@knowsuchagency/fulcrum 3.15.2 → 4.0.0

package/README.md

@@ -78,7 +78,7 @@ Every hour, your assistant reviews pending events, checks on blocked or overdue
 npx @knowsuchagency/fulcrum@latest up
 ```
 
-Fulcrum will check for dependencies (bun, dtach, AI agent CLI), offer to install any that are missing, and start the server on http://localhost:7777.
+Fulcrum will check for dependencies (bun, dtach, fnox, age, AI agent CLI), offer to install any that are missing, set up encrypted secret storage, and start the server on http://localhost:7777.
 
 ### Desktop App
 
@@ -216,7 +216,7 @@ A two-tier memory system gives agents both always-on context and on-demand recal
 
 ### System Monitoring
 
-Track CPU, memory, and disk usage while your agents work. Jobs is a top-level page (`/jobs`, Cmd+6) for managing systemd (Linux) or launchd (macOS) timers. The Messages tab under Monitoring shows all channel messages (WhatsApp, Discord, Telegram, Slack, Email) with filtering by channel and direction.
+Track CPU, memory, and disk usage while your agents work. Jobs is a top-level page (`/jobs`, Cmd+6) for managing systemd (Linux) or launchd (macOS) timers. The Messages tab under Monitoring shows all channel messages (WhatsApp, Discord, Telegram, Slack, Email) with filtering by channel and direction. The Observer tab tracks every observe-only message processing attempt with circuit breaker status, aggregate stats, and a filterable invocations list.
 
 ![System Monitoring](https://raw.githubusercontent.com/knowsuchagency/fulcrum/main/screenshots/system-monitoring-dark.png)
 
@@ -315,6 +315,8 @@ For browser-only access, use Tailscale or Cloudflare Tunnels to expose your serv
 <details>
 <summary><strong>Configuration</strong></summary>
 
+Sensitive credentials (API keys, tokens, webhook URLs) are encrypted using [fnox](https://github.com/yarlson/fnox) with age encryption. The age key and encrypted secrets live in the fulcrum directory (`age.txt` and `fnox.toml`). Non-sensitive settings are stored in `settings.json`. Existing plain-text secrets are automatically migrated to fnox on server start.
+
 Settings are stored in `.fulcrum/settings.json`. The fulcrum directory is resolved in this order:
 
 1. `FULCRUM_DIR` environment variable

package/bin/fulcrum.js

@@ -785,31 +785,31 @@ var init_prompt = __esm(() => {
 });
 
 // cli/src/utils/server.ts
-import { existsSync, readFileSync, writeFileSync, mkdirSync, cpSync } from "fs";
+import { existsSync, mkdirSync, cpSync } from "fs";
+import { execSync } from "child_process";
 import { join } from "path";
 import { homedir } from "os";
-function getPortFromSettings(settings) {
-  if (!settings)
-    return null;
-  if (settings.server?.port) {
-    return settings.server.port;
-  }
-  if (settings.port) {
-    return settings.port;
-  }
-  return null;
-}
 function expandPath(p) {
   if (p.startsWith("~/")) {
     return join(homedir(), p.slice(2));
   }
   return p;
 }
-function readSettingsFile(path) {
+function getPortFromFnox(fulcrumDir) {
+  const fnoxConfigPath = join(fulcrumDir, "fnox.toml");
+  const ageKeyPath = join(fulcrumDir, "age.txt");
+  if (!existsSync(fnoxConfigPath) || !existsSync(ageKeyPath))
+    return null;
   try {
-    if (existsSync(path)) {
-      const content = readFileSync(path, "utf-8");
-      return JSON.parse(content);
+    const value = execSync(`fnox get FULCRUM_SERVER_PORT -c "${fnoxConfigPath}" --if-missing ignore`, {
+      env: { ...process.env, FNOX_AGE_KEY_FILE: ageKeyPath },
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "ignore"]
+    }).trim();
+    if (value) {
+      const port = parseInt(value, 10);
+      if (!isNaN(port) && port > 0)
+        return port;
     }
   } catch {}
   return null;
@@ -825,44 +825,39 @@ function discoverServerUrl(urlOverride, portOverride) {
     return process.env.FULCRUM_URL;
   }
   if (process.env.FULCRUM_DIR) {
-    const fulcrumDirSettings = join(expandPath(process.env.FULCRUM_DIR), "settings.json");
-    const settings = readSettingsFile(fulcrumDirSettings);
-    const port = getPortFromSettings(settings);
-    if (port) {
-      return `http://localhost:${port}`;
-    }
-  }
-  const cwdSettings = join(process.cwd(), ".fulcrum", "settings.json");
-  const localSettings = readSettingsFile(cwdSettings);
-  const localPort = getPortFromSettings(localSettings);
-  if (localPort) {
-    return `http://localhost:${localPort}`;
-  }
-  const globalSettings = join(homedir(), ".fulcrum", "settings.json");
-  const homeSettings = readSettingsFile(globalSettings);
-  const homePort = getPortFromSettings(homeSettings);
-  if (homePort) {
-    return `http://localhost:${homePort}`;
-  }
+    const port2 = getPortFromFnox(expandPath(process.env.FULCRUM_DIR));
+    if (port2)
+      return `http://localhost:${port2}`;
+  }
+  const cwdFulcrum = join(process.cwd(), ".fulcrum");
+  if (existsSync(cwdFulcrum)) {
+    const port2 = getPortFromFnox(cwdFulcrum);
+    if (port2)
+      return `http://localhost:${port2}`;
+  }
+  const globalFulcrum = join(homedir(), ".fulcrum");
+  const port = getPortFromFnox(globalFulcrum);
+  if (port)
+    return `http://localhost:${port}`;
   return `http://localhost:${DEFAULT_PORT}`;
 }
 function updateSettingsPort(port) {
   const fulcrumDir = getFulcrumDir();
-  const settingsPath = join(fulcrumDir, "settings.json");
-  let settings = {};
-  try {
-    if (existsSync(settingsPath)) {
-      settings = JSON.parse(readFileSync(settingsPath, "utf-8"));
-    }
-  } catch {}
-  if (!settings.server || typeof settings.server !== "object") {
-    settings.server = {};
-  }
-  settings.server.port = port;
+  const fnoxConfigPath = join(fulcrumDir, "fnox.toml");
+  const ageKeyPath = join(fulcrumDir, "age.txt");
   if (!existsSync(fulcrumDir)) {
     mkdirSync(fulcrumDir, { recursive: true });
   }
-  writeFileSync(settingsPath, JSON.stringify(settings, null, 2), "utf-8");
+  if (!existsSync(fnoxConfigPath) || !existsSync(ageKeyPath)) {
+    return;
+  }
+  try {
+    execSync(`fnox set FULCRUM_SERVER_PORT -p plain -c "${fnoxConfigPath}"`, {
+      env: { ...process.env, FNOX_AGE_KEY_FILE: ageKeyPath },
+      input: String(port),
+      stdio: ["pipe", "ignore", "ignore"]
+    });
+  } catch {}
 }
 function getFulcrumDir() {
   if (process.env.FULCRUM_DIR) {
@@ -895,15 +890,6 @@ function migrateFromVibora() {
       mkdirSync(fulcrumDir, { recursive: true });
     }
     cpSync(viboraDir, fulcrumDir, { recursive: true });
-    const settingsPath = join(fulcrumDir, "settings.json");
-    if (existsSync(settingsPath)) {
-      try {
-        let content = readFileSync(settingsPath, "utf-8");
-        content = content.replace(/\.vibora/g, ".fulcrum");
-        content = content.replace(/vibora\.(db|log|pid)/g, "fulcrum.$1");
-        writeFileSync(settingsPath, content, "utf-8");
-      } catch {}
-    }
     const oldDbPath = join(fulcrumDir, "vibora.db");
     const newDbPath = join(fulcrumDir, "fulcrum.db");
     if (existsSync(oldDbPath) && !existsSync(newDbPath)) {
@@ -965,7 +951,7 @@ var init_errors = __esm(() => {
 });
 
 // cli/src/client.ts
-import { readFileSync as readFileSync2 } from "fs";
+import { readFileSync } from "fs";
 import { basename } from "path";
 
 class FulcrumClient {
@@ -1228,7 +1214,7 @@ class FulcrumClient {
     return this.fetch(`/api/tasks/${taskId}/attachments`);
   }
   async uploadTaskAttachment(taskId, filePath) {
-    const fileContent = readFileSync2(filePath);
+    const fileContent = readFileSync(filePath);
     const filename = basename(filePath);
     const formData = new FormData;
     const blob = new Blob([fileContent]);
@@ -1315,7 +1301,7 @@ class FulcrumClient {
     return this.fetch(`/api/projects/${projectId}/attachments`);
   }
   async uploadProjectAttachment(projectId, filePath) {
-    const fileContent = readFileSync2(filePath);
+    const fileContent = readFileSync(filePath);
     const filename = basename(filePath);
     const formData = new FormData;
     const blob = new Blob([fileContent]);
@@ -46466,7 +46452,7 @@ async function runMcpServer(urlOverride, portOverride) {
   const client = new FulcrumClient(urlOverride, portOverride);
   const server = new McpServer({
     name: "fulcrum",
-    version: "3.15.2"
+    version: "4.0.0"
   });
   registerTools(server, client);
   const transport = new StdioServerTransport;
@@ -48330,9 +48316,9 @@ var configCommand = defineCommand({
 // cli/src/commands/opencode.ts
 import {
   mkdirSync as mkdirSync2,
-  writeFileSync as writeFileSync2,
+  writeFileSync,
   existsSync as existsSync2,
-  readFileSync as readFileSync3,
+  readFileSync as readFileSync2,
   unlinkSync,
   copyFileSync,
   renameSync
@@ -48650,7 +48636,7 @@ async function installOpenCodeIntegration() {
   try {
     console.log("Installing OpenCode plugin...");
     mkdirSync2(PLUGIN_DIR, { recursive: true });
-    writeFileSync2(PLUGIN_PATH, fulcrum_opencode_default, "utf-8");
+    writeFileSync(PLUGIN_PATH, fulcrum_opencode_default, "utf-8");
     console.log("\u2713 Installed plugin at " + PLUGIN_PATH);
     console.log("Configuring MCP server...");
     const mcpConfigured = addMcpServer();
@@ -48699,7 +48685,7 @@ function addMcpServer() {
   let config = {};
   if (existsSync2(OPENCODE_CONFIG_PATH)) {
     try {
-      const content = readFileSync3(OPENCODE_CONFIG_PATH, "utf-8");
+      const content = readFileSync2(OPENCODE_CONFIG_PATH, "utf-8");
       config = JSON.parse(content);
     } catch {
       console.log("\u26A0 Could not parse existing opencode.json, skipping MCP configuration");
@@ -48722,7 +48708,7 @@ function addMcpServer() {
   };
   const tempPath = OPENCODE_CONFIG_PATH + ".tmp";
   try {
-    writeFileSync2(tempPath, JSON.stringify(config, null, 2), "utf-8");
+    writeFileSync(tempPath, JSON.stringify(config, null, 2), "utf-8");
     renameSync(tempPath, OPENCODE_CONFIG_PATH);
   } catch (error) {
     try {
@@ -48742,7 +48728,7 @@ function removeMcpServer() {
   }
   let config;
   try {
-    const content = readFileSync3(OPENCODE_CONFIG_PATH, "utf-8");
+    const content = readFileSync2(OPENCODE_CONFIG_PATH, "utf-8");
     config = JSON.parse(content);
   } catch {
     console.log("\u26A0 Could not parse opencode.json, skipping MCP removal");
@@ -48762,7 +48748,7 @@ function removeMcpServer() {
   }
   const tempPath = OPENCODE_CONFIG_PATH + ".tmp";
   try {
-    writeFileSync2(tempPath, JSON.stringify(config, null, 2), "utf-8");
+    writeFileSync(tempPath, JSON.stringify(config, null, 2), "utf-8");
     renameSync(tempPath, OPENCODE_CONFIG_PATH);
   } catch (error) {
     try {
@@ -48799,7 +48785,7 @@ var opencodeCommand = defineCommand({
 
 // cli/src/commands/claude.ts
 import { spawnSync } from "child_process";
-import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync3, existsSync as existsSync3, rmSync, readFileSync as readFileSync4 } from "fs";
+import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync2, existsSync as existsSync3, rmSync, readFileSync as readFileSync3 } from "fs";
 import { homedir as homedir3 } from "os";
 import { dirname, join as join3 } from "path";
 init_errors();
@@ -48815,7 +48801,7 @@ var marketplace_default = `{
       "name": "fulcrum",
       "source": "./",
       "description": "Task orchestration for Claude Code",
-      "version": "3.15.2",
+      "version": "4.0.0",
       "skills": [
         "./skills/fulcrum"
       ],
@@ -49335,7 +49321,7 @@ function getInstalledVersion() {
     return null;
   }
   try {
-    const installed = JSON.parse(readFileSync4(installedMarketplace, "utf-8"));
+    const installed = JSON.parse(readFileSync3(installedMarketplace, "utf-8"));
     return installed.plugins?.[0]?.version || null;
   } catch {
     return null;
@@ -49371,7 +49357,7 @@ async function installClaudePlugin(options = {}) {
     for (const file of PLUGIN_FILES) {
       const fullPath = join3(MARKETPLACE_DIR, file.path);
       mkdirSync3(dirname(fullPath), { recursive: true });
-      writeFileSync3(fullPath, file.content, "utf-8");
+      writeFileSync2(fullPath, file.content, "utf-8");
     }
     log("\u2713 Created plugin files at " + MARKETPLACE_DIR);
     runClaude(["plugin", "marketplace", "remove", MARKETPLACE_NAME]);
@@ -49658,14 +49644,14 @@ var notifyCommand = defineCommand({
 
 // cli/src/commands/up.ts
 import { spawn as spawn2 } from "child_process";
-import { existsSync as existsSync5 } from "fs";
-import { dirname as dirname3, join as join5 } from "path";
+import { existsSync as existsSync6 } from "fs";
+import { dirname as dirname3, join as join6 } from "path";
 import { fileURLToPath } from "url";
 init_errors();
 
 // cli/src/utils/process.ts
 init_server();
-import { existsSync as existsSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync4, unlinkSync as unlinkSync2, mkdirSync as mkdirSync4 } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync3, unlinkSync as unlinkSync2, mkdirSync as mkdirSync4 } from "fs";
 import { join as join4, dirname as dirname2 } from "path";
 function getPidPath() {
   return join4(getFulcrumDir(), "fulcrum.pid");
@@ -49676,13 +49662,13 @@ function writePid(pid) {
   if (!existsSync4(dir)) {
     mkdirSync4(dir, { recursive: true });
   }
-  writeFileSync4(pidPath, pid.toString(), "utf-8");
+  writeFileSync3(pidPath, pid.toString(), "utf-8");
 }
 function readPid() {
   const pidPath = getPidPath();
   try {
     if (existsSync4(pidPath)) {
-      const content = readFileSync5(pidPath, "utf-8").trim();
+      const content = readFileSync4(pidPath, "utf-8").trim();
       const pid = parseInt(content, 10);
       return isNaN(pid) ? null : pid;
     }
@@ -49738,7 +49724,7 @@ async function confirm(message) {
 init_server();
 
 // cli/src/utils/dependencies.ts
-import { execSync, spawnSync as spawnSync2 } from "child_process";
+import { execSync as execSync2, spawnSync as spawnSync2 } from "child_process";
 var DEPENDENCIES = [
   {
     name: "bun",
@@ -49801,13 +49787,34 @@ var DEPENDENCIES = [
       dnf: "sudo dnf install -y gh",
       pacman: "sudo pacman -S --noconfirm github-cli"
     }
+  },
+  {
+    name: "fnox",
+    command: "fnox",
+    description: "Encrypted secrets management",
+    required: true,
+    install: {
+      brew: "brew install fnox"
+    }
+  },
+  {
+    name: "age",
+    command: "age-keygen",
+    description: "Age encryption key generation",
+    required: true,
+    install: {
+      brew: "brew install age",
+      apt: "sudo apt install -y age",
+      dnf: "sudo dnf install -y age",
+      pacman: "sudo pacman -S --noconfirm age"
+    }
   }
 ];
 function detectPackageManager() {
   const managers = ["brew", "apt", "dnf", "pacman"];
   for (const pm of managers) {
     try {
-      execSync(`which ${pm}`, { stdio: "ignore" });
+      execSync2(`which ${pm}`, { stdio: "ignore" });
       return pm;
     } catch {}
   }
@@ -49815,7 +49822,7 @@ function detectPackageManager() {
 }
 function isCommandInstalled(command) {
   try {
-    execSync(`which ${command}`, { stdio: "ignore" });
+    execSync2(`which ${command}`, { stdio: "ignore" });
     return true;
   } catch {}
   return isShellAlias(command);
@@ -49824,7 +49831,7 @@ function isShellAlias(command) {
   const shell = process.env.SHELL || "/bin/bash";
   const shellName = shell.split("/").pop() || "bash";
   try {
-    execSync(`${shellName} -ic "type ${command}" 2>/dev/null`, { stdio: "ignore" });
+    execSync2(`${shellName} -ic "type ${command}" 2>/dev/null`, { stdio: "ignore" });
     return true;
   } catch {
     return false;
@@ -49832,14 +49839,14 @@ function isShellAlias(command) {
 }
 function getCommandVersion(command) {
   try {
-    const output2 = execSync(`${command} --version`, { encoding: "utf-8", stdio: ["pipe", "pipe", "ignore"] });
+    const output2 = execSync2(`${command} --version`, { encoding: "utf-8", stdio: ["pipe", "pipe", "ignore"] });
     return output2.trim().split(`
 `)[0];
   } catch {}
   const shell = process.env.SHELL || "/bin/bash";
   const shellName = shell.split("/").pop() || "bash";
   try {
-    const output2 = execSync(`${shellName} -ic "${command} --version" 2>/dev/null`, {
+    const output2 = execSync2(`${shellName} -ic "${command} --version" 2>/dev/null`, {
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "ignore"]
     });
@@ -49940,6 +49947,94 @@ function installUv() {
     return false;
   return installDependency(dep);
 }
+function isFnoxInstalled() {
+  return isCommandInstalled("fnox");
+}
+function installFnox() {
+  const dep = getDependency("fnox");
+  if (!dep)
+    return false;
+  return installDependency(dep);
+}
+function isAgeInstalled() {
+  return isCommandInstalled("age-keygen");
+}
+function installAge() {
+  const dep = getDependency("age");
+  if (!dep)
+    return false;
+  return installDependency(dep);
+}
+
+// cli/src/utils/fnox-setup.ts
+init_errors();
+import { execSync as execSync3 } from "child_process";
+import { existsSync as existsSync5, readFileSync as readFileSync5, writeFileSync as writeFileSync4, chmodSync } from "fs";
+import { join as join5 } from "path";
+function ensureFnoxSetup(fulcrumDir) {
+  const ageKeyPath = join5(fulcrumDir, "age.txt");
+  const fnoxConfigPath = join5(fulcrumDir, "fnox.toml");
+  let publicKey;
+  if (!existsSync5(ageKeyPath)) {
+    console.error("Generating age encryption key...");
+    try {
+      const output2 = execSync3(`age-keygen -o "${ageKeyPath}" 2>&1`, { encoding: "utf-8" });
+      const match = output2.match(/Public key: (age1\S+)/);
+      if (!match) {
+        throw new Error(`Could not parse public key from age-keygen output: ${output2}`);
+      }
+      publicKey = match[1];
+    } catch (err) {
+      throw new CliError("FNOX_SETUP_FAILED", `Failed to generate age key: ${err instanceof Error ? err.message : String(err)}`, ExitCodes.ERROR);
+    }
+    chmodSync(ageKeyPath, 384);
+    console.error("Age encryption key generated.");
+  } else {
+    const content = readFileSync5(ageKeyPath, "utf-8");
+    const match = content.match(/# public key: (age1\S+)/);
+    if (!match) {
+      throw new CliError("FNOX_SETUP_FAILED", `Could not parse public key from existing ${ageKeyPath}`, ExitCodes.ERROR);
+    }
+    publicKey = match[1];
+  }
+  if (!existsSync5(fnoxConfigPath)) {
+    console.error("Creating fnox configuration...");
+    const config = `[providers.plain]
+type = "plain"
+
+[providers.age]
+type = "age"
+recipients = ["${publicKey}"]
+`;
+    writeFileSync4(fnoxConfigPath, config, "utf-8");
+    console.error("fnox configuration created.");
+  } else {
+    const existingConfig = readFileSync5(fnoxConfigPath, "utf-8");
+    if (!existingConfig.includes("[providers.plain]")) {
+      const updatedConfig = `[providers.plain]
+type = "plain"
+
+${existingConfig}`;
+      writeFileSync4(fnoxConfigPath, updatedConfig, "utf-8");
+      console.error("Added plain provider to fnox configuration.");
+    }
+  }
+  const env2 = { ...process.env, FNOX_AGE_KEY_FILE: ageKeyPath };
+  const fnoxArgs = `-c "${fnoxConfigPath}"`;
+  try {
+    execSync3(`fnox set FULCRUM_SETUP_TEST test_value ${fnoxArgs}`, { env: env2, stdio: "ignore" });
+    const value = execSync3(`fnox get FULCRUM_SETUP_TEST ${fnoxArgs}`, { env: env2, encoding: "utf-8" }).trim();
+    execSync3(`fnox remove FULCRUM_SETUP_TEST ${fnoxArgs}`, { env: env2, stdio: "ignore" });
+    if (value !== "test_value") {
+      throw new Error(`Round-trip test failed: expected "test_value", got "${value}"`);
+    }
+  } catch (err) {
+    throw new CliError("FNOX_SETUP_FAILED", `fnox verification failed: ${err instanceof Error ? err.message : String(err)}
+` + `  Age key: ${ageKeyPath}
+` + `  Config: ${fnoxConfigPath}
+` + `  Ensure fnox and age are properly installed.`, ExitCodes.ERROR);
+  }
+}
 
 // cli/src/commands/update.ts
 import { spawn, spawnSync as spawnSync3 } from "child_process";
@@ -50019,7 +50114,7 @@ function compareVersions(v1, v2) {
 var package_default = {
   name: "@knowsuchagency/fulcrum",
   private: true,
-  version: "3.15.2",
+  version: "4.0.0",
   description: "Harness Attention. Orchestrate Agents. Ship.",
   license: "PolyForm-Perimeter-1.0.0",
   type: "module",
@@ -50295,7 +50390,7 @@ function getPackageRoot() {
   const currentFile = fileURLToPath(import.meta.url);
   let dir = dirname3(currentFile);
   for (let i2 = 0;i2 < 5; i2++) {
-    if (existsSync5(join5(dir, "server", "index.js"))) {
+    if (existsSync6(join6(dir, "server", "index.js"))) {
       return dir;
     }
     dir = dirname3(dir);
@@ -50377,6 +50472,38 @@ Found existing Vibora data at ${viboraDir}`);
       throw new CliError("MISSING_DEPENDENCY", `uv is required. Install manually: ${getInstallCommand(uvDep)}`, ExitCodes.ERROR);
     }
   }
+  if (!isFnoxInstalled()) {
+    const fnoxDep = getDependency("fnox");
+    const method = getInstallMethod(fnoxDep);
+    console.error("fnox is required for encrypted secrets management but is not installed.");
+    console.error("  fnox encrypts sensitive settings like API keys and tokens.");
+    const shouldInstall = autoYes || await confirm(`Would you like to install fnox via ${method}?`);
+    if (shouldInstall) {
+      const success = installFnox();
+      if (!success) {
+        throw new CliError("INSTALL_FAILED", "Failed to install fnox", ExitCodes.ERROR);
+      }
+      console.error("fnox installed successfully!");
+    } else {
+      throw new CliError("MISSING_DEPENDENCY", `fnox is required. Install manually: ${getInstallCommand(fnoxDep)}`, ExitCodes.ERROR);
+    }
+  }
+  if (!isAgeInstalled()) {
+    const ageDep = getDependency("age");
+    const method = getInstallMethod(ageDep);
+    console.error("age is required for encryption but is not installed.");
+    console.error("  age generates encryption keys used by fnox to encrypt secrets.");
+    const shouldInstall = autoYes || await confirm(`Would you like to install age via ${method}?`);
+    if (shouldInstall) {
+      const success = installAge();
+      if (!success) {
+        throw new CliError("INSTALL_FAILED", "Failed to install age", ExitCodes.ERROR);
+      }
+      console.error("age installed successfully!");
+    } else {
+      throw new CliError("MISSING_DEPENDENCY", `age is required. Install manually: ${getInstallCommand(ageDep)}`, ExitCodes.ERROR);
+    }
+  }
   if (isClaudeInstalled() && needsPluginUpdate()) {
     console.error("Updating Fulcrum plugin for Claude Code...");
     await installClaudePlugin({ silent: true });
@@ -50409,7 +50536,7 @@ Found existing Vibora data at ${viboraDir}`);
   }
   const host = flags.host ? "0.0.0.0" : "localhost";
   const packageRoot = getPackageRoot();
-  const serverPath = join5(packageRoot, "server", "index.js");
+  const serverPath = join6(packageRoot, "server", "index.js");
   const platform2 = process.platform;
   const arch = process.arch;
   let ptyLibName;
@@ -50420,8 +50547,9 @@ Found existing Vibora data at ${viboraDir}`);
   } else {
     ptyLibName = arch === "arm64" ? "librust_pty_arm64.so" : "librust_pty.so";
   }
-  const ptyLibPath = join5(packageRoot, "lib", ptyLibName);
+  const ptyLibPath = join6(packageRoot, "lib", ptyLibName);
   const fulcrumDir = getFulcrumDir();
+  ensureFnoxSetup(fulcrumDir);
   const debug = flags.debug === "true";
   console.error(`Starting Fulcrum server${debug ? " (debug mode)" : ""}...`);
   const serverProc = spawn2("bun", [serverPath], {
@@ -50436,6 +50564,8 @@ Found existing Vibora data at ${viboraDir}`);
       FULCRUM_PACKAGE_ROOT: packageRoot,
       FULCRUM_VERSION: package_default.version,
       BUN_PTY_LIB: ptyLibPath,
+      FNOX_AGE_KEY_FILE: join6(fulcrumDir, "age.txt"),
+      FULCRUM_FNOX_INSTALLED: "1",
       ...isClaudeInstalled() && { FULCRUM_CLAUDE_INSTALLED: "1" },
       ...isOpencodeInstalled() && { FULCRUM_OPENCODE_INSTALLED: "1" },
       ...debug && { LOG_LEVEL: "debug", DEBUG: "1" }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@knowsuchagency/fulcrum",
-  "version": "3.15.2",
+  "version": "4.0.0",
   "description": "Harness Attention. Orchestrate Agents. Ship.",
   "license": "PolyForm-Perimeter-1.0.0",
   "repository": {