ import { fileURLToPath as fileURLToPath2 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath2(importMetaUrl));