@askexenow/exe-os 0.9.99 → 0.9.101
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bin/agentic-ontology-backfill.js +6 -0
- package/dist/bin/agentic-reflection-backfill.js +6 -0
- package/dist/bin/agentic-semantic-label.js +6 -0
- package/dist/bin/backfill-conversations.js +6 -0
- package/dist/bin/backfill-responses.js +6 -0
- package/dist/bin/backfill-vectors.js +6 -0
- package/dist/bin/bulk-sync-postgres.js +6 -0
- package/dist/bin/cleanup-stale-review-tasks.js +6 -0
- package/dist/bin/cli.js +35 -10
- package/dist/bin/exe-agent.js +6 -0
- package/dist/bin/exe-assign.js +6 -0
- package/dist/bin/exe-boot.js +35 -10
- package/dist/bin/exe-call.js +6 -0
- package/dist/bin/exe-cloud.js +35 -10
- package/dist/bin/exe-dispatch.js +6 -0
- package/dist/bin/exe-doctor.js +35 -10
- package/dist/bin/exe-export-behaviors.js +6 -0
- package/dist/bin/exe-forget.js +6 -0
- package/dist/bin/exe-gateway.js +6 -0
- package/dist/bin/exe-heartbeat.js +6 -0
- package/dist/bin/exe-kill.js +6 -0
- package/dist/bin/exe-launch-agent.js +6 -0
- package/dist/bin/exe-new-employee.js +6 -0
- package/dist/bin/exe-pending-messages.js +6 -0
- package/dist/bin/exe-pending-notifications.js +6 -0
- package/dist/bin/exe-pending-reviews.js +6 -0
- package/dist/bin/exe-rename.js +6 -0
- package/dist/bin/exe-review.js +6 -0
- package/dist/bin/exe-search.js +6 -0
- package/dist/bin/exe-session-cleanup.js +6 -0
- package/dist/bin/exe-start-codex.js +6 -0
- package/dist/bin/exe-start-opencode.js +6 -0
- package/dist/bin/exe-status.js +6 -0
- package/dist/bin/exe-team.js +6 -0
- package/dist/bin/git-sweep.js +6 -0
- package/dist/bin/graph-backfill.js +6 -0
- package/dist/bin/graph-export.js +6 -0
- package/dist/bin/intercom-check.js +6 -0
- package/dist/bin/scan-tasks.js +6 -0
- package/dist/bin/setup.js +35 -10
- package/dist/bin/shard-migrate.js +6 -0
- package/dist/gateway/index.js +6 -0
- package/dist/hooks/bug-report-worker.js +6 -0
- package/dist/hooks/codex-stop-task-finalizer.js +6 -0
- package/dist/hooks/commit-complete.js +6 -0
- package/dist/hooks/error-recall.js +6 -0
- package/dist/hooks/ingest.js +6 -0
- package/dist/hooks/instructions-loaded.js +6 -0
- package/dist/hooks/notification.js +6 -0
- package/dist/hooks/post-compact.js +6 -0
- package/dist/hooks/post-tool-combined.js +6 -0
- package/dist/hooks/pre-compact.js +6 -0
- package/dist/hooks/pre-tool-use.js +6 -0
- package/dist/hooks/prompt-submit.js +6 -0
- package/dist/hooks/session-end.js +6 -0
- package/dist/hooks/session-start.js +6 -0
- package/dist/hooks/stop.js +6 -0
- package/dist/hooks/subagent-stop.js +6 -0
- package/dist/hooks/summary-worker.js +35 -10
- package/dist/index.js +6 -0
- package/dist/lib/cloud-sync.js +29 -10
- package/dist/lib/employee-templates.js +6 -0
- package/dist/lib/exe-daemon.js +35 -10
- package/dist/lib/hybrid-search.js +6 -0
- package/dist/lib/keychain.js +29 -10
- package/dist/lib/schedules.js +6 -0
- package/dist/lib/store.js +6 -0
- package/dist/mcp/server.js +35 -10
- package/dist/runtime/index.js +6 -0
- package/dist/tui/App.js +35 -10
- package/package.json +1 -1
- package/src/commands/exe/setup.md +1 -1
|
@@ -4879,6 +4879,12 @@ var init_platform_procedures = __esm({
|
|
|
4879
4879
|
priority: "p0",
|
|
4880
4880
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4881
4881
|
},
|
|
4882
|
+
{
|
|
4883
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4884
|
+
domain: "architecture",
|
|
4885
|
+
priority: "p1",
|
|
4886
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4887
|
+
},
|
|
4882
4888
|
// --- MCP is the ONLY data interface ---
|
|
4883
4889
|
{
|
|
4884
4890
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-rename.js
CHANGED
|
@@ -3178,6 +3178,12 @@ var init_platform_procedures = __esm({
|
|
|
3178
3178
|
priority: "p0",
|
|
3179
3179
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3180
3180
|
},
|
|
3181
|
+
{
|
|
3182
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3183
|
+
domain: "architecture",
|
|
3184
|
+
priority: "p1",
|
|
3185
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3186
|
+
},
|
|
3181
3187
|
// --- MCP is the ONLY data interface ---
|
|
3182
3188
|
{
|
|
3183
3189
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-review.js
CHANGED
|
@@ -4309,6 +4309,12 @@ var init_platform_procedures = __esm({
|
|
|
4309
4309
|
priority: "p0",
|
|
4310
4310
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4311
4311
|
},
|
|
4312
|
+
{
|
|
4313
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4314
|
+
domain: "architecture",
|
|
4315
|
+
priority: "p1",
|
|
4316
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4317
|
+
},
|
|
4312
4318
|
// --- MCP is the ONLY data interface ---
|
|
4313
4319
|
{
|
|
4314
4320
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-search.js
CHANGED
|
@@ -4294,6 +4294,12 @@ var init_platform_procedures = __esm({
|
|
|
4294
4294
|
priority: "p0",
|
|
4295
4295
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4296
4296
|
},
|
|
4297
|
+
{
|
|
4298
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4299
|
+
domain: "architecture",
|
|
4300
|
+
priority: "p1",
|
|
4301
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4302
|
+
},
|
|
4297
4303
|
// --- MCP is the ONLY data interface ---
|
|
4298
4304
|
{
|
|
4299
4305
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4338,6 +4338,12 @@ var init_platform_procedures = __esm({
|
|
|
4338
4338
|
priority: "p0",
|
|
4339
4339
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4340
4340
|
},
|
|
4341
|
+
{
|
|
4342
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4343
|
+
domain: "architecture",
|
|
4344
|
+
priority: "p1",
|
|
4345
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4346
|
+
},
|
|
4341
4347
|
// --- MCP is the ONLY data interface ---
|
|
4342
4348
|
{
|
|
4343
4349
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3610,6 +3610,12 @@ var init_platform_procedures = __esm({
|
|
|
3610
3610
|
priority: "p0",
|
|
3611
3611
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3612
3612
|
},
|
|
3613
|
+
{
|
|
3614
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3615
|
+
domain: "architecture",
|
|
3616
|
+
priority: "p1",
|
|
3617
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3618
|
+
},
|
|
3613
3619
|
// --- MCP is the ONLY data interface ---
|
|
3614
3620
|
{
|
|
3615
3621
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3610,6 +3610,12 @@ var init_platform_procedures = __esm({
|
|
|
3610
3610
|
priority: "p0",
|
|
3611
3611
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3612
3612
|
},
|
|
3613
|
+
{
|
|
3614
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3615
|
+
domain: "architecture",
|
|
3616
|
+
priority: "p1",
|
|
3617
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3618
|
+
},
|
|
3613
3619
|
// --- MCP is the ONLY data interface ---
|
|
3614
3620
|
{
|
|
3615
3621
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-status.js
CHANGED
|
@@ -4317,6 +4317,12 @@ var init_platform_procedures = __esm({
|
|
|
4317
4317
|
priority: "p0",
|
|
4318
4318
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4319
4319
|
},
|
|
4320
|
+
{
|
|
4321
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4322
|
+
domain: "architecture",
|
|
4323
|
+
priority: "p1",
|
|
4324
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4325
|
+
},
|
|
4320
4326
|
// --- MCP is the ONLY data interface ---
|
|
4321
4327
|
{
|
|
4322
4328
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/exe-team.js
CHANGED
|
@@ -4306,6 +4306,12 @@ var init_platform_procedures = __esm({
|
|
|
4306
4306
|
priority: "p0",
|
|
4307
4307
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4308
4308
|
},
|
|
4309
|
+
{
|
|
4310
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4311
|
+
domain: "architecture",
|
|
4312
|
+
priority: "p1",
|
|
4313
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4314
|
+
},
|
|
4309
4315
|
// --- MCP is the ONLY data interface ---
|
|
4310
4316
|
{
|
|
4311
4317
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/git-sweep.js
CHANGED
|
@@ -8063,6 +8063,12 @@ var init_platform_procedures = __esm({
|
|
|
8063
8063
|
priority: "p0",
|
|
8064
8064
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8065
8065
|
},
|
|
8066
|
+
{
|
|
8067
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
8068
|
+
domain: "architecture",
|
|
8069
|
+
priority: "p1",
|
|
8070
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
8071
|
+
},
|
|
8066
8072
|
// --- MCP is the ONLY data interface ---
|
|
8067
8073
|
{
|
|
8068
8074
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3523,6 +3523,12 @@ var init_platform_procedures = __esm({
|
|
|
3523
3523
|
priority: "p0",
|
|
3524
3524
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
3525
|
},
|
|
3526
|
+
{
|
|
3527
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3528
|
+
domain: "architecture",
|
|
3529
|
+
priority: "p1",
|
|
3530
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3531
|
+
},
|
|
3526
3532
|
// --- MCP is the ONLY data interface ---
|
|
3527
3533
|
{
|
|
3528
3534
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/graph-export.js
CHANGED
|
@@ -4295,6 +4295,12 @@ var init_platform_procedures = __esm({
|
|
|
4295
4295
|
priority: "p0",
|
|
4296
4296
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4297
4297
|
},
|
|
4298
|
+
{
|
|
4299
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4300
|
+
domain: "architecture",
|
|
4301
|
+
priority: "p1",
|
|
4302
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4303
|
+
},
|
|
4298
4304
|
// --- MCP is the ONLY data interface ---
|
|
4299
4305
|
{
|
|
4300
4306
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4404,6 +4404,12 @@ var init_platform_procedures = __esm({
|
|
|
4404
4404
|
priority: "p0",
|
|
4405
4405
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4406
4406
|
},
|
|
4407
|
+
{
|
|
4408
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4409
|
+
domain: "architecture",
|
|
4410
|
+
priority: "p1",
|
|
4411
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4412
|
+
},
|
|
4407
4413
|
// --- MCP is the ONLY data interface ---
|
|
4408
4414
|
{
|
|
4409
4415
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/scan-tasks.js
CHANGED
|
@@ -8134,6 +8134,12 @@ var init_platform_procedures = __esm({
|
|
|
8134
8134
|
priority: "p0",
|
|
8135
8135
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8136
8136
|
},
|
|
8137
|
+
{
|
|
8138
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
8139
|
+
domain: "architecture",
|
|
8140
|
+
priority: "p1",
|
|
8141
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
8142
|
+
},
|
|
8137
8143
|
// --- MCP is the ONLY data interface ---
|
|
8138
8144
|
{
|
|
8139
8145
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/bin/setup.js
CHANGED
|
@@ -718,20 +718,39 @@ async function getKeyStorageInfo() {
|
|
|
718
718
|
}
|
|
719
719
|
async function setMasterKey(key) {
|
|
720
720
|
const b64 = key.toString("base64");
|
|
721
|
-
|
|
722
|
-
|
|
721
|
+
let keychainOk = false;
|
|
722
|
+
if (macKeychainSet(b64)) {
|
|
723
|
+
const readBack = macKeychainGet();
|
|
724
|
+
if (readBack === b64) {
|
|
725
|
+
keychainOk = true;
|
|
726
|
+
} else {
|
|
727
|
+
process.stderr.write(
|
|
728
|
+
"[keychain] macOS Keychain write appeared to succeed but read-back failed.\n This can happen on macOS Tahoe with new permission patterns.\n"
|
|
729
|
+
);
|
|
730
|
+
}
|
|
731
|
+
} else if (linuxSecretSet(b64)) {
|
|
732
|
+
const readBack = linuxSecretGet();
|
|
733
|
+
if (readBack === b64) {
|
|
734
|
+
keychainOk = true;
|
|
735
|
+
} else {
|
|
736
|
+
process.stderr.write("[keychain] Linux secret-tool write appeared to succeed but read-back failed.\n");
|
|
737
|
+
}
|
|
723
738
|
}
|
|
724
|
-
|
|
725
|
-
|
|
726
|
-
|
|
727
|
-
|
|
728
|
-
|
|
729
|
-
|
|
739
|
+
if (!keychainOk) {
|
|
740
|
+
const keytar = await tryKeytar();
|
|
741
|
+
if (keytar) {
|
|
742
|
+
try {
|
|
743
|
+
await keytar.setPassword(SERVICE, ACCOUNT, b64);
|
|
744
|
+
keychainOk = true;
|
|
745
|
+
} catch {
|
|
746
|
+
}
|
|
730
747
|
}
|
|
731
748
|
}
|
|
732
749
|
const fallback = await writeMachineBoundFileFallback(b64);
|
|
733
|
-
if (
|
|
734
|
-
process.stderr.write("[keychain] Key stored
|
|
750
|
+
if (keychainOk) {
|
|
751
|
+
process.stderr.write("[keychain] Key stored in OS keychain (file backup also written).\n");
|
|
752
|
+
} else if (fallback === "encrypted") {
|
|
753
|
+
process.stderr.write("[keychain] Key stored encrypted (machine-bound file fallback).\n");
|
|
735
754
|
} else {
|
|
736
755
|
process.stderr.write(
|
|
737
756
|
"[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
|
|
@@ -6705,6 +6724,12 @@ var init_platform_procedures = __esm({
|
|
|
6705
6724
|
priority: "p0",
|
|
6706
6725
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
6707
6726
|
},
|
|
6727
|
+
{
|
|
6728
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
6729
|
+
domain: "architecture",
|
|
6730
|
+
priority: "p1",
|
|
6731
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
6732
|
+
},
|
|
6708
6733
|
// --- MCP is the ONLY data interface ---
|
|
6709
6734
|
{
|
|
6710
6735
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -3523,6 +3523,12 @@ var init_platform_procedures = __esm({
|
|
|
3523
3523
|
priority: "p0",
|
|
3524
3524
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
3525
3525
|
},
|
|
3526
|
+
{
|
|
3527
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
3528
|
+
domain: "architecture",
|
|
3529
|
+
priority: "p1",
|
|
3530
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
3531
|
+
},
|
|
3526
3532
|
// --- MCP is the ONLY data interface ---
|
|
3527
3533
|
{
|
|
3528
3534
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/gateway/index.js
CHANGED
|
@@ -4963,6 +4963,12 @@ var init_platform_procedures = __esm({
|
|
|
4963
4963
|
priority: "p0",
|
|
4964
4964
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4965
4965
|
},
|
|
4966
|
+
{
|
|
4967
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4968
|
+
domain: "architecture",
|
|
4969
|
+
priority: "p1",
|
|
4970
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4971
|
+
},
|
|
4966
4972
|
// --- MCP is the ONLY data interface ---
|
|
4967
4973
|
{
|
|
4968
4974
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4705,6 +4705,12 @@ var init_platform_procedures = __esm({
|
|
|
4705
4705
|
priority: "p0",
|
|
4706
4706
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4707
4707
|
},
|
|
4708
|
+
{
|
|
4709
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4710
|
+
domain: "architecture",
|
|
4711
|
+
priority: "p1",
|
|
4712
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4713
|
+
},
|
|
4708
4714
|
// --- MCP is the ONLY data interface ---
|
|
4709
4715
|
{
|
|
4710
4716
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4388,6 +4388,12 @@ var init_platform_procedures = __esm({
|
|
|
4388
4388
|
priority: "p0",
|
|
4389
4389
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4390
4390
|
},
|
|
4391
|
+
{
|
|
4392
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4393
|
+
domain: "architecture",
|
|
4394
|
+
priority: "p1",
|
|
4395
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4396
|
+
},
|
|
4391
4397
|
// --- MCP is the ONLY data interface ---
|
|
4392
4398
|
{
|
|
4393
4399
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -8128,6 +8128,12 @@ var init_platform_procedures = __esm({
|
|
|
8128
8128
|
priority: "p0",
|
|
8129
8129
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8130
8130
|
},
|
|
8131
|
+
{
|
|
8132
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
8133
|
+
domain: "architecture",
|
|
8134
|
+
priority: "p1",
|
|
8135
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
8136
|
+
},
|
|
8131
8137
|
// --- MCP is the ONLY data interface ---
|
|
8132
8138
|
{
|
|
8133
8139
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4296,6 +4296,12 @@ var init_platform_procedures = __esm({
|
|
|
4296
4296
|
priority: "p0",
|
|
4297
4297
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4298
4298
|
},
|
|
4299
|
+
{
|
|
4300
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4301
|
+
domain: "architecture",
|
|
4302
|
+
priority: "p1",
|
|
4303
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4304
|
+
},
|
|
4299
4305
|
// --- MCP is the ONLY data interface ---
|
|
4300
4306
|
{
|
|
4301
4307
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/hooks/ingest.js
CHANGED
|
@@ -4472,6 +4472,12 @@ var init_platform_procedures = __esm({
|
|
|
4472
4472
|
priority: "p0",
|
|
4473
4473
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4474
4474
|
},
|
|
4475
|
+
{
|
|
4476
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4477
|
+
domain: "architecture",
|
|
4478
|
+
priority: "p1",
|
|
4479
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4480
|
+
},
|
|
4475
4481
|
// --- MCP is the ONLY data interface ---
|
|
4476
4482
|
{
|
|
4477
4483
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4297,6 +4297,12 @@ var init_platform_procedures = __esm({
|
|
|
4297
4297
|
priority: "p0",
|
|
4298
4298
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4299
4299
|
},
|
|
4300
|
+
{
|
|
4301
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4302
|
+
domain: "architecture",
|
|
4303
|
+
priority: "p1",
|
|
4304
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4305
|
+
},
|
|
4300
4306
|
// --- MCP is the ONLY data interface ---
|
|
4301
4307
|
{
|
|
4302
4308
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4297,6 +4297,12 @@ var init_platform_procedures = __esm({
|
|
|
4297
4297
|
priority: "p0",
|
|
4298
4298
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4299
4299
|
},
|
|
4300
|
+
{
|
|
4301
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4302
|
+
domain: "architecture",
|
|
4303
|
+
priority: "p1",
|
|
4304
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4305
|
+
},
|
|
4300
4306
|
// --- MCP is the ONLY data interface ---
|
|
4301
4307
|
{
|
|
4302
4308
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4917,6 +4917,12 @@ var init_platform_procedures = __esm({
|
|
|
4917
4917
|
priority: "p0",
|
|
4918
4918
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4919
4919
|
},
|
|
4920
|
+
{
|
|
4921
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4922
|
+
domain: "architecture",
|
|
4923
|
+
priority: "p1",
|
|
4924
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4925
|
+
},
|
|
4920
4926
|
// --- MCP is the ONLY data interface ---
|
|
4921
4927
|
{
|
|
4922
4928
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4548,6 +4548,12 @@ var init_platform_procedures = __esm({
|
|
|
4548
4548
|
priority: "p0",
|
|
4549
4549
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4550
4550
|
},
|
|
4551
|
+
{
|
|
4552
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4553
|
+
domain: "architecture",
|
|
4554
|
+
priority: "p1",
|
|
4555
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4556
|
+
},
|
|
4551
4557
|
// --- MCP is the ONLY data interface ---
|
|
4552
4558
|
{
|
|
4553
4559
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -8112,6 +8112,12 @@ var init_platform_procedures = __esm({
|
|
|
8112
8112
|
priority: "p0",
|
|
8113
8113
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8114
8114
|
},
|
|
8115
|
+
{
|
|
8116
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
8117
|
+
domain: "architecture",
|
|
8118
|
+
priority: "p1",
|
|
8119
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
8120
|
+
},
|
|
8115
8121
|
// --- MCP is the ONLY data interface ---
|
|
8116
8122
|
{
|
|
8117
8123
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -5248,6 +5248,12 @@ var init_platform_procedures = __esm({
|
|
|
5248
5248
|
priority: "p0",
|
|
5249
5249
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
5250
5250
|
},
|
|
5251
|
+
{
|
|
5252
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
5253
|
+
domain: "architecture",
|
|
5254
|
+
priority: "p1",
|
|
5255
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
5256
|
+
},
|
|
5251
5257
|
// --- MCP is the ONLY data interface ---
|
|
5252
5258
|
{
|
|
5253
5259
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4705,6 +4705,12 @@ var init_platform_procedures = __esm({
|
|
|
4705
4705
|
priority: "p0",
|
|
4706
4706
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4707
4707
|
},
|
|
4708
|
+
{
|
|
4709
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4710
|
+
domain: "architecture",
|
|
4711
|
+
priority: "p1",
|
|
4712
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4713
|
+
},
|
|
4708
4714
|
// --- MCP is the ONLY data interface ---
|
|
4709
4715
|
{
|
|
4710
4716
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -8321,6 +8321,12 @@ var init_platform_procedures = __esm({
|
|
|
8321
8321
|
priority: "p0",
|
|
8322
8322
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
8323
8323
|
},
|
|
8324
|
+
{
|
|
8325
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
8326
|
+
domain: "architecture",
|
|
8327
|
+
priority: "p1",
|
|
8328
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
8329
|
+
},
|
|
8324
8330
|
// --- MCP is the ONLY data interface ---
|
|
8325
8331
|
{
|
|
8326
8332
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4705,6 +4705,12 @@ var init_platform_procedures = __esm({
|
|
|
4705
4705
|
priority: "p0",
|
|
4706
4706
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4707
4707
|
},
|
|
4708
|
+
{
|
|
4709
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4710
|
+
domain: "architecture",
|
|
4711
|
+
priority: "p1",
|
|
4712
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4713
|
+
},
|
|
4708
4714
|
// --- MCP is the ONLY data interface ---
|
|
4709
4715
|
{
|
|
4710
4716
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
package/dist/hooks/stop.js
CHANGED
|
@@ -4821,6 +4821,12 @@ var init_platform_procedures = __esm({
|
|
|
4821
4821
|
priority: "p0",
|
|
4822
4822
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4823
4823
|
},
|
|
4824
|
+
{
|
|
4825
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4826
|
+
domain: "architecture",
|
|
4827
|
+
priority: "p1",
|
|
4828
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4829
|
+
},
|
|
4824
4830
|
// --- MCP is the ONLY data interface ---
|
|
4825
4831
|
{
|
|
4826
4832
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|
|
@@ -4784,6 +4784,12 @@ var init_platform_procedures = __esm({
|
|
|
4784
4784
|
priority: "p0",
|
|
4785
4785
|
content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
|
|
4786
4786
|
},
|
|
4787
|
+
{
|
|
4788
|
+
title: "Cloud endpoint is cloud.askexe.com \u2014 not askexe.com/cloud",
|
|
4789
|
+
domain: "architecture",
|
|
4790
|
+
priority: "p1",
|
|
4791
|
+
content: "All cloud API calls (auth, sync, licensing, device registry, WebSocket) go to https://cloud.askexe.com, NOT https://askexe.com/cloud. This is a Cloudflare Workers Custom Domain that bypasses the zone-level managed challenge on askexe.com. Datacenter IPs (Hetzner, AWS, etc.) get HTTP 403 on askexe.com due to Bot Fight Mode, but cloud.askexe.com routes directly to the Worker before WAF rules evaluate. If a customer reports 403/challenge errors on cloud sync: verify they are on the latest exe-os version (cloud.askexe.com endpoint). Fix: `npm install -g @askexenow/exe-os@latest`. The EXE_CLOUD_ENDPOINT env var can override the endpoint if needed."
|
|
4792
|
+
},
|
|
4787
4793
|
// --- MCP is the ONLY data interface ---
|
|
4788
4794
|
{
|
|
4789
4795
|
title: "MCP disconnect \u2014 ask the user, never work around it",
|