@askexenow/exe-os 0.9.99 → 0.9.101
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bin/agentic-ontology-backfill.js +6 -0
- package/dist/bin/agentic-reflection-backfill.js +6 -0
- package/dist/bin/agentic-semantic-label.js +6 -0
- package/dist/bin/backfill-conversations.js +6 -0
- package/dist/bin/backfill-responses.js +6 -0
- package/dist/bin/backfill-vectors.js +6 -0
- package/dist/bin/bulk-sync-postgres.js +6 -0
- package/dist/bin/cleanup-stale-review-tasks.js +6 -0
- package/dist/bin/cli.js +35 -10
- package/dist/bin/exe-agent.js +6 -0
- package/dist/bin/exe-assign.js +6 -0
- package/dist/bin/exe-boot.js +35 -10
- package/dist/bin/exe-call.js +6 -0
- package/dist/bin/exe-cloud.js +35 -10
- package/dist/bin/exe-dispatch.js +6 -0
- package/dist/bin/exe-doctor.js +35 -10
- package/dist/bin/exe-export-behaviors.js +6 -0
- package/dist/bin/exe-forget.js +6 -0
- package/dist/bin/exe-gateway.js +6 -0
- package/dist/bin/exe-heartbeat.js +6 -0
- package/dist/bin/exe-kill.js +6 -0
- package/dist/bin/exe-launch-agent.js +6 -0
- package/dist/bin/exe-new-employee.js +6 -0
- package/dist/bin/exe-pending-messages.js +6 -0
- package/dist/bin/exe-pending-notifications.js +6 -0
- package/dist/bin/exe-pending-reviews.js +6 -0
- package/dist/bin/exe-rename.js +6 -0
- package/dist/bin/exe-review.js +6 -0
- package/dist/bin/exe-search.js +6 -0
- package/dist/bin/exe-session-cleanup.js +6 -0
- package/dist/bin/exe-start-codex.js +6 -0
- package/dist/bin/exe-start-opencode.js +6 -0
- package/dist/bin/exe-status.js +6 -0
- package/dist/bin/exe-team.js +6 -0
- package/dist/bin/git-sweep.js +6 -0
- package/dist/bin/graph-backfill.js +6 -0
- package/dist/bin/graph-export.js +6 -0
- package/dist/bin/intercom-check.js +6 -0
- package/dist/bin/scan-tasks.js +6 -0
- package/dist/bin/setup.js +35 -10
- package/dist/bin/shard-migrate.js +6 -0
- package/dist/gateway/index.js +6 -0
- package/dist/hooks/bug-report-worker.js +6 -0
- package/dist/hooks/codex-stop-task-finalizer.js +6 -0
- package/dist/hooks/commit-complete.js +6 -0
- package/dist/hooks/error-recall.js +6 -0
- package/dist/hooks/ingest.js +6 -0
- package/dist/hooks/instructions-loaded.js +6 -0
- package/dist/hooks/notification.js +6 -0
- package/dist/hooks/post-compact.js +6 -0
- package/dist/hooks/post-tool-combined.js +6 -0
- package/dist/hooks/pre-compact.js +6 -0
- package/dist/hooks/pre-tool-use.js +6 -0
- package/dist/hooks/prompt-submit.js +6 -0
- package/dist/hooks/session-end.js +6 -0
- package/dist/hooks/session-start.js +6 -0
- package/dist/hooks/stop.js +6 -0
- package/dist/hooks/subagent-stop.js +6 -0
- package/dist/hooks/summary-worker.js +35 -10
- package/dist/index.js +6 -0
- package/dist/lib/cloud-sync.js +29 -10
- package/dist/lib/employee-templates.js +6 -0
- package/dist/lib/exe-daemon.js +35 -10
- package/dist/lib/hybrid-search.js +6 -0
- package/dist/lib/keychain.js +29 -10
- package/dist/lib/schedules.js +6 -0
- package/dist/lib/store.js +6 -0
- package/dist/mcp/server.js +35 -10
- package/dist/runtime/index.js +6 -0
- package/dist/tui/App.js +35 -10
- package/package.json +1 -1
- package/src/commands/exe/setup.md +1 -1
|
@@ -3523,6 +3523,12 @@ var init_platform_procedures = __esm({
|
|
|
3523
3523
|
priority: "p0",
|
|
3524
3524
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
3525
|
},
|
|
3526
|
+
{
|
|
3527
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3528
|
+
domain: "architecture",
|
|
3529
|
+
priority: "p1",
|
|
3530
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3531
|
+
},
|
|
3526
3532
|
// --- MCP is the ONLY data interface ---
|
|
3527
3533
|
{
|
|
3528
3534
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3523,6 +3523,12 @@ var init_platform_procedures = __esm({
|
|
|
3523
3523
|
priority: "p0",
|
|
3524
3524
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
3525
|
},
|
|
3526
|
+
{
|
|
3527
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3528
|
+
domain: "architecture",
|
|
3529
|
+
priority: "p1",
|
|
3530
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3531
|
+
},
|
|
3526
3532
|
// --- MCP is the ONLY data interface ---
|
|
3527
3533
|
{
|
|
3528
3534
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3523,6 +3523,12 @@ var init_platform_procedures = __esm({
|
|
|
3523
3523
|
priority: "p0",
|
|
3524
3524
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
3525
|
},
|
|
3526
|
+
{
|
|
3527
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3528
|
+
domain: "architecture",
|
|
3529
|
+
priority: "p1",
|
|
3530
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3531
|
+
},
|
|
3526
3532
|
// --- MCP is the ONLY data interface ---
|
|
3527
3533
|
{
|
|
3528
3534
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3663,6 +3663,12 @@ var init_platform_procedures = __esm({
|
|
|
3663
3663
|
priority: "p0",
|
|
3664
3664
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3665
3665
|
},
|
|
3666
|
+
{
|
|
3667
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3668
|
+
domain: "architecture",
|
|
3669
|
+
priority: "p1",
|
|
3670
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3671
|
+
},
|
|
3666
3672
|
// --- MCP is the ONLY data interface ---
|
|
3667
3673
|
{
|
|
3668
3674
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3663,6 +3663,12 @@ var init_platform_procedures = __esm({
|
|
|
3663
3663
|
priority: "p0",
|
|
3664
3664
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3665
3665
|
},
|
|
3666
|
+
{
|
|
3667
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3668
|
+
domain: "architecture",
|
|
3669
|
+
priority: "p1",
|
|
3670
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3671
|
+
},
|
|
3666
3672
|
// --- MCP is the ONLY data interface ---
|
|
3667
3673
|
{
|
|
3668
3674
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3659,6 +3659,12 @@ var init_platform_procedures = __esm({
|
|
|
3659
3659
|
priority: "p0",
|
|
3660
3660
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3661
3661
|
},
|
|
3662
|
+
{
|
|
3663
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3664
|
+
domain: "architecture",
|
|
3665
|
+
priority: "p1",
|
|
3666
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3667
|
+
},
|
|
3662
3668
|
// --- MCP is the ONLY data interface ---
|
|
3663
3669
|
{
|
|
3664
3670
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3831,6 +3831,12 @@ var init_platform_procedures = __esm({
|
|
|
3831
3831
|
priority: "p0",
|
|
3832
3832
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3833
3833
|
},
|
|
3834
|
+
{
|
|
3835
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3836
|
+
domain: "architecture",
|
|
3837
|
+
priority: "p1",
|
|
3838
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3839
|
+
},
|
|
3834
3840
|
// --- MCP is the ONLY data interface ---
|
|
3835
3841
|
{
|
|
3836
3842
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4306,6 +4306,12 @@ var init_platform_procedures = __esm({
|
|
|
4306
4306
|
priority: "p0",
|
|
4307
4307
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4308
4308
|
},
|
|
4309
|
+
{
|
|
4310
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4311
|
+
domain: "architecture",
|
|
4312
|
+
priority: "p1",
|
|
4313
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4314
|
+
},
|
|
4309
4315
|
// --- MCP is the ONLY data interface ---
|
|
4310
4316
|
{
|
|
4311
4317
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/cli.js
CHANGED
|
@@ -2896,20 +2896,39 @@ async function getKeyStorageInfo() {
|
|
|
2896
2896
|
}
|
|
2897
2897
|
async function setMasterKey(key) {
|
|
2898
2898
|
const b64 = key.toString("base64");
|
|
2899
|
-
|
|
2900
|
-
|
|
2899
|
+
let keychainOk = false;
|
|
2900
|
+
if (macKeychainSet(b64)) {
|
|
2901
|
+
const readBack = macKeychainGet();
|
|
2902
|
+
if (readBack === b64) {
|
|
2903
|
+
keychainOk = true;
|
|
2904
|
+
} else {
|
|
2905
|
+
process.stderr.write(
|
|
2906
|
+
"[keychain] macOS Keychain write appeared to succeed but read-back failed.\n This can happen on macOS Tahoe with new permission patterns.\n"
|
|
2907
|
+
);
|
|
2908
|
+
}
|
|
2909
|
+
} else if (linuxSecretSet(b64)) {
|
|
2910
|
+
const readBack = linuxSecretGet();
|
|
2911
|
+
if (readBack === b64) {
|
|
2912
|
+
keychainOk = true;
|
|
2913
|
+
} else {
|
|
2914
|
+
process.stderr.write("[keychain] Linux secret-tool write appeared to succeed but read-back failed.\n");
|
|
2915
|
+
}
|
|
2901
2916
|
}
|
|
2902
|
-
|
|
2903
|
-
|
|
2904
|
-
|
|
2905
|
-
|
|
2906
|
-
|
|
2907
|
-
|
|
2917
|
+
if (!keychainOk) {
|
|
2918
|
+
const keytar = await tryKeytar();
|
|
2919
|
+
if (keytar) {
|
|
2920
|
+
try {
|
|
2921
|
+
await keytar.setPassword(SERVICE, ACCOUNT, b64);
|
|
2922
|
+
keychainOk = true;
|
|
2923
|
+
} catch {
|
|
2924
|
+
}
|
|
2908
2925
|
}
|
|
2909
2926
|
}
|
|
2910
2927
|
const fallback = await writeMachineBoundFileFallback(b64);
|
|
2911
|
-
if (
|
|
2912
|
-
process.stderr.write("[keychain] Key stored
|
|
2928
|
+
if (keychainOk) {
|
|
2929
|
+
process.stderr.write("[keychain] Key stored in OS keychain (file backup also written).\n");
|
|
2930
|
+
} else if (fallback === "encrypted") {
|
|
2931
|
+
process.stderr.write("[keychain] Key stored encrypted (machine-bound file fallback).\n");
|
|
2913
2932
|
} else {
|
|
2914
2933
|
process.stderr.write(
|
|
2915
2934
|
"[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
|
|
@@ -8993,6 +9012,12 @@ var init_platform_procedures = __esm({
|
|
|
8993
9012
|
priority: "p0",
|
|
8994
9013
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8995
9014
|
},
|
|
9015
|
+
{
|
|
9016
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
9017
|
+
domain: "architecture",
|
|
9018
|
+
priority: "p1",
|
|
9019
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
9020
|
+
},
|
|
8996
9021
|
// --- MCP is the ONLY data interface ---
|
|
8997
9022
|
{
|
|
8998
9023
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-agent.js
CHANGED
|
@@ -1500,6 +1500,12 @@ var PLATFORM_PROCEDURES = [
|
|
|
1500
1500
|
priority: "p0",
|
|
1501
1501
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
1502
1502
|
},
|
|
1503
|
+
{
|
|
1504
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
1505
|
+
domain: "architecture",
|
|
1506
|
+
priority: "p1",
|
|
1507
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
1508
|
+
},
|
|
1503
1509
|
// --- MCP is the ONLY data interface ---
|
|
1504
1510
|
{
|
|
1505
1511
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-assign.js
CHANGED
|
@@ -3673,6 +3673,12 @@ var init_platform_procedures = __esm({
|
|
|
3673
3673
|
priority: "p0",
|
|
3674
3674
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3675
3675
|
},
|
|
3676
|
+
{
|
|
3677
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3678
|
+
domain: "architecture",
|
|
3679
|
+
priority: "p1",
|
|
3680
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3681
|
+
},
|
|
3676
3682
|
// --- MCP is the ONLY data interface ---
|
|
3677
3683
|
{
|
|
3678
3684
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-boot.js
CHANGED
|
@@ -3410,6 +3410,12 @@ var init_platform_procedures = __esm({
|
|
|
3410
3410
|
priority: "p0",
|
|
3411
3411
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3412
3412
|
},
|
|
3413
|
+
{
|
|
3414
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3415
|
+
domain: "architecture",
|
|
3416
|
+
priority: "p1",
|
|
3417
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3418
|
+
},
|
|
3413
3419
|
// --- MCP is the ONLY data interface ---
|
|
3414
3420
|
{
|
|
3415
3421
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3942,20 +3948,39 @@ async function getKeyStorageInfo() {
|
|
|
3942
3948
|
}
|
|
3943
3949
|
async function setMasterKey(key) {
|
|
3944
3950
|
const b64 = key.toString("base64");
|
|
3945
|
-
|
|
3946
|
-
|
|
3951
|
+
let keychainOk = false;
|
|
3952
|
+
if (macKeychainSet(b64)) {
|
|
3953
|
+
const readBack = macKeychainGet();
|
|
3954
|
+
if (readBack === b64) {
|
|
3955
|
+
keychainOk = true;
|
|
3956
|
+
} else {
|
|
3957
|
+
process.stderr.write(
|
|
3958
|
+
"[keychain] macOS Keychain write appeared to succeed but read-back failed.\n This can happen on macOS Tahoe with new permission patterns.\n"
|
|
3959
|
+
);
|
|
3960
|
+
}
|
|
3961
|
+
} else if (linuxSecretSet(b64)) {
|
|
3962
|
+
const readBack = linuxSecretGet();
|
|
3963
|
+
if (readBack === b64) {
|
|
3964
|
+
keychainOk = true;
|
|
3965
|
+
} else {
|
|
3966
|
+
process.stderr.write("[keychain] Linux secret-tool write appeared to succeed but read-back failed.\n");
|
|
3967
|
+
}
|
|
3947
3968
|
}
|
|
3948
|
-
|
|
3949
|
-
|
|
3950
|
-
|
|
3951
|
-
|
|
3952
|
-
|
|
3953
|
-
|
|
3969
|
+
if (!keychainOk) {
|
|
3970
|
+
const keytar = await tryKeytar();
|
|
3971
|
+
if (keytar) {
|
|
3972
|
+
try {
|
|
3973
|
+
await keytar.setPassword(SERVICE, ACCOUNT, b64);
|
|
3974
|
+
keychainOk = true;
|
|
3975
|
+
} catch {
|
|
3976
|
+
}
|
|
3954
3977
|
}
|
|
3955
3978
|
}
|
|
3956
3979
|
const fallback = await writeMachineBoundFileFallback(b64);
|
|
3957
|
-
if (
|
|
3958
|
-
process.stderr.write("[keychain] Key stored
|
|
3980
|
+
if (keychainOk) {
|
|
3981
|
+
process.stderr.write("[keychain] Key stored in OS keychain (file backup also written).\n");
|
|
3982
|
+
} else if (fallback === "encrypted") {
|
|
3983
|
+
process.stderr.write("[keychain] Key stored encrypted (machine-bound file fallback).\n");
|
|
3959
3984
|
} else {
|
|
3960
3985
|
process.stderr.write(
|
|
3961
3986
|
"[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
|
package/dist/bin/exe-call.js
CHANGED
|
@@ -438,6 +438,12 @@ var init_platform_procedures = __esm({
|
|
|
438
438
|
priority: "p0",
|
|
439
439
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
440
440
|
},
|
|
441
|
+
{
|
|
442
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
443
|
+
domain: "architecture",
|
|
444
|
+
priority: "p1",
|
|
445
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
446
|
+
},
|
|
441
447
|
// --- MCP is the ONLY data interface ---
|
|
442
448
|
{
|
|
443
449
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-cloud.js
CHANGED
|
@@ -413,20 +413,39 @@ async function getKeyStorageInfo() {
|
|
|
413
413
|
}
|
|
414
414
|
async function setMasterKey(key) {
|
|
415
415
|
const b64 = key.toString("base64");
|
|
416
|
-
|
|
417
|
-
|
|
416
|
+
let keychainOk = false;
|
|
417
|
+
if (macKeychainSet(b64)) {
|
|
418
|
+
const readBack = macKeychainGet();
|
|
419
|
+
if (readBack === b64) {
|
|
420
|
+
keychainOk = true;
|
|
421
|
+
} else {
|
|
422
|
+
process.stderr.write(
|
|
423
|
+
"[keychain] macOS Keychain write appeared to succeed but read-back failed.\n This can happen on macOS Tahoe with new permission patterns.\n"
|
|
424
|
+
);
|
|
425
|
+
}
|
|
426
|
+
} else if (linuxSecretSet(b64)) {
|
|
427
|
+
const readBack = linuxSecretGet();
|
|
428
|
+
if (readBack === b64) {
|
|
429
|
+
keychainOk = true;
|
|
430
|
+
} else {
|
|
431
|
+
process.stderr.write("[keychain] Linux secret-tool write appeared to succeed but read-back failed.\n");
|
|
432
|
+
}
|
|
418
433
|
}
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
|
|
434
|
+
if (!keychainOk) {
|
|
435
|
+
const keytar = await tryKeytar();
|
|
436
|
+
if (keytar) {
|
|
437
|
+
try {
|
|
438
|
+
await keytar.setPassword(SERVICE, ACCOUNT, b64);
|
|
439
|
+
keychainOk = true;
|
|
440
|
+
} catch {
|
|
441
|
+
}
|
|
425
442
|
}
|
|
426
443
|
}
|
|
427
444
|
const fallback = await writeMachineBoundFileFallback(b64);
|
|
428
|
-
if (
|
|
429
|
-
process.stderr.write("[keychain] Key stored
|
|
445
|
+
if (keychainOk) {
|
|
446
|
+
process.stderr.write("[keychain] Key stored in OS keychain (file backup also written).\n");
|
|
447
|
+
} else if (fallback === "encrypted") {
|
|
448
|
+
process.stderr.write("[keychain] Key stored encrypted (machine-bound file fallback).\n");
|
|
430
449
|
} else {
|
|
431
450
|
process.stderr.write(
|
|
432
451
|
"[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
|
|
@@ -6802,6 +6821,12 @@ var init_platform_procedures = __esm({
|
|
|
6802
6821
|
priority: "p0",
|
|
6803
6822
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
6804
6823
|
},
|
|
6824
|
+
{
|
|
6825
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
6826
|
+
domain: "architecture",
|
|
6827
|
+
priority: "p1",
|
|
6828
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
6829
|
+
},
|
|
6805
6830
|
// --- MCP is the ONLY data interface ---
|
|
6806
6831
|
{
|
|
6807
6832
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-dispatch.js
CHANGED
|
@@ -8113,6 +8113,12 @@ var init_platform_procedures = __esm({
|
|
|
8113
8113
|
priority: "p0",
|
|
8114
8114
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8115
8115
|
},
|
|
8116
|
+
{
|
|
8117
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
8118
|
+
domain: "architecture",
|
|
8119
|
+
priority: "p1",
|
|
8120
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
8121
|
+
},
|
|
8116
8122
|
// --- MCP is the ONLY data interface ---
|
|
8117
8123
|
{
|
|
8118
8124
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-doctor.js
CHANGED
|
@@ -1068,20 +1068,39 @@ async function getKeyStorageInfo() {
|
|
|
1068
1068
|
}
|
|
1069
1069
|
async function setMasterKey(key) {
|
|
1070
1070
|
const b64 = key.toString("base64");
|
|
1071
|
-
|
|
1072
|
-
|
|
1071
|
+
let keychainOk = false;
|
|
1072
|
+
if (macKeychainSet(b64)) {
|
|
1073
|
+
const readBack = macKeychainGet();
|
|
1074
|
+
if (readBack === b64) {
|
|
1075
|
+
keychainOk = true;
|
|
1076
|
+
} else {
|
|
1077
|
+
process.stderr.write(
|
|
1078
|
+
"[keychain] macOS Keychain write appeared to succeed but read-back failed.\n This can happen on macOS Tahoe with new permission patterns.\n"
|
|
1079
|
+
);
|
|
1080
|
+
}
|
|
1081
|
+
} else if (linuxSecretSet(b64)) {
|
|
1082
|
+
const readBack = linuxSecretGet();
|
|
1083
|
+
if (readBack === b64) {
|
|
1084
|
+
keychainOk = true;
|
|
1085
|
+
} else {
|
|
1086
|
+
process.stderr.write("[keychain] Linux secret-tool write appeared to succeed but read-back failed.\n");
|
|
1087
|
+
}
|
|
1073
1088
|
}
|
|
1074
|
-
|
|
1075
|
-
|
|
1076
|
-
|
|
1077
|
-
|
|
1078
|
-
|
|
1079
|
-
|
|
1089
|
+
if (!keychainOk) {
|
|
1090
|
+
const keytar = await tryKeytar();
|
|
1091
|
+
if (keytar) {
|
|
1092
|
+
try {
|
|
1093
|
+
await keytar.setPassword(SERVICE, ACCOUNT, b64);
|
|
1094
|
+
keychainOk = true;
|
|
1095
|
+
} catch {
|
|
1096
|
+
}
|
|
1080
1097
|
}
|
|
1081
1098
|
}
|
|
1082
1099
|
const fallback = await writeMachineBoundFileFallback(b64);
|
|
1083
|
-
if (
|
|
1084
|
-
process.stderr.write("[keychain] Key stored
|
|
1100
|
+
if (keychainOk) {
|
|
1101
|
+
process.stderr.write("[keychain] Key stored in OS keychain (file backup also written).\n");
|
|
1102
|
+
} else if (fallback === "encrypted") {
|
|
1103
|
+
process.stderr.write("[keychain] Key stored encrypted (machine-bound file fallback).\n");
|
|
1085
1104
|
} else {
|
|
1086
1105
|
process.stderr.write(
|
|
1087
1106
|
"[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
|
|
@@ -4615,6 +4634,12 @@ var init_platform_procedures = __esm({
|
|
|
4615
4634
|
priority: "p0",
|
|
4616
4635
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4617
4636
|
},
|
|
4637
|
+
{
|
|
4638
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4639
|
+
domain: "architecture",
|
|
4640
|
+
priority: "p1",
|
|
4641
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4642
|
+
},
|
|
4618
4643
|
// --- MCP is the ONLY data interface ---
|
|
4619
4644
|
{
|
|
4620
4645
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4371,6 +4371,12 @@ var init_platform_procedures = __esm({
|
|
|
4371
4371
|
priority: "p0",
|
|
4372
4372
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4373
4373
|
},
|
|
4374
|
+
{
|
|
4375
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4376
|
+
domain: "architecture",
|
|
4377
|
+
priority: "p1",
|
|
4378
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4379
|
+
},
|
|
4374
4380
|
// --- MCP is the ONLY data interface ---
|
|
4375
4381
|
{
|
|
4376
4382
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-forget.js
CHANGED
|
@@ -4295,6 +4295,12 @@ var init_platform_procedures = __esm({
|
|
|
4295
4295
|
priority: "p0",
|
|
4296
4296
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4297
4297
|
},
|
|
4298
|
+
{
|
|
4299
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4300
|
+
domain: "architecture",
|
|
4301
|
+
priority: "p1",
|
|
4302
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4303
|
+
},
|
|
4298
4304
|
// --- MCP is the ONLY data interface ---
|
|
4299
4305
|
{
|
|
4300
4306
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-gateway.js
CHANGED
|
@@ -4979,6 +4979,12 @@ var init_platform_procedures = __esm({
|
|
|
4979
4979
|
priority: "p0",
|
|
4980
4980
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4981
4981
|
},
|
|
4982
|
+
{
|
|
4983
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4984
|
+
domain: "architecture",
|
|
4985
|
+
priority: "p1",
|
|
4986
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4987
|
+
},
|
|
4982
4988
|
// --- MCP is the ONLY data interface ---
|
|
4983
4989
|
{
|
|
4984
4990
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4334,6 +4334,12 @@ var init_platform_procedures = __esm({
|
|
|
4334
4334
|
priority: "p0",
|
|
4335
4335
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4336
4336
|
},
|
|
4337
|
+
{
|
|
4338
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4339
|
+
domain: "architecture",
|
|
4340
|
+
priority: "p1",
|
|
4341
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4342
|
+
},
|
|
4337
4343
|
// --- MCP is the ONLY data interface ---
|
|
4338
4344
|
{
|
|
4339
4345
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-kill.js
CHANGED
|
@@ -4295,6 +4295,12 @@ var init_platform_procedures = __esm({
|
|
|
4295
4295
|
priority: "p0",
|
|
4296
4296
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4297
4297
|
},
|
|
4298
|
+
{
|
|
4299
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4300
|
+
domain: "architecture",
|
|
4301
|
+
priority: "p1",
|
|
4302
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4303
|
+
},
|
|
4298
4304
|
// --- MCP is the ONLY data interface ---
|
|
4299
4305
|
{
|
|
4300
4306
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4393,6 +4393,12 @@ var init_platform_procedures = __esm({
|
|
|
4393
4393
|
priority: "p0",
|
|
4394
4394
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4395
4395
|
},
|
|
4396
|
+
{
|
|
4397
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4398
|
+
domain: "architecture",
|
|
4399
|
+
priority: "p1",
|
|
4400
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4401
|
+
},
|
|
4396
4402
|
// --- MCP is the ONLY data interface ---
|
|
4397
4403
|
{
|
|
4398
4404
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -2815,6 +2815,12 @@ var PLATFORM_PROCEDURES = [
|
|
|
2815
2815
|
priority: "p0",
|
|
2816
2816
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
2817
2817
|
},
|
|
2818
|
+
{
|
|
2819
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
2820
|
+
domain: "architecture",
|
|
2821
|
+
priority: "p1",
|
|
2822
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
2823
|
+
},
|
|
2818
2824
|
// --- MCP is the ONLY data interface ---
|
|
2819
2825
|
{
|
|
2820
2826
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4774,6 +4774,12 @@ var init_platform_procedures = __esm({
|
|
|
4774
4774
|
priority: "p0",
|
|
4775
4775
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4776
4776
|
},
|
|
4777
|
+
{
|
|
4778
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4779
|
+
domain: "architecture",
|
|
4780
|
+
priority: "p1",
|
|
4781
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4782
|
+
},
|
|
4777
4783
|
// --- MCP is the ONLY data interface ---
|
|
4778
4784
|
{
|
|
4779
4785
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4840,6 +4840,12 @@ var init_platform_procedures = __esm({
|
|
|
4840
4840
|
priority: "p0",
|
|
4841
4841
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4842
4842
|
},
|
|
4843
|
+
{
|
|
4844
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4845
|
+
domain: "architecture",
|
|
4846
|
+
priority: "p1",
|
|
4847
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4848
|
+
},
|
|
4843
4849
|
// --- MCP is the ONLY data interface ---
|
|
4844
4850
|
{
|
|
4845
4851
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|