@askexenow/exe-os 0.9.98 → 0.9.100
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bin/agentic-ontology-backfill.js +7 -0
- package/dist/bin/agentic-reflection-backfill.js +7 -0
- package/dist/bin/agentic-semantic-label.js +7 -0
- package/dist/bin/backfill-conversations.js +7 -0
- package/dist/bin/backfill-responses.js +7 -0
- package/dist/bin/backfill-vectors.js +7 -0
- package/dist/bin/bulk-sync-postgres.js +7 -0
- package/dist/bin/cleanup-stale-review-tasks.js +7 -0
- package/dist/bin/cli.js +36 -10
- package/dist/bin/exe-agent.js +7 -0
- package/dist/bin/exe-assign.js +7 -0
- package/dist/bin/exe-boot.js +36 -10
- package/dist/bin/exe-call.js +7 -0
- package/dist/bin/exe-cloud.js +36 -10
- package/dist/bin/exe-dispatch.js +7 -0
- package/dist/bin/exe-doctor.js +36 -10
- package/dist/bin/exe-export-behaviors.js +7 -0
- package/dist/bin/exe-forget.js +7 -0
- package/dist/bin/exe-gateway.js +7 -0
- package/dist/bin/exe-heartbeat.js +7 -0
- package/dist/bin/exe-kill.js +7 -0
- package/dist/bin/exe-launch-agent.js +7 -0
- package/dist/bin/exe-new-employee.js +7 -0
- package/dist/bin/exe-pending-messages.js +7 -0
- package/dist/bin/exe-pending-notifications.js +7 -0
- package/dist/bin/exe-pending-reviews.js +7 -0
- package/dist/bin/exe-rename.js +7 -0
- package/dist/bin/exe-review.js +7 -0
- package/dist/bin/exe-search.js +7 -0
- package/dist/bin/exe-session-cleanup.js +7 -0
- package/dist/bin/exe-start-codex.js +7 -0
- package/dist/bin/exe-start-opencode.js +7 -0
- package/dist/bin/exe-status.js +7 -0
- package/dist/bin/exe-team.js +7 -0
- package/dist/bin/git-sweep.js +7 -0
- package/dist/bin/graph-backfill.js +7 -0
- package/dist/bin/graph-export.js +7 -0
- package/dist/bin/intercom-check.js +7 -0
- package/dist/bin/scan-tasks.js +7 -0
- package/dist/bin/setup.js +36 -10
- package/dist/bin/shard-migrate.js +7 -0
- package/dist/gateway/index.js +7 -0
- package/dist/hooks/bug-report-worker.js +7 -0
- package/dist/hooks/codex-stop-task-finalizer.js +7 -0
- package/dist/hooks/commit-complete.js +7 -0
- package/dist/hooks/error-recall.js +7 -0
- package/dist/hooks/ingest.js +7 -0
- package/dist/hooks/instructions-loaded.js +7 -0
- package/dist/hooks/notification.js +7 -0
- package/dist/hooks/post-compact.js +7 -0
- package/dist/hooks/post-tool-combined.js +7 -0
- package/dist/hooks/pre-compact.js +7 -0
- package/dist/hooks/pre-tool-use.js +7 -0
- package/dist/hooks/prompt-submit.js +7 -0
- package/dist/hooks/session-end.js +7 -0
- package/dist/hooks/session-start.js +7 -0
- package/dist/hooks/stop.js +7 -0
- package/dist/hooks/subagent-stop.js +7 -0
- package/dist/hooks/summary-worker.js +36 -10
- package/dist/index.js +7 -0
- package/dist/lib/cloud-sync.js +29 -10
- package/dist/lib/employee-templates.js +7 -0
- package/dist/lib/exe-daemon.js +36 -10
- package/dist/lib/hybrid-search.js +7 -0
- package/dist/lib/keychain.js +29 -10
- package/dist/lib/schedules.js +7 -0
- package/dist/lib/store.js +7 -0
- package/dist/mcp/server.js +36 -10
- package/dist/runtime/index.js +7 -0
- package/dist/tui/App.js +36 -10
- package/package.json +1 -1
- package/src/commands/exe/setup.md +1 -1
|
@@ -4872,6 +4872,13 @@ var init_platform_procedures = __esm({
|
|
|
4872
4872
|
priority: "p0",
|
|
4873
4873
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4874
4874
|
},
|
|
4875
|
+
// --- Encryption key + cloud sync ---
|
|
4876
|
+
{
|
|
4877
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4878
|
+
domain: "security",
|
|
4879
|
+
priority: "p0",
|
|
4880
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4881
|
+
},
|
|
4875
4882
|
// --- MCP is the ONLY data interface ---
|
|
4876
4883
|
{
|
|
4877
4884
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-rename.js
CHANGED
|
@@ -3171,6 +3171,13 @@ var init_platform_procedures = __esm({
|
|
|
3171
3171
|
priority: "p0",
|
|
3172
3172
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
3173
3173
|
},
|
|
3174
|
+
// --- Encryption key + cloud sync ---
|
|
3175
|
+
{
|
|
3176
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
3177
|
+
domain: "security",
|
|
3178
|
+
priority: "p0",
|
|
3179
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3180
|
+
},
|
|
3174
3181
|
// --- MCP is the ONLY data interface ---
|
|
3175
3182
|
{
|
|
3176
3183
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-review.js
CHANGED
|
@@ -4302,6 +4302,13 @@ var init_platform_procedures = __esm({
|
|
|
4302
4302
|
priority: "p0",
|
|
4303
4303
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4304
4304
|
},
|
|
4305
|
+
// --- Encryption key + cloud sync ---
|
|
4306
|
+
{
|
|
4307
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4308
|
+
domain: "security",
|
|
4309
|
+
priority: "p0",
|
|
4310
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4311
|
+
},
|
|
4305
4312
|
// --- MCP is the ONLY data interface ---
|
|
4306
4313
|
{
|
|
4307
4314
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-search.js
CHANGED
|
@@ -4287,6 +4287,13 @@ var init_platform_procedures = __esm({
|
|
|
4287
4287
|
priority: "p0",
|
|
4288
4288
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4289
4289
|
},
|
|
4290
|
+
// --- Encryption key + cloud sync ---
|
|
4291
|
+
{
|
|
4292
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4293
|
+
domain: "security",
|
|
4294
|
+
priority: "p0",
|
|
4295
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4296
|
+
},
|
|
4290
4297
|
// --- MCP is the ONLY data interface ---
|
|
4291
4298
|
{
|
|
4292
4299
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4331,6 +4331,13 @@ var init_platform_procedures = __esm({
|
|
|
4331
4331
|
priority: "p0",
|
|
4332
4332
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4333
4333
|
},
|
|
4334
|
+
// --- Encryption key + cloud sync ---
|
|
4335
|
+
{
|
|
4336
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4337
|
+
domain: "security",
|
|
4338
|
+
priority: "p0",
|
|
4339
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4340
|
+
},
|
|
4334
4341
|
// --- MCP is the ONLY data interface ---
|
|
4335
4342
|
{
|
|
4336
4343
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3603,6 +3603,13 @@ var init_platform_procedures = __esm({
|
|
|
3603
3603
|
priority: "p0",
|
|
3604
3604
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
3605
3605
|
},
|
|
3606
|
+
// --- Encryption key + cloud sync ---
|
|
3607
|
+
{
|
|
3608
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
3609
|
+
domain: "security",
|
|
3610
|
+
priority: "p0",
|
|
3611
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3612
|
+
},
|
|
3606
3613
|
// --- MCP is the ONLY data interface ---
|
|
3607
3614
|
{
|
|
3608
3615
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3603,6 +3603,13 @@ var init_platform_procedures = __esm({
|
|
|
3603
3603
|
priority: "p0",
|
|
3604
3604
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
3605
3605
|
},
|
|
3606
|
+
// --- Encryption key + cloud sync ---
|
|
3607
|
+
{
|
|
3608
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
3609
|
+
domain: "security",
|
|
3610
|
+
priority: "p0",
|
|
3611
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3612
|
+
},
|
|
3606
3613
|
// --- MCP is the ONLY data interface ---
|
|
3607
3614
|
{
|
|
3608
3615
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-status.js
CHANGED
|
@@ -4310,6 +4310,13 @@ var init_platform_procedures = __esm({
|
|
|
4310
4310
|
priority: "p0",
|
|
4311
4311
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4312
4312
|
},
|
|
4313
|
+
// --- Encryption key + cloud sync ---
|
|
4314
|
+
{
|
|
4315
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4316
|
+
domain: "security",
|
|
4317
|
+
priority: "p0",
|
|
4318
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4319
|
+
},
|
|
4313
4320
|
// --- MCP is the ONLY data interface ---
|
|
4314
4321
|
{
|
|
4315
4322
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-team.js
CHANGED
|
@@ -4299,6 +4299,13 @@ var init_platform_procedures = __esm({
|
|
|
4299
4299
|
priority: "p0",
|
|
4300
4300
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4301
4301
|
},
|
|
4302
|
+
// --- Encryption key + cloud sync ---
|
|
4303
|
+
{
|
|
4304
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4305
|
+
domain: "security",
|
|
4306
|
+
priority: "p0",
|
|
4307
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4308
|
+
},
|
|
4302
4309
|
// --- MCP is the ONLY data interface ---
|
|
4303
4310
|
{
|
|
4304
4311
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/git-sweep.js
CHANGED
|
@@ -8056,6 +8056,13 @@ var init_platform_procedures = __esm({
|
|
|
8056
8056
|
priority: "p0",
|
|
8057
8057
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
8058
8058
|
},
|
|
8059
|
+
// --- Encryption key + cloud sync ---
|
|
8060
|
+
{
|
|
8061
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
8062
|
+
domain: "security",
|
|
8063
|
+
priority: "p0",
|
|
8064
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8065
|
+
},
|
|
8059
8066
|
// --- MCP is the ONLY data interface ---
|
|
8060
8067
|
{
|
|
8061
8068
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3516,6 +3516,13 @@ var init_platform_procedures = __esm({
|
|
|
3516
3516
|
priority: "p0",
|
|
3517
3517
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
3518
3518
|
},
|
|
3519
|
+
// --- Encryption key + cloud sync ---
|
|
3520
|
+
{
|
|
3521
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
3522
|
+
domain: "security",
|
|
3523
|
+
priority: "p0",
|
|
3524
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
|
+
},
|
|
3519
3526
|
// --- MCP is the ONLY data interface ---
|
|
3520
3527
|
{
|
|
3521
3528
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/graph-export.js
CHANGED
|
@@ -4288,6 +4288,13 @@ var init_platform_procedures = __esm({
|
|
|
4288
4288
|
priority: "p0",
|
|
4289
4289
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4290
4290
|
},
|
|
4291
|
+
// --- Encryption key + cloud sync ---
|
|
4292
|
+
{
|
|
4293
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4294
|
+
domain: "security",
|
|
4295
|
+
priority: "p0",
|
|
4296
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4297
|
+
},
|
|
4291
4298
|
// --- MCP is the ONLY data interface ---
|
|
4292
4299
|
{
|
|
4293
4300
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4397,6 +4397,13 @@ var init_platform_procedures = __esm({
|
|
|
4397
4397
|
priority: "p0",
|
|
4398
4398
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4399
4399
|
},
|
|
4400
|
+
// --- Encryption key + cloud sync ---
|
|
4401
|
+
{
|
|
4402
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4403
|
+
domain: "security",
|
|
4404
|
+
priority: "p0",
|
|
4405
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4406
|
+
},
|
|
4400
4407
|
// --- MCP is the ONLY data interface ---
|
|
4401
4408
|
{
|
|
4402
4409
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/scan-tasks.js
CHANGED
|
@@ -8127,6 +8127,13 @@ var init_platform_procedures = __esm({
|
|
|
8127
8127
|
priority: "p0",
|
|
8128
8128
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
8129
8129
|
},
|
|
8130
|
+
// --- Encryption key + cloud sync ---
|
|
8131
|
+
{
|
|
8132
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
8133
|
+
domain: "security",
|
|
8134
|
+
priority: "p0",
|
|
8135
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8136
|
+
},
|
|
8130
8137
|
// --- MCP is the ONLY data interface ---
|
|
8131
8138
|
{
|
|
8132
8139
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/setup.js
CHANGED
|
@@ -718,20 +718,39 @@ async function getKeyStorageInfo() {
|
|
|
718
718
|
}
|
|
719
719
|
async function setMasterKey(key) {
|
|
720
720
|
const b64 = key.toString("base64");
|
|
721
|
-
|
|
722
|
-
|
|
721
|
+
let keychainOk = false;
|
|
722
|
+
if (macKeychainSet(b64)) {
|
|
723
|
+
const readBack = macKeychainGet();
|
|
724
|
+
if (readBack === b64) {
|
|
725
|
+
keychainOk = true;
|
|
726
|
+
} else {
|
|
727
|
+
process.stderr.write(
|
|
728
|
+
"[keychain] macOS Keychain write appeared to succeed but read-back failed.\n This can happen on macOS Tahoe with new permission patterns.\n"
|
|
729
|
+
);
|
|
730
|
+
}
|
|
731
|
+
} else if (linuxSecretSet(b64)) {
|
|
732
|
+
const readBack = linuxSecretGet();
|
|
733
|
+
if (readBack === b64) {
|
|
734
|
+
keychainOk = true;
|
|
735
|
+
} else {
|
|
736
|
+
process.stderr.write("[keychain] Linux secret-tool write appeared to succeed but read-back failed.\n");
|
|
737
|
+
}
|
|
723
738
|
}
|
|
724
|
-
|
|
725
|
-
|
|
726
|
-
|
|
727
|
-
|
|
728
|
-
|
|
729
|
-
|
|
739
|
+
if (!keychainOk) {
|
|
740
|
+
const keytar = await tryKeytar();
|
|
741
|
+
if (keytar) {
|
|
742
|
+
try {
|
|
743
|
+
await keytar.setPassword(SERVICE, ACCOUNT, b64);
|
|
744
|
+
keychainOk = true;
|
|
745
|
+
} catch {
|
|
746
|
+
}
|
|
730
747
|
}
|
|
731
748
|
}
|
|
732
749
|
const fallback = await writeMachineBoundFileFallback(b64);
|
|
733
|
-
if (
|
|
734
|
-
process.stderr.write("[keychain] Key stored
|
|
750
|
+
if (keychainOk) {
|
|
751
|
+
process.stderr.write("[keychain] Key stored in OS keychain (file backup also written).\n");
|
|
752
|
+
} else if (fallback === "encrypted") {
|
|
753
|
+
process.stderr.write("[keychain] Key stored encrypted (machine-bound file fallback).\n");
|
|
735
754
|
} else {
|
|
736
755
|
process.stderr.write(
|
|
737
756
|
"[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
|
|
@@ -6698,6 +6717,13 @@ var init_platform_procedures = __esm({
|
|
|
6698
6717
|
priority: "p0",
|
|
6699
6718
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
6700
6719
|
},
|
|
6720
|
+
// --- Encryption key + cloud sync ---
|
|
6721
|
+
{
|
|
6722
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
6723
|
+
domain: "security",
|
|
6724
|
+
priority: "p0",
|
|
6725
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
6726
|
+
},
|
|
6701
6727
|
// --- MCP is the ONLY data interface ---
|
|
6702
6728
|
{
|
|
6703
6729
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3516,6 +3516,13 @@ var init_platform_procedures = __esm({
|
|
|
3516
3516
|
priority: "p0",
|
|
3517
3517
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
3518
3518
|
},
|
|
3519
|
+
// --- Encryption key + cloud sync ---
|
|
3520
|
+
{
|
|
3521
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
3522
|
+
domain: "security",
|
|
3523
|
+
priority: "p0",
|
|
3524
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
|
+
},
|
|
3519
3526
|
// --- MCP is the ONLY data interface ---
|
|
3520
3527
|
{
|
|
3521
3528
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/gateway/index.js
CHANGED
|
@@ -4956,6 +4956,13 @@ var init_platform_procedures = __esm({
|
|
|
4956
4956
|
priority: "p0",
|
|
4957
4957
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4958
4958
|
},
|
|
4959
|
+
// --- Encryption key + cloud sync ---
|
|
4960
|
+
{
|
|
4961
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4962
|
+
domain: "security",
|
|
4963
|
+
priority: "p0",
|
|
4964
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4965
|
+
},
|
|
4959
4966
|
// --- MCP is the ONLY data interface ---
|
|
4960
4967
|
{
|
|
4961
4968
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4698,6 +4698,13 @@ var init_platform_procedures = __esm({
|
|
|
4698
4698
|
priority: "p0",
|
|
4699
4699
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4700
4700
|
},
|
|
4701
|
+
// --- Encryption key + cloud sync ---
|
|
4702
|
+
{
|
|
4703
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4704
|
+
domain: "security",
|
|
4705
|
+
priority: "p0",
|
|
4706
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4707
|
+
},
|
|
4701
4708
|
// --- MCP is the ONLY data interface ---
|
|
4702
4709
|
{
|
|
4703
4710
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4381,6 +4381,13 @@ var init_platform_procedures = __esm({
|
|
|
4381
4381
|
priority: "p0",
|
|
4382
4382
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4383
4383
|
},
|
|
4384
|
+
// --- Encryption key + cloud sync ---
|
|
4385
|
+
{
|
|
4386
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4387
|
+
domain: "security",
|
|
4388
|
+
priority: "p0",
|
|
4389
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4390
|
+
},
|
|
4384
4391
|
// --- MCP is the ONLY data interface ---
|
|
4385
4392
|
{
|
|
4386
4393
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -8121,6 +8121,13 @@ var init_platform_procedures = __esm({
|
|
|
8121
8121
|
priority: "p0",
|
|
8122
8122
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
8123
8123
|
},
|
|
8124
|
+
// --- Encryption key + cloud sync ---
|
|
8125
|
+
{
|
|
8126
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
8127
|
+
domain: "security",
|
|
8128
|
+
priority: "p0",
|
|
8129
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8130
|
+
},
|
|
8124
8131
|
// --- MCP is the ONLY data interface ---
|
|
8125
8132
|
{
|
|
8126
8133
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4289,6 +4289,13 @@ var init_platform_procedures = __esm({
|
|
|
4289
4289
|
priority: "p0",
|
|
4290
4290
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4291
4291
|
},
|
|
4292
|
+
// --- Encryption key + cloud sync ---
|
|
4293
|
+
{
|
|
4294
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4295
|
+
domain: "security",
|
|
4296
|
+
priority: "p0",
|
|
4297
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4298
|
+
},
|
|
4292
4299
|
// --- MCP is the ONLY data interface ---
|
|
4293
4300
|
{
|
|
4294
4301
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/hooks/ingest.js
CHANGED
|
@@ -4465,6 +4465,13 @@ var init_platform_procedures = __esm({
|
|
|
4465
4465
|
priority: "p0",
|
|
4466
4466
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4467
4467
|
},
|
|
4468
|
+
// --- Encryption key + cloud sync ---
|
|
4469
|
+
{
|
|
4470
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4471
|
+
domain: "security",
|
|
4472
|
+
priority: "p0",
|
|
4473
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4474
|
+
},
|
|
4468
4475
|
// --- MCP is the ONLY data interface ---
|
|
4469
4476
|
{
|
|
4470
4477
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4290,6 +4290,13 @@ var init_platform_procedures = __esm({
|
|
|
4290
4290
|
priority: "p0",
|
|
4291
4291
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4292
4292
|
},
|
|
4293
|
+
// --- Encryption key + cloud sync ---
|
|
4294
|
+
{
|
|
4295
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4296
|
+
domain: "security",
|
|
4297
|
+
priority: "p0",
|
|
4298
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4299
|
+
},
|
|
4293
4300
|
// --- MCP is the ONLY data interface ---
|
|
4294
4301
|
{
|
|
4295
4302
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4290,6 +4290,13 @@ var init_platform_procedures = __esm({
|
|
|
4290
4290
|
priority: "p0",
|
|
4291
4291
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4292
4292
|
},
|
|
4293
|
+
// --- Encryption key + cloud sync ---
|
|
4294
|
+
{
|
|
4295
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4296
|
+
domain: "security",
|
|
4297
|
+
priority: "p0",
|
|
4298
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4299
|
+
},
|
|
4293
4300
|
// --- MCP is the ONLY data interface ---
|
|
4294
4301
|
{
|
|
4295
4302
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4910,6 +4910,13 @@ var init_platform_procedures = __esm({
|
|
|
4910
4910
|
priority: "p0",
|
|
4911
4911
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4912
4912
|
},
|
|
4913
|
+
// --- Encryption key + cloud sync ---
|
|
4914
|
+
{
|
|
4915
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4916
|
+
domain: "security",
|
|
4917
|
+
priority: "p0",
|
|
4918
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4919
|
+
},
|
|
4913
4920
|
// --- MCP is the ONLY data interface ---
|
|
4914
4921
|
{
|
|
4915
4922
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4541,6 +4541,13 @@ var init_platform_procedures = __esm({
|
|
|
4541
4541
|
priority: "p0",
|
|
4542
4542
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4543
4543
|
},
|
|
4544
|
+
// --- Encryption key + cloud sync ---
|
|
4545
|
+
{
|
|
4546
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4547
|
+
domain: "security",
|
|
4548
|
+
priority: "p0",
|
|
4549
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4550
|
+
},
|
|
4544
4551
|
// --- MCP is the ONLY data interface ---
|
|
4545
4552
|
{
|
|
4546
4553
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -8105,6 +8105,13 @@ var init_platform_procedures = __esm({
|
|
|
8105
8105
|
priority: "p0",
|
|
8106
8106
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
8107
8107
|
},
|
|
8108
|
+
// --- Encryption key + cloud sync ---
|
|
8109
|
+
{
|
|
8110
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
8111
|
+
domain: "security",
|
|
8112
|
+
priority: "p0",
|
|
8113
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8114
|
+
},
|
|
8108
8115
|
// --- MCP is the ONLY data interface ---
|
|
8109
8116
|
{
|
|
8110
8117
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -5241,6 +5241,13 @@ var init_platform_procedures = __esm({
|
|
|
5241
5241
|
priority: "p0",
|
|
5242
5242
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
5243
5243
|
},
|
|
5244
|
+
// --- Encryption key + cloud sync ---
|
|
5245
|
+
{
|
|
5246
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
5247
|
+
domain: "security",
|
|
5248
|
+
priority: "p0",
|
|
5249
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
5250
|
+
},
|
|
5244
5251
|
// --- MCP is the ONLY data interface ---
|
|
5245
5252
|
{
|
|
5246
5253
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4698,6 +4698,13 @@ var init_platform_procedures = __esm({
|
|
|
4698
4698
|
priority: "p0",
|
|
4699
4699
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4700
4700
|
},
|
|
4701
|
+
// --- Encryption key + cloud sync ---
|
|
4702
|
+
{
|
|
4703
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4704
|
+
domain: "security",
|
|
4705
|
+
priority: "p0",
|
|
4706
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4707
|
+
},
|
|
4701
4708
|
// --- MCP is the ONLY data interface ---
|
|
4702
4709
|
{
|
|
4703
4710
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -8314,6 +8314,13 @@ var init_platform_procedures = __esm({
|
|
|
8314
8314
|
priority: "p0",
|
|
8315
8315
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
8316
8316
|
},
|
|
8317
|
+
// --- Encryption key + cloud sync ---
|
|
8318
|
+
{
|
|
8319
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
8320
|
+
domain: "security",
|
|
8321
|
+
priority: "p0",
|
|
8322
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8323
|
+
},
|
|
8317
8324
|
// --- MCP is the ONLY data interface ---
|
|
8318
8325
|
{
|
|
8319
8326
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4698,6 +4698,13 @@ var init_platform_procedures = __esm({
|
|
|
4698
4698
|
priority: "p0",
|
|
4699
4699
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4700
4700
|
},
|
|
4701
|
+
// --- Encryption key + cloud sync ---
|
|
4702
|
+
{
|
|
4703
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4704
|
+
domain: "security",
|
|
4705
|
+
priority: "p0",
|
|
4706
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4707
|
+
},
|
|
4701
4708
|
// --- MCP is the ONLY data interface ---
|
|
4702
4709
|
{
|
|
4703
4710
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/hooks/stop.js
CHANGED
|
@@ -4814,6 +4814,13 @@ var init_platform_procedures = __esm({
|
|
|
4814
4814
|
priority: "p0",
|
|
4815
4815
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4816
4816
|
},
|
|
4817
|
+
// --- Encryption key + cloud sync ---
|
|
4818
|
+
{
|
|
4819
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4820
|
+
domain: "security",
|
|
4821
|
+
priority: "p0",
|
|
4822
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4823
|
+
},
|
|
4817
4824
|
// --- MCP is the ONLY data interface ---
|
|
4818
4825
|
{
|
|
4819
4826
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4777,6 +4777,13 @@ var init_platform_procedures = __esm({
|
|
|
4777
4777
|
priority: "p0",
|
|
4778
4778
|
content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
|
|
4779
4779
|
},
|
|
4780
|
+
// --- Encryption key + cloud sync ---
|
|
4781
|
+
{
|
|
4782
|
+
title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
|
|
4783
|
+
domain: "security",
|
|
4784
|
+
priority: "p0",
|
|
4785
|
+
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4786
|
+
},
|
|
4780
4787
|
// --- MCP is the ONLY data interface ---
|
|
4781
4788
|
{
|
|
4782
4789
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|