@askexenow/exe-os 0.9.87 → 0.9.89

package/deploy/compose/docker-compose.yml

@@ -245,7 +245,7 @@ services:
     environment:
       NODE_ENV: production
       EXED_PORT: "8765"
-      EXED_HOST: 0.0.0.0
+      EXED_HOST: "127.0.0.1"
       EXED_MCP_TOKEN: ${EXED_MCP_TOKEN:?EXED_MCP_TOKEN is required}
       EXED_DEVICE_ID: ${EXED_DEVICE_ID:-vps-default}
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
@@ -286,11 +286,11 @@ services:
       EXE_GATEWAY_HOME: /data
       EXE_GATEWAY_CONFIG: /data/gateway.json
       EXE_GATEWAY_PORT: "3100"
-      EXE_GATEWAY_HOST: 0.0.0.0
+      EXE_GATEWAY_HOST: "127.0.0.1"
       EXE_GATEWAY_AUTH_TOKEN: ${EXE_GATEWAY_AUTH_TOKEN:?EXE_GATEWAY_AUTH_TOKEN is required}
       EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN: ${EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN:?EXE_GATEWAY_WHATSAPP_VERIFY_TOKEN is required}
       EXE_GATEWAY_WS_RELAY_ENABLED: "true"
-      EXE_GATEWAY_WS_RELAY_HOST: 0.0.0.0
+      EXE_GATEWAY_WS_RELAY_HOST: "127.0.0.1"
       EXE_GATEWAY_WS_RELAY_PORT: "3101"
       EXE_GATEWAY_WS_RELAY_AUTH_TOKEN: ${EXE_GATEWAY_WS_RELAY_AUTH_TOKEN:?EXE_GATEWAY_WS_RELAY_AUTH_TOKEN is required}
       WHATSAPP_ACCESS_TOKEN: ${WHATSAPP_ACCESS_TOKEN:-}

package/dist/bin/age-ontology-load.js

@@ -3,6 +3,12 @@
 // src/bin/age-ontology-load.ts
 import { Client } from "pg";
 
+// src/lib/pg-ssl.ts
+function pgSslConfig() {
+  if (process.env.EXE_DB_SSL_DISABLED === "true") return {};
+  return { ssl: { rejectUnauthorized: process.env.EXE_DB_SSL_ALLOW_SELFSIGNED !== "true" } };
+}
+
 // src/lib/background-jobs.ts
 import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync, unlinkSync } from "fs";
 import { execFileSync } from "child_process";
@@ -272,8 +278,8 @@ async function main() {
   if (!ageUrl) throw new Error("AGE_DATABASE_URL is required for Apache AGE target");
   const graph = process.env.AGE_GRAPH_NAME || "exe_ontology";
   const limit = Number(process.argv[process.argv.indexOf("--limit") + 1] || "1000");
-  const source = new Client({ connectionString: sourceUrl });
-  const age = new Client({ connectionString: ageUrl });
+  const source = new Client({ connectionString: sourceUrl, ...pgSslConfig() });
+  const age = new Client({ connectionString: ageUrl, ...pgSslConfig() });
   await source.connect();
   await age.connect();
   try {

package/dist/bin/agentic-ontology-backfill.js

@@ -1487,6 +1487,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1528,6 +1529,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;

package/dist/bin/agentic-reflection-backfill.js

@@ -1487,6 +1487,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1528,6 +1529,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;

package/dist/bin/agentic-semantic-label.js

@@ -1487,6 +1487,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1528,6 +1529,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;

package/dist/bin/backfill-conversations.js

@@ -1627,6 +1627,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1668,6 +1669,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -5109,6 +5120,7 @@ import { fileURLToPath as fileURLToPath2 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath2(importMetaUrl));

package/dist/bin/backfill-responses.js

@@ -1627,6 +1627,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1668,6 +1669,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -5108,6 +5119,7 @@ import { fileURLToPath as fileURLToPath2 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath2(importMetaUrl));

package/dist/bin/backfill-vectors.js

@@ -1623,6 +1623,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1664,6 +1665,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -4187,6 +4198,7 @@ import { fileURLToPath as fileURLToPath2 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath2(importMetaUrl));

package/dist/bin/bulk-sync-postgres.js

@@ -1487,6 +1487,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1528,6 +1529,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -4337,6 +4348,21 @@ var init_crdt_sync = __esm({
   }
 });
 
+// src/lib/pg-ssl.ts
+var pg_ssl_exports = {};
+__export(pg_ssl_exports, {
+  pgSslConfig: () => pgSslConfig
+});
+function pgSslConfig() {
+  if (process.env.EXE_DB_SSL_DISABLED === "true") return {};
+  return { ssl: { rejectUnauthorized: process.env.EXE_DB_SSL_ALLOW_SELFSIGNED !== "true" } };
+}
+var init_pg_ssl = __esm({
+  "src/lib/pg-ssl.ts"() {
+    "use strict";
+  }
+});
+
 // src/lib/store.ts
 init_memory();
 init_database();
@@ -4829,7 +4855,8 @@ function loadPgClient() {
         return new Ctor();
       }
       const { Pool } = await import("pg");
-      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL, ...pgSslConfig2() });
       return {
         async $queryRawUnsafe(query, ...values) {
           const result = await pool.query(query, values);
@@ -4879,6 +4906,7 @@ async function pushToPostgres(records) {
   return inserted;
 }
 var ROSTER_DELETIONS_PATH = path10.join(EXE_AI_DIR, "roster-deletions.json");
+var CODE_CONTEXT_DIR = path10.join(EXE_AI_DIR, "code-context");
 
 // src/bin/bulk-sync-postgres.ts
 var BATCH_SIZE = 500;

package/dist/bin/cc-doctor.js

@@ -12,6 +12,7 @@ import { fileURLToPath } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath(importMetaUrl));
@@ -587,7 +588,7 @@ function runHealthCheck() {
   const failed = results.filter((r) => !r.pass).length;
   return { results, passed, failed };
 }
-if (isMainModule(import.meta.url)) {
+if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("exe-healthcheck")) {
   const { results, passed, failed } = runHealthCheck();
   console.log("\n  exe-os Health Check\n");
   for (const r of results) {
@@ -620,7 +621,7 @@ function runCcDoctor() {
   const failed = results.filter((r) => !r.pass).length;
   return { results, passed, failed };
 }
-if (isMainModule(import.meta.url)) {
+if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("cc-doctor")) {
   const { results, passed, failed } = runCcDoctor();
   console.log("\n  CC Install Health Check\n");
   for (const r of results) {

package/dist/bin/cleanup-stale-review-tasks.js

@@ -1713,6 +1713,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -1754,6 +1755,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -5922,6 +5933,7 @@ import { fileURLToPath as fileURLToPath3 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath3(importMetaUrl));

package/dist/bin/cli.js

@@ -4349,6 +4349,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync3 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -4390,6 +4391,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync3(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync3(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -5752,6 +5763,7 @@ import { fileURLToPath as fileURLToPath3 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath3(importMetaUrl));
@@ -6565,6 +6577,21 @@ var init_crdt_sync = __esm({
   }
 });
 
+// src/lib/pg-ssl.ts
+var pg_ssl_exports = {};
+__export(pg_ssl_exports, {
+  pgSslConfig: () => pgSslConfig
+});
+function pgSslConfig() {
+  if (process.env.EXE_DB_SSL_DISABLED === "true") return {};
+  return { ssl: { rejectUnauthorized: process.env.EXE_DB_SSL_ALLOW_SELFSIGNED !== "true" } };
+}
+var init_pg_ssl = __esm({
+  "src/lib/pg-ssl.ts"() {
+    "use strict";
+  }
+});
+
 // src/lib/db-backup.ts
 var db_backup_exports = {};
 __export(db_backup_exports, {
@@ -6678,6 +6705,7 @@ __export(cloud_sync_exports, {
   cloudPull: () => cloudPull,
   cloudPullBehaviors: () => cloudPullBehaviors,
   cloudPullBlob: () => cloudPullBlob,
+  cloudPullCodeContext: () => cloudPullCodeContext,
   cloudPullConversations: () => cloudPullConversations,
   cloudPullDocuments: () => cloudPullDocuments,
   cloudPullGlobalProcedures: () => cloudPullGlobalProcedures,
@@ -6687,6 +6715,7 @@ __export(cloud_sync_exports, {
   cloudPush: () => cloudPush,
   cloudPushBehaviors: () => cloudPushBehaviors,
   cloudPushBlob: () => cloudPushBlob,
+  cloudPushCodeContext: () => cloudPushCodeContext,
   cloudPushConversations: () => cloudPushConversations,
   cloudPushDocuments: () => cloudPushDocuments,
   cloudPushGlobalProcedures: () => cloudPushGlobalProcedures,
@@ -6765,7 +6794,8 @@ function loadPgClient() {
         return new Ctor();
       }
       const { Pool } = await import("pg");
-      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL, ...pgSslConfig2() });
       return {
         async $queryRawUnsafe(query, ...values) {
           const result = await pool.query(query, values);
@@ -7310,6 +7340,17 @@ async function cloudSync(config) {
   } catch (err) {
     logError(`[cloud-sync] DB backup upload error: ${err instanceof Error ? err.message : String(err)}`);
   }
+  let codeContextResult = { pushed: 0, pulled: 0 };
+  try {
+    codeContextResult.pushed = await cloudPushCodeContext(config);
+  } catch (err) {
+    logError(`[cloud-sync] Code context push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    codeContextResult.pulled = await cloudPullCodeContext(config);
+  } catch (err) {
+    logError(`[cloud-sync] Code context pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
   return {
     pushed,
     pulled,
@@ -7319,7 +7360,8 @@ async function cloudSync(config) {
     tasks: tasksResult,
     conversations: conversationsResult,
     documents: documentsResult,
-    roster: rosterResult
+    roster: rosterResult,
+    codeContext: codeContextResult
   };
 }
 function recordRosterDeletion(name) {
@@ -7957,7 +7999,99 @@ async function cloudPullDocuments(config) {
   }
   return { pulled };
 }
-var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, CLOUD_REUPLOAD_REQUIRED_MESSAGE, ROSTER_DELETIONS_PATH;
+async function cloudPushCodeContext(config) {
+  assertSecureEndpoint(config.endpoint);
+  if (!existsSync16(CODE_CONTEXT_DIR)) return 0;
+  const files = readdirSync2(CODE_CONTEXT_DIR).filter(
+    (f) => f.endsWith(".json") && !f.endsWith(".vectors.json") && !f.startsWith(".")
+  );
+  if (files.length === 0) return 0;
+  const metaPath = path16.join(CODE_CONTEXT_DIR, ".sync-meta.json");
+  let syncMeta = {};
+  if (existsSync16(metaPath)) {
+    try {
+      syncMeta = JSON.parse(readFileSync12(metaPath, "utf-8"));
+    } catch {
+    }
+  }
+  let pushed = 0;
+  for (const file of files) {
+    const filePath = path16.join(CODE_CONTEXT_DIR, file);
+    try {
+      const stat2 = statSync4(filePath);
+      const lastPushed = syncMeta[file] ?? 0;
+      if (stat2.mtimeMs <= lastPushed) continue;
+      const content = readFileSync12(filePath, "utf-8");
+      const header = content.substring(0, 300);
+      if (header.includes("/tmp") || header.includes("/var/folders") || header.includes(".worktrees/")) continue;
+      const compressed = compress(Buffer.from(content, "utf8"));
+      const encrypted = encryptSyncBlob(compressed);
+      const resp = await fetchWithRetry(`${config.endpoint}/sync/push-code-context`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${config.apiKey}`,
+          "Content-Type": "application/json",
+          "X-Device-Id": loadDeviceId()
+        },
+        body: JSON.stringify({ key: file, blob: encrypted })
+      });
+      if (resp.ok) {
+        syncMeta[file] = stat2.mtimeMs;
+        pushed++;
+      }
+    } catch {
+    }
+  }
+  if (pushed > 0) {
+    try {
+      writeFileSync10(metaPath, JSON.stringify(syncMeta));
+    } catch {
+    }
+  }
+  return pushed;
+}
+async function cloudPullCodeContext(config) {
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config.endpoint}/sync/pull-code-context`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return 0;
+    const data = await resp.json();
+    if (!data.indexes || data.indexes.length === 0) return 0;
+    mkdirSync9(CODE_CONTEXT_DIR, { recursive: true });
+    let pulled = 0;
+    for (const { key, blob } of data.indexes) {
+      try {
+        if (key.endsWith(".vectors.json")) continue;
+        const localPath = path16.join(CODE_CONTEXT_DIR, key);
+        const compressed = decryptSyncBlob(blob);
+        const content = decompress(compressed).toString("utf8");
+        if (!existsSync16(localPath)) {
+          writeFileSync10(localPath, content, "utf-8");
+          pulled++;
+        } else {
+          const localContent = readFileSync12(localPath, "utf-8");
+          if (localContent.length !== content.length) {
+            writeFileSync10(localPath, content, "utf-8");
+            pulled++;
+          }
+        }
+      } catch {
+      }
+    }
+    return pulled;
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] Code context pull failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return 0;
+  }
+}
+var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, CLOUD_REUPLOAD_REQUIRED_MESSAGE, ROSTER_DELETIONS_PATH, CODE_CONTEXT_DIR;
 var init_cloud_sync = __esm({
   "src/lib/cloud-sync.ts"() {
     "use strict";
@@ -7978,6 +8112,7 @@ var init_cloud_sync = __esm({
     _pgFailed = false;
     CLOUD_REUPLOAD_REQUIRED_MESSAGE = "Cloud sync is blocked because this device rotated its memory encryption key. Run `exe-os cloud reupload` first to re-upload the cloud backup with the new key.";
     ROSTER_DELETIONS_PATH = path16.join(EXE_AI_DIR, "roster-deletions.json");
+    CODE_CONTEXT_DIR = path16.join(EXE_AI_DIR, "code-context");
   }
 });
 
@@ -13327,7 +13462,7 @@ function readQueue() {
 function writeQueue(queue) {
   ensureDir2();
   const tmp = `${QUEUE_PATH}.tmp`;
-  writeFileSync18(tmp, JSON.stringify(queue, null, 2));
+  writeFileSync18(tmp, JSON.stringify(queue, null, 2), { mode: 384 });
   renameSync5(tmp, QUEUE_PATH);
 }
 function queueIntercom(targetSession, reason) {
@@ -18498,7 +18633,7 @@ import {
   readFileSync as readFileSync26,
   writeFileSync as writeFileSync23,
   mkdirSync as mkdirSync22,
-  chmodSync as chmodSync3,
+  chmodSync as chmodSync4,
   readdirSync as readdirSync9,
   unlinkSync as unlinkSync15
 } from "fs";
@@ -18519,7 +18654,7 @@ function generateSessionWrappers(packageRoot, homeDir) {
   for (const src of candidates) {
     if (existsSync31(src)) {
       writeFileSync23(exeStartDst, readFileSync26(src));
-      chmodSync3(exeStartDst, 493);
+      chmodSync4(exeStartDst, 493);
       break;
     }
   }
@@ -18583,7 +18718,7 @@ exec "${exeStartDst}" "$0" "$@"
 exec node "${codexLauncher}" --agent ${emp.name} "$@"
 `;
       writeFileSync23(wrapperPath, content);
-      chmodSync3(wrapperPath, 493);
+      chmodSync4(wrapperPath, 493);
       created++;
     }
   }
@@ -18593,7 +18728,7 @@ exec node "${codexLauncher}" --agent ${emp.name} "$@"
 function writeWrapper(wrapperPath, content) {
   try {
     writeFileSync23(wrapperPath, content);
-    chmodSync3(wrapperPath, 493);
+    chmodSync4(wrapperPath, 493);
   } catch {
   }
 }
@@ -19687,6 +19822,10 @@ async function runUpdate(cliArgs) {
 \u{1F4E6} Update available: v${result.localVersion} \u2192 v${result.remoteVersion}
 `);
   let proceed = autoMode;
+  if (!proceed && !process.stdin.isTTY) {
+    console.log("Non-interactive mode detected (no TTY). Use --yes to auto-confirm, or run interactively.");
+    process.exit(1);
+  }
   if (!proceed) {
     const rl = createInterface5({ input: process.stdin, output: process.stdout });
     const answer = await new Promise((resolve) => {
@@ -20138,8 +20277,9 @@ function hydrateEnv(raw, opts) {
     else if (key === "MONITOR_AGENT_KEY") continue;
     else if (key === "EXE_GATEWAY_WS_RELAY_AUTH_TOKEN") replacements[key] = randomHexSecret(24);
     else if (key.endsWith("_PASSWORD")) replacements[key] = randomSecret(24);
-    else if (key.endsWith("_SECRET") || key.endsWith("_TOKEN") || key.endsWith("_KEY") || key.endsWith("_SALT")) replacements[key] = value.replace(/CHANGEME[A-Z0-9_]*/g, randomSecret(32));
-    else if (key === "EXED_MCP_TOKEN") replacements[key] = randomSecret(32);
+    else if (key.endsWith("_TOKEN")) replacements[key] = randomHexSecret(32);
+    else if (key.endsWith("_SECRET") || key.endsWith("_SALT")) replacements[key] = randomSecret(32);
+    else if (key.endsWith("_KEY") && key !== "EXE_LICENSE_KEY") continue;
   }
   if (domain) next = next.replaceAll("CHANGEME_DOMAIN", domain);
   next = patchEnv(next, replacements);
@@ -20536,8 +20676,8 @@ Options:
 }
 function printChanges(changes, composeFile, envFile) {
   if (changes.length === 0) {
-    const running = areCliContainersRunning(composeFile, envFile);
-    if (running) {
+    const running2 = areCliContainersRunning(composeFile, envFile);
+    if (running2) {
       console.log("Stack .env matches target manifest. Checking container health...\n");
       const unhealthy = printContainerHealth(composeFile, envFile);
       if (unhealthy > 0) {
@@ -20546,16 +20686,28 @@ function printChanges(changes, composeFile, envFile) {
       } else {
         console.log("\n\u2705 Stack already matches target manifest. All services healthy.");
       }
+      return unhealthy;
     } else {
       console.log("\u26A0\uFE0F  Stack .env matches target manifest but containers are not running. Will start them.");
+      return 1;
     }
-    return;
   }
   console.log("Planned image tag changes:");
   for (const c of changes) {
     console.log(`  - ${c.service}: ${c.key}`);
     console.log(`      ${c.before ?? "<unset>"} \u2192 ${c.after}`);
   }
+  const running = areCliContainersRunning(composeFile, envFile);
+  if (running) {
+    console.log("\nCurrent container health:");
+    const unhealthy = printContainerHealth(composeFile, envFile);
+    if (unhealthy > 0) {
+      console.log(`
+\u{1F534} ${unhealthy} service(s) currently unhealthy or crashlooping.`);
+    }
+    return unhealthy;
+  }
+  return 0;
 }
 function areCliContainersRunning(composeFile, envFile) {
   try {
@@ -20665,9 +20817,12 @@ async function main7(args2 = process.argv.slice(2)) {
   console.log(`Compose:  ${opts.composeFile}`);
   console.log(`Env:      ${opts.envFile}
 `);
-  printChanges(plan.changes, opts.composeFile, opts.envFile);
+  const unhealthyCount = printChanges(plan.changes, opts.composeFile, opts.envFile);
   printBreaking(plan.breakingChanges);
-  if (opts.check || opts.dryRun) return;
+  if (opts.check || opts.dryRun) {
+    if (unhealthyCount > 0) process.exitCode = 1;
+    return;
+  }
   if (!opts.yes) {
     console.error("\nRefusing to update without --yes. Re-run with --yes after reviewing the plan.");
     process.exit(2);