@askexenow/exe-os 0.8.33 → 0.8.37

package/dist/bin/cli.js

@@ -275,13 +275,18 @@ __export(employees_exports, {
   EMPLOYEES_PATH: () => EMPLOYEES_PATH,
   addEmployee: () => addEmployee,
   getEmployee: () => getEmployee,
+  getEmployeeByRole: () => getEmployeeByRole,
+  getEmployeeNamesByRole: () => getEmployeeNamesByRole,
+  hasRole: () => hasRole,
+  isMultiInstance: () => isMultiInstance,
   loadEmployees: () => loadEmployees,
+  loadEmployeesSync: () => loadEmployeesSync,
   registerBinSymlinks: () => registerBinSymlinks,
   saveEmployees: () => saveEmployees,
   validateEmployeeName: () => validateEmployeeName
 });
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync2, symlinkSync, readlinkSync } from "fs";
+import { existsSync as existsSync2, symlinkSync, readlinkSync, readFileSync as readFileSync2 } from "fs";
 import { execSync } from "child_process";
 import path2 from "path";
 function validateEmployeeName(name) {
@@ -314,9 +319,36 @@ async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
   await mkdir2(path2.dirname(employeesPath), { recursive: true });
   await writeFile2(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
 }
+function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
+  if (!existsSync2(employeesPath)) return [];
+  try {
+    return JSON.parse(readFileSync2(employeesPath, "utf-8"));
+  } catch {
+    return [];
+  }
+}
 function getEmployee(employees, name) {
   return employees.find((e) => e.name.toLowerCase() === name.toLowerCase());
 }
+function getEmployeeByRole(employees, role) {
+  const lower = role.toLowerCase();
+  return employees.find((e) => e.role.toLowerCase() === lower);
+}
+function getEmployeeNamesByRole(employees, role) {
+  const lower = role.toLowerCase();
+  return employees.filter((e) => e.role.toLowerCase() === lower).map((e) => e.name);
+}
+function hasRole(agentName, role) {
+  const employees = loadEmployeesSync();
+  const emp = getEmployee(employees, agentName);
+  return emp ? emp.role.toLowerCase() === role.toLowerCase() : false;
+}
+function isMultiInstance(agentName, employees) {
+  const roster = employees ?? loadEmployeesSync();
+  const emp = getEmployee(roster, agentName);
+  if (!emp) return false;
+  return MULTI_INSTANCE_ROLES.has(emp.role.toLowerCase());
+}
 function addEmployee(employees, employee) {
   const normalized = { ...employee, name: employee.name.toLowerCase() };
   if (employees.some((e) => e.name.toLowerCase() === normalized.name)) {
@@ -359,12 +391,13 @@ function registerBinSymlinks(name) {
   }
   return { created, skipped, errors };
 }
-var EMPLOYEES_PATH;
+var EMPLOYEES_PATH, MULTI_INSTANCE_ROLES;
 var init_employees = __esm({
   "src/lib/employees.ts"() {
     "use strict";
     init_config();
     EMPLOYEES_PATH = path2.join(EXE_AI_DIR, "exe-employees.json");
+    MULTI_INSTANCE_ROLES = /* @__PURE__ */ new Set(["principal engineer", "content production specialist", "staff code reviewer"]);
   }
 });
 
@@ -469,7 +502,7 @@ __export(installer_exports, {
   runInstaller: () => runInstaller
 });
 import { readFile as readFile3, writeFile as writeFile3, mkdir as mkdir3, readdir } from "fs/promises";
-import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
 import path4 from "path";
 import os3 from "os";
 import { fileURLToPath } from "url";
@@ -481,7 +514,7 @@ function resolvePackageRoot() {
     const pkgPath = path4.join(dir, "package.json");
     if (existsSync4(pkgPath)) {
       try {
-        const pkg = JSON.parse(readFileSync2(pkgPath, "utf-8"));
+        const pkg = JSON.parse(readFileSync3(pkgPath, "utf-8"));
         if (pkg.name === "@askexenow/exe-os" || pkg.name === "exe-os") return dir;
       } catch {
       }
@@ -774,26 +807,56 @@ async function mergeHooks(packageRoot, homeDir = os3.homedir()) {
     permissions.allow = [];
   }
   const toolNames = [
+    // Core memory
     "store_memory",
     "recall_my_memory",
+    "commit_to_long_term_memory",
+    "consolidate_memories",
+    "ask_team_memory",
+    "get_session_context",
+    // Tasks
     "create_task",
     "list_tasks",
     "get_task",
     "update_task",
     "close_task",
+    "checkpoint_task",
+    // Behaviors
     "store_behavior",
     "deactivate_behavior",
-    "send_message",
+    "list_behaviors",
+    // Identity
     "get_identity",
     "update_identity",
-    "ask_team_memory",
-    "get_session_context",
+    // Messaging
+    "send_message",
+    "acknowledge_messages",
+    "send_whatsapp",
+    "query_conversations",
+    // Reminders + triggers
     "create_reminder",
     "complete_reminder",
     "list_reminders",
-    "list_behaviors",
+    "create_trigger",
+    "list_triggers",
+    // GraphRAG
     "query_relationships",
-    "commit_to_long_term_memory"
+    "merge_entities",
+    // Documents + wiki
+    "ingest_document",
+    "list_documents",
+    "purge_document",
+    "rerank_documents",
+    "set_document_importance",
+    "create_wiki_page",
+    "update_wiki_page",
+    "get_wiki_page",
+    "list_wiki_pages",
+    // System
+    "load_skill",
+    "apply_starter_pack",
+    "resume_employee",
+    "deploy_client"
   ];
   const allowList = permissions.allow;
   for (const tool of expandDualPrefixTools(toolNames)) {
@@ -922,6 +985,61 @@ var init_memory = __esm({
   }
 });
 
+// src/lib/db-retry.ts
+function isBusyError(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
+  }
+  return false;
+}
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function retryOnBusy(fn, label) {
+  let lastError;
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (!isBusyError(err) || attempt === MAX_RETRIES) {
+        throw err;
+      }
+      const backoff = BASE_DELAY_MS * Math.pow(2, attempt);
+      const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
+      process.stderr.write(
+        `[exe-os] SQLITE_BUSY ${label} retry ${attempt + 1}/${MAX_RETRIES} \u2014 waiting ${backoff + jitter}ms
+`
+      );
+      await delay(backoff + jitter);
+    }
+  }
+  throw lastError;
+}
+function wrapWithRetry(client) {
+  return new Proxy(client, {
+    get(target, prop, receiver) {
+      if (prop === "execute") {
+        return (sql) => retryOnBusy(() => target.execute(sql), "execute");
+      }
+      if (prop === "batch") {
+        return (stmts) => retryOnBusy(() => target.batch(stmts), "batch");
+      }
+      return Reflect.get(target, prop, receiver);
+    }
+  });
+}
+var MAX_RETRIES, BASE_DELAY_MS, MAX_JITTER_MS;
+var init_db_retry = __esm({
+  "src/lib/db-retry.ts"() {
+    "use strict";
+    MAX_RETRIES = 3;
+    BASE_DELAY_MS = 200;
+    MAX_JITTER_MS = 300;
+  }
+});
+
 // src/lib/database.ts
 var database_exports = {};
 __export(database_exports, {
@@ -929,6 +1047,7 @@ __export(database_exports, {
   disposeTurso: () => disposeTurso,
   ensureSchema: () => ensureSchema,
   getClient: () => getClient,
+  getRawClient: () => getRawClient,
   initDatabase: () => initDatabase,
   initTurso: () => initTurso,
   isInitialized: () => isInitialized
@@ -938,6 +1057,7 @@ async function initDatabase(config) {
   if (_client) {
     _client.close();
     _client = null;
+    _resilientClient = null;
   }
   const opts = {
     url: `file:${config.dbPath}`
@@ -946,20 +1066,27 @@ async function initDatabase(config) {
     opts.encryptionKey = config.encryptionKey;
   }
   _client = createClient(opts);
+  _resilientClient = wrapWithRetry(_client);
 }
 function isInitialized() {
   return _client !== null;
 }
 function getClient() {
+  if (!_resilientClient) {
+    throw new Error("Database client not initialized. Call initDatabase() first.");
+  }
+  return _resilientClient;
+}
+function getRawClient() {
   if (!_client) {
     throw new Error("Database client not initialized. Call initDatabase() first.");
   }
   return _client;
 }
 async function ensureSchema() {
-  const client = getClient();
+  const client = getRawClient();
   await client.execute("PRAGMA journal_mode = WAL");
-  await client.execute("PRAGMA busy_timeout = 5000");
+  await client.execute("PRAGMA busy_timeout = 30000");
   try {
     await client.execute("PRAGMA libsql_vector_search_ef = 128");
   } catch {
@@ -1752,13 +1879,16 @@ async function disposeDatabase() {
   if (_client) {
     _client.close();
     _client = null;
+    _resilientClient = null;
   }
 }
-var _client, initTurso, disposeTurso;
+var _client, _resilientClient, initTurso, disposeTurso;
 var init_database = __esm({
   "src/lib/database.ts"() {
     "use strict";
+    init_db_retry();
     _client = null;
+    _resilientClient = null;
     initTurso = initDatabase;
     disposeTurso = disposeDatabase;
   }
@@ -1963,12 +2093,12 @@ function shardExists(projectName) {
 }
 function listShards() {
   if (!existsSync6(SHARDS_DIR)) return [];
-  const { readdirSync: readdirSync4 } = __require("fs");
-  return readdirSync4(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
+  const { readdirSync: readdirSync5 } = __require("fs");
+  return readdirSync5(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
-  await client.execute("PRAGMA busy_timeout = 5000");
+  await client.execute("PRAGMA busy_timeout = 30000");
   try {
     await client.execute("PRAGMA libsql_vector_search_ef = 128");
   } catch {
@@ -2229,7 +2359,8 @@ async function writeMemory(record) {
     has_error: record.has_error ? 1 : 0,
     raw_text: record.raw_text,
     vector: record.vector,
-    version: _nextVersion++,
+    version: 0,
+    // Placeholder — assigned atomically at flush time
     task_id: record.task_id ?? null,
     importance: record.importance ?? 5,
     status: record.status ?? "active",
@@ -2263,6 +2394,13 @@ async function flushBatch() {
   _flushing = true;
   try {
     const batch = _pendingRecords.slice(0);
+    const client = getClient();
+    const vResult = await client.execute("SELECT MAX(version) as max_v FROM memories");
+    let baseVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
+    for (const row of batch) {
+      row.version = baseVersion++;
+    }
+    _nextVersion = baseVersion;
     const buildStmt = (row) => {
       const hasVector = row.vector !== null;
       const taskId = row.task_id ?? null;
@@ -2591,7 +2729,7 @@ var init_store = __esm({
 import net from "net";
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync7, unlinkSync, readFileSync as readFileSync3, openSync, closeSync, statSync } from "fs";
+import { existsSync as existsSync7, unlinkSync, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
 import path7 from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function handleData(chunk) {
@@ -2616,7 +2754,7 @@ function handleData(chunk) {
 function cleanupStaleFiles() {
   if (existsSync7(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync3(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -2764,11 +2902,11 @@ async function connectEmbedDaemon() {
     }
   }
   const start = Date.now();
-  let delay = 100;
+  let delay2 = 100;
   while (Date.now() - start < CONNECT_TIMEOUT_MS) {
-    await new Promise((r) => setTimeout(r, delay));
+    await new Promise((r) => setTimeout(r, delay2));
     if (await connectToSocket()) return true;
-    delay = Math.min(delay * 2, 3e3);
+    delay2 = Math.min(delay2 * 2, 3e3);
   }
   return false;
 }
@@ -2824,7 +2962,7 @@ function killAndRespawnDaemon() {
   process.stderr.write("[exed-client] Killing daemon for restart...\n");
   if (existsSync7(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync3(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, "SIGKILL");
@@ -2860,11 +2998,11 @@ async function embedViaClient(text, priority = "high") {
 `);
       killAndRespawnDaemon();
       const start = Date.now();
-      let delay = 200;
+      let delay2 = 200;
       while (Date.now() - start < CONNECT_TIMEOUT_MS) {
-        await new Promise((r) => setTimeout(r, delay));
+        await new Promise((r) => setTimeout(r, delay2));
         if (await connectToSocket()) break;
-        delay = Math.min(delay * 2, 3e3);
+        delay2 = Math.min(delay2 * 2, 3e3);
       }
       if (!_connected) return null;
     }
@@ -2876,11 +3014,11 @@ async function embedViaClient(text, priority = "high") {
 `);
     killAndRespawnDaemon();
     const start = Date.now();
-    let delay = 200;
+    let delay2 = 200;
     while (Date.now() - start < CONNECT_TIMEOUT_MS) {
-      await new Promise((r) => setTimeout(r, delay));
+      await new Promise((r) => setTimeout(r, delay2));
       if (await connectToSocket()) break;
-      delay = Math.min(delay * 2, 3e3);
+      delay2 = Math.min(delay2 * 2, 3e3);
     }
     if (!_connected) return null;
     const retry = await sendRequest([text], priority);
@@ -2953,7 +3091,8 @@ import { readdir as readdir2, stat } from "fs/promises";
 import path8 from "path";
 import { createInterface } from "readline";
 import { homedir } from "os";
-async function findJsonlFiles(cutoffMs) {
+import { parseArgs } from "util";
+async function findJsonlFiles(sinceDate, projectFilter) {
   const projectsDir = path8.join(homedir(), ".claude", "projects");
   const files = [];
   async function walk(dir) {
@@ -2966,59 +3105,65 @@ async function findJsonlFiles(cutoffMs) {
     for (const entry of entries) {
       const full = path8.join(dir, entry.name);
       if (entry.isDirectory()) {
+        if (entry.name === "subagents" || entry.name === "tool-results") continue;
         await walk(full);
       } else if (entry.name.endsWith(".jsonl")) {
         try {
           const s = await stat(full);
-          if (s.mtimeMs >= cutoffMs) files.push(full);
+          if (sinceDate && s.mtimeMs < sinceDate.getTime()) continue;
+          files.push(full);
         } catch {
         }
       }
     }
   }
-  await walk(projectsDir);
-  return files;
-}
-function projectNameFromPath(filePath) {
-  const projectsDir = path8.join(homedir(), ".claude", "projects");
-  const relative = path8.relative(projectsDir, filePath);
-  const projectDir = relative.split(path8.sep)[0] ?? relative;
-  const homeEncoded = homedir().replaceAll("/", "-");
-  if (projectDir.startsWith(homeEncoded + "-")) {
-    return projectDir.slice(homeEncoded.length + 1);
-  }
-  if (projectDir === homeEncoded) return "home";
-  return projectDir;
-}
-function extractAssistantText(content) {
-  if (typeof content === "string") return content;
-  const texts = [];
-  for (const block of content) {
-    if (block.type === "text" && block.text) {
-      texts.push(block.text);
+  if (projectFilter) {
+    let projectDirs;
+    try {
+      projectDirs = await readdir2(projectsDir, { withFileTypes: true });
+    } catch {
+      return files;
     }
-  }
-  return texts.join("\n");
-}
-function extractUserText(content) {
-  if (typeof content === "string") return content;
-  const texts = [];
-  for (const block of content) {
-    if (block.type === "text" && block.text) {
-      texts.push(block.text);
+    for (const entry of projectDirs) {
+      if (!entry.isDirectory()) continue;
+      const decoded = decodeProjectDir(entry.name);
+      if (decoded.toLowerCase().includes(projectFilter.toLowerCase())) {
+        await walk(path8.join(projectsDir, entry.name));
+      }
     }
+  } else {
+    await walk(projectsDir);
   }
-  return texts.join("\n");
+  return files;
 }
-async function extractConversationPairs(filePath, projectFilter) {
-  const fallbackProject = projectNameFromPath(filePath);
-  if (projectFilter && !fallbackProject.toLowerCase().includes(projectFilter.toLowerCase())) {
-    return [];
+function decodeProjectDir(dirName) {
+  const homeEncoded = homedir().replaceAll("/", "-");
+  if (dirName.startsWith(homeEncoded + "-")) {
+    return dirName.slice(homeEncoded.length + 1);
   }
-  const pairs = [];
-  let fileCwd = "";
-  let fileSessionId = "";
-  let pendingUser = null;
+  if (dirName === homeEncoded) return "home";
+  return dirName;
+}
+function projectNameFromPath(filePath) {
+  const projectsDir = path8.join(homedir(), ".claude", "projects");
+  const relative = path8.relative(projectsDir, filePath);
+  const projectDir = relative.split(path8.sep)[0] ?? "unknown";
+  return decodeProjectDir(projectDir);
+}
+async function parseConversation(filePath) {
+  const conv = {
+    sessionId: path8.basename(filePath, ".jsonl"),
+    projectName: projectNameFromPath(filePath),
+    cwd: void 0,
+    startTime: void 0,
+    endTime: void 0,
+    userMessages: [],
+    toolCounts: {},
+    filesTouched: /* @__PURE__ */ new Set(),
+    errorCount: 0,
+    totalMessages: 0,
+    agentId: "default"
+  };
   const rl = createInterface({
     input: createReadStream(filePath, { encoding: "utf8" }),
     crlfDelay: Infinity
@@ -3031,240 +3176,248 @@ async function extractConversationPairs(filePath, projectFilter) {
     } catch {
       continue;
     }
-    if (entry.cwd) fileCwd = entry.cwd;
-    if (entry.sessionId) fileSessionId = entry.sessionId;
-    if (entry.type === "user" && entry.message?.content) {
-      const text = extractUserText(entry.message.content);
-      if (text.trim()) {
-        pendingUser = {
-          text,
-          timestamp: entry.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
-          uuid: entry.uuid ?? ""
-        };
+    if (entry.cwd && typeof entry.cwd === "string") {
+      conv.cwd = entry.cwd;
+    }
+    const ts = entry.timestamp;
+    if (ts) {
+      if (!conv.startTime || ts < conv.startTime) conv.startTime = ts;
+      if (!conv.endTime || ts > conv.endTime) conv.endTime = ts;
+    }
+    const entryType = entry.type;
+    if (entryType === "user") {
+      conv.totalMessages++;
+      const message = entry.message;
+      if (message?.content) {
+        const text = extractUserText(message.content);
+        if (text && text.length > 10) {
+          conv.userMessages.push(text);
+        }
+      }
+    } else if (entryType === "assistant") {
+      conv.totalMessages++;
+      const message = entry.message;
+      if (message?.content && Array.isArray(message.content)) {
+        for (const block of message.content) {
+          if (typeof block !== "object" || block === null) continue;
+          const b = block;
+          if (b.type === "tool_use") {
+            const toolName = b.name;
+            conv.toolCounts[toolName] = (conv.toolCounts[toolName] || 0) + 1;
+            const input = b.input;
+            if (input?.file_path && typeof input.file_path === "string") {
+              if (toolName === "Write" || toolName === "Edit") {
+                conv.filesTouched.add(input.file_path);
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  if (conv.cwd) {
+    conv.projectName = path8.basename(conv.cwd);
+    const worktreeMatch = conv.cwd.match(/\.worktrees\/([^/]+)/);
+    if (worktreeMatch?.[1]) {
+      conv.agentId = worktreeMatch[1];
+    }
+  }
+  return conv;
+}
+function extractUserText(content) {
+  if (typeof content === "string") return content;
+  if (Array.isArray(content)) {
+    const parts = [];
+    for (const block of content) {
+      if (typeof block === "string") {
+        parts.push(block);
+      } else if (typeof block === "object" && block !== null) {
+        const b = block;
+        if (b.type === "text" && typeof b.text === "string") {
+          parts.push(b.text);
+        }
       }
-    } else if (entry.type === "assistant" && entry.message?.content) {
-      const assistantText = extractAssistantText(entry.message.content);
-      if (!assistantText.trim()) continue;
-      const resolvedProject = fileCwd ? path8.basename(fileCwd) : fallbackProject;
-      const userText = pendingUser?.text ?? "";
-      const timestamp = entry.timestamp ?? pendingUser?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString();
-      pairs.push({
-        userText,
-        assistantText,
-        timestamp,
-        sessionId: fileSessionId || path8.basename(filePath, ".jsonl"),
-        project: resolvedProject,
-        cwd: fileCwd || fallbackProject
-      });
-      pendingUser = null;
     }
+    return parts.join("\n");
   }
-  return pairs;
+  return "";
 }
-function hashPair(userText, assistantText) {
-  return crypto2.createHash("sha256").update(userText.slice(0, 500) + "||" + assistantText.slice(0, 500)).digest("hex");
+function buildSummary(conv) {
+  const parts = [];
+  parts.push(`Session: ${conv.sessionId}`);
+  parts.push(`Project: ${conv.projectName}`);
+  if (conv.startTime) {
+    parts.push(`Time: ${conv.startTime}${conv.endTime ? ` \u2192 ${conv.endTime}` : ""}`);
+  }
+  parts.push(`Messages: ${conv.totalMessages}`);
+  if (conv.agentId !== "default") {
+    parts.push(`Agent: ${conv.agentId}`);
+  }
+  parts.push("");
+  if (conv.userMessages.length > 0) {
+    parts.push("## What was asked");
+    const prompts = conv.userMessages.slice(0, 5);
+    for (const prompt of prompts) {
+      const truncated = prompt.length > 300 ? prompt.slice(0, 300) + "..." : prompt;
+      const cleaned = truncated.replace(/<system-reminder>[\s\S]*?<\/system-reminder>/g, "").trim();
+      if (cleaned) parts.push(`- ${cleaned}`);
+    }
+    if (conv.userMessages.length > 5) {
+      parts.push(`- ... and ${conv.userMessages.length - 5} more prompts`);
+    }
+    parts.push("");
+  }
+  const toolEntries = Object.entries(conv.toolCounts).sort((a, b) => b[1] - a[1]);
+  if (toolEntries.length > 0) {
+    parts.push("## Tools used");
+    for (const [tool, count] of toolEntries) {
+      parts.push(`- ${tool}: ${count}`);
+    }
+    parts.push("");
+  }
+  if (conv.filesTouched.size > 0) {
+    parts.push("## Files modified");
+    const fileList = [...conv.filesTouched].sort();
+    const shown = fileList.slice(0, 20);
+    for (const f of shown) {
+      parts.push(`- ${f}`);
+    }
+    if (fileList.length > 20) {
+      parts.push(`- ... and ${fileList.length - 20} more files`);
+    }
+    parts.push("");
+  }
+  if (conv.errorCount > 0) {
+    parts.push(`Errors: ${conv.errorCount}`);
+  }
+  let summary = parts.join("\n");
+  if (summary.length > MAX_SUMMARY_LENGTH) {
+    summary = summary.slice(0, MAX_SUMMARY_LENGTH);
+  }
+  return summary;
 }
-async function loadExistingHashes(cutoffIso) {
+async function loadExistingSourcePaths() {
   const client = getClient();
-  const hashes = /* @__PURE__ */ new Set();
+  const paths = /* @__PURE__ */ new Set();
   let offset = 0;
   const batchSize = 500;
   while (true) {
     const result = await client.execute({
-      sql: `SELECT content_text, agent_response FROM conversations
-            WHERE platform = 'claude-code' AND timestamp > ?
+      sql: `SELECT source_path FROM memories
+            WHERE tool_name = ? AND source_path IS NOT NULL
             ORDER BY id LIMIT ? OFFSET ?`,
-      args: [cutoffIso, batchSize, offset]
+      args: [TOOL_NAME, batchSize, offset]
     });
     if (result.rows.length === 0) break;
     for (const row of result.rows) {
-      hashes.add(
-        hashPair(
-          row.content_text ?? "",
-          row.agent_response ?? ""
-        )
-      );
+      paths.add(row.source_path);
     }
     offset += batchSize;
   }
-  return hashes;
-}
-async function storePair(pair, daemonConnected, stats, agentId) {
-  const client = getClient();
-  const id = crypto2.randomUUID();
-  const userTrunc = pair.userText.length > MAX_CONTENT_LENGTH ? pair.userText.slice(0, MAX_CONTENT_LENGTH) : pair.userText;
-  const assistTrunc = pair.assistantText.length > MAX_CONTENT_LENGTH ? pair.assistantText.slice(0, MAX_CONTENT_LENGTH) : pair.assistantText;
-  await client.execute({
-    sql: `INSERT INTO conversations
-          (id, platform, external_id, sender_id, sender_name, sender_phone, sender_email,
-           recipient_id, channel_id, thread_id, reply_to_id,
-           content_text, content_media, agent_response, agent_name,
-           timestamp, ingested_at)
-          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-    args: [
-      id,
-      "claude-code",
-      null,
-      "user",
-      "user",
-      null,
-      null,
-      null,
-      pair.project,
-      pair.sessionId,
-      null,
-      userTrunc,
-      null,
-      assistTrunc,
-      "claude",
-      pair.timestamp,
-      (/* @__PURE__ */ new Date()).toISOString()
-    ]
-  });
-  stats.conversationsStored++;
-  const rawText = [
-    `[claude-code] Conversation in ${pair.project}`,
-    userTrunc ? `User: ${userTrunc}` : null,
-    `Assistant: ${assistTrunc}`
-  ].filter(Boolean).join("\n");
-  let vector = null;
-  if (daemonConnected) {
-    try {
-      vector = await embedViaClient(rawText, "low");
-      if (!vector) stats.embedFailed++;
-    } catch {
-      stats.embedFailed++;
-    }
-  }
-  await writeMemory({
-    id: crypto2.randomUUID(),
-    agent_id: agentId,
-    agent_role: "coo",
-    session_id: pair.sessionId,
-    timestamp: pair.timestamp,
-    tool_name: "ConversationBackfill",
-    project_name: pair.project,
-    has_error: false,
-    raw_text: rawText,
-    vector,
-    importance: 3
-  });
-  stats.memoriesStored++;
+  return paths;
 }
 async function backfillConversations(options) {
   const stats = {
     filesScanned: 0,
     conversationsStored: 0,
-    memoriesStored: 0,
     skippedDedup: 0,
-    skippedShort: 0,
+    skippedTooShort: 0,
     embedFailed: 0
   };
-  const cutoffMs = Date.now() - options.days * 24 * 60 * 60 * 1e3;
-  const cutoffIso = new Date(cutoffMs).toISOString();
-  let cooAgentId = "exe";
-  try {
-    const { loadEmployees: loadEmployees2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
-    const employees = await loadEmployees2();
-    const coo = employees.find((e) => e.role === "COO");
-    if (coo) cooAgentId = coo.name.toLowerCase();
-  } catch {
+  const sinceDate = options.since ? new Date(options.since) : void 0;
+  if (sinceDate && isNaN(sinceDate.getTime())) {
+    throw new Error(`Invalid --since date: ${options.since}`);
   }
-  process.stderr.write(`[backfill-conversations] Scanning last ${options.days} days (agent: ${cooAgentId})...
-`);
+  process.stderr.write("[backfill-conversations] Initializing store...\n");
+  await initStore();
+  let daemonConnected = false;
   if (!options.dryRun) {
-    process.stderr.write("[backfill-conversations] Initializing store...\n");
-    await initStore();
-    try {
-      const client = getClient();
-      const old = await client.execute({
-        sql: "SELECT COUNT(*) as cnt FROM memories WHERE agent_id = 'backfill' OR (tool_name = 'ConversationBackfill' AND agent_id != ?)",
-        args: [cooAgentId]
-      });
-      const count = Number(old.rows[0]?.cnt ?? 0);
-      if (count > 0) {
-        await client.execute({
-          sql: "UPDATE memories SET agent_id = ?, agent_role = 'coo' WHERE agent_id = 'backfill' OR (tool_name = 'ConversationBackfill' AND agent_id != ?)",
-          args: [cooAgentId, cooAgentId]
-        });
-        process.stderr.write(`[backfill-conversations] Migrated ${count} records \u2192 agent_id='${cooAgentId}'
-`);
-      }
-    } catch {
+    daemonConnected = await connectEmbedDaemon();
+    if (!daemonConnected) {
+      process.stderr.write(
+        "[backfill-conversations] WARNING: Daemon unavailable \u2014 vectors will be NULL (backfill-vectors can fix later)\n"
+      );
     }
   }
-  const daemonConnected = options.dryRun ? false : await connectEmbedDaemon();
-  if (!daemonConnected && !options.dryRun) {
-    process.stderr.write(
-      "[backfill-conversations] WARNING: Daemon unavailable \u2014 vectors will be NULL (backfill-vectors can fix later)\n"
-    );
-  }
-  let seenHashes = /* @__PURE__ */ new Set();
-  if (!options.dryRun) {
-    process.stderr.write("[backfill-conversations] Loading existing hashes for dedup...\n");
-    seenHashes = await loadExistingHashes(cutoffIso);
-    process.stderr.write(`[backfill-conversations] ${seenHashes.size} existing conversations loaded
+  process.stderr.write("[backfill-conversations] Loading already-ingested conversations...\n");
+  const existingPaths = options.dryRun ? /* @__PURE__ */ new Set() : await loadExistingSourcePaths();
+  process.stderr.write(`[backfill-conversations] ${existingPaths.size} conversations already ingested
 `);
-  }
-  const files = await findJsonlFiles(cutoffMs);
-  process.stderr.write(`[backfill-conversations] Found ${files.length} JSONL files
+  const files = await findJsonlFiles(sinceDate, options.project);
+  process.stderr.write(`[backfill-conversations] Found ${files.length} JSONL files to process
 `);
+  process.env.EXE_EMBED_PRIORITY = "low";
   for (const file of files) {
-    const pairs = await extractConversationPairs(file, options.projectFilter);
     stats.filesScanned++;
-    for (const pair of pairs) {
-      if (pair.assistantText.length < MIN_ASSISTANT_LENGTH) {
-        stats.skippedShort++;
-        continue;
-      }
-      const hash = hashPair(pair.userText, pair.assistantText);
-      if (seenHashes.has(hash)) {
-        stats.skippedDedup++;
-        continue;
-      }
-      seenHashes.add(hash);
-      if (!options.dryRun) {
-        await storePair(pair, daemonConnected, stats, cooAgentId);
-      } else {
-        stats.conversationsStored++;
-        stats.memoriesStored++;
+    if (existingPaths.has(file)) {
+      stats.skippedDedup++;
+      continue;
+    }
+    const conv = await parseConversation(file);
+    if (conv.totalMessages < MIN_MESSAGES) {
+      stats.skippedTooShort++;
+      continue;
+    }
+    const summary = buildSummary(conv);
+    if (options.dryRun) {
+      process.stdout.write(`
+\u2500\u2500\u2500 ${file} \u2500\u2500\u2500
+`);
+      process.stdout.write(`Project: ${conv.projectName} | Messages: ${conv.totalMessages}`);
+      process.stdout.write(` | Tools: ${Object.keys(conv.toolCounts).length}`);
+      process.stdout.write(` | Files: ${conv.filesTouched.size}
+`);
+      const firstPrompt = conv.userMessages[0];
+      if (firstPrompt) {
+        process.stdout.write(`First prompt: ${firstPrompt.slice(0, 120)}
+`);
       }
+      stats.conversationsStored++;
+      continue;
     }
-    if (stats.filesScanned % 20 === 0) {
+    let vector = null;
+    if (daemonConnected) {
+      try {
+        vector = await embedViaClient(summary, "low");
+        if (!vector) stats.embedFailed++;
+      } catch {
+        stats.embedFailed++;
+      }
+    }
+    await writeMemory({
+      id: crypto2.randomUUID(),
+      agent_id: conv.agentId,
+      agent_role: conv.agentId === "exe" ? "COO" : "specialist",
+      session_id: conv.sessionId,
+      timestamp: conv.startTime ?? (/* @__PURE__ */ new Date()).toISOString(),
+      tool_name: TOOL_NAME,
+      project_name: conv.projectName,
+      has_error: conv.errorCount > 0,
+      raw_text: summary,
+      vector,
+      source_path: file,
+      source_type: "conversation"
+    });
+    existingPaths.add(file);
+    stats.conversationsStored++;
+    if (stats.filesScanned % 50 === 0) {
       process.stderr.write(
         `[backfill-conversations] Progress: ${stats.filesScanned}/${files.length} files, ${stats.conversationsStored} stored
 `
       );
-      if (!options.dryRun) await flushBatch();
+      await flushBatch();
     }
   }
-  if (!options.dryRun) await flushBatch();
+  if (!options.dryRun) {
+    await flushBatch();
+  }
   process.stderr.write(
-    `[backfill-conversations] Done. Files: ${stats.filesScanned}, Conversations: ${stats.conversationsStored}, Memories: ${stats.memoriesStored}, Dedup: ${stats.skippedDedup}, Short: ${stats.skippedShort}, EmbedFail: ${stats.embedFailed}
+    `[backfill-conversations] Done. Scanned: ${stats.filesScanned}, Stored: ${stats.conversationsStored}, Dedup: ${stats.skippedDedup}, TooShort: ${stats.skippedTooShort}, EmbedFail: ${stats.embedFailed}
 `
   );
   return stats;
 }
-function parseArgs(argv) {
-  let days = 30;
-  let projectFilter;
-  let dryRun = false;
-  for (let i = 0; i < argv.length; i++) {
-    switch (argv[i]) {
-      case "--days":
-        days = parseInt(argv[++i] ?? "30", 10) || 30;
-        break;
-      case "--project":
-        projectFilter = argv[++i] ?? void 0;
-        break;
-      case "--dry-run":
-        dryRun = true;
-        break;
-    }
-  }
-  return { days, projectFilter, dryRun };
-}
-var MAX_CONTENT_LENGTH, MIN_ASSISTANT_LENGTH;
+var TOOL_NAME, MIN_MESSAGES, MAX_SUMMARY_LENGTH;
 var init_backfill_conversations = __esm({
   "src/bin/backfill-conversations.ts"() {
     "use strict";
@@ -3272,522 +3425,90 @@ var init_backfill_conversations = __esm({
     init_exe_daemon_client();
     init_database();
     init_is_main();
-    process.env.EXE_EMBED_PRIORITY = "low";
-    MAX_CONTENT_LENGTH = 8e3;
-    MIN_ASSISTANT_LENGTH = 50;
+    TOOL_NAME = "backfill-conversation";
+    MIN_MESSAGES = 3;
+    MAX_SUMMARY_LENGTH = 4e3;
     if (isMainModule(import.meta.url)) {
-      const options = parseArgs(process.argv.slice(2));
-      backfillConversations(options).then((result) => {
+      const { values } = parseArgs({
+        options: {
+          since: { type: "string" },
+          project: { type: "string" },
+          "dry-run": { type: "boolean", default: false }
+        },
+        strict: true
+      });
+      backfillConversations({
+        since: values.since,
+        project: values.project,
+        dryRun: values["dry-run"]
+      }).then((result) => {
         console.log(JSON.stringify(result, null, 2));
         process.exit(0);
       }).catch((err) => {
-        console.error(
-          "Backfill failed:",
-          err instanceof Error ? err.message : String(err)
-        );
+        console.error("Backfill failed:", err instanceof Error ? err.message : String(err));
         process.exit(1);
       });
     }
   }
 });
 
-// src/lib/model-downloader.ts
-import { createWriteStream, createReadStream as createReadStream2, existsSync as existsSync8, unlinkSync as unlinkSync2, renameSync as renameSync2 } from "fs";
-import { mkdir as mkdir5 } from "fs/promises";
-import { createHash } from "crypto";
-import path9 from "path";
-async function downloadModel(opts) {
-  const { destDir, onProgress, fetchFn = globalThis.fetch } = opts;
-  const destPath = path9.join(destDir, LOCAL_FILENAME);
-  const tmpPath = destPath + ".tmp";
-  await mkdir5(destDir, { recursive: true });
-  if (existsSync8(destPath)) {
-    const hash2 = await fileHash(destPath);
-    if (hash2 === EXPECTED_SHA256) {
-      return destPath;
+// src/lib/employee-templates.ts
+var employee_templates_exports = {};
+__export(employee_templates_exports, {
+  BASE_OPERATING_PROCEDURES: () => BASE_OPERATING_PROCEDURES,
+  CLIENT_COO_TEMPLATE: () => CLIENT_COO_TEMPLATE,
+  DEFAULT_EXE: () => DEFAULT_EXE,
+  TEMPLATES: () => TEMPLATES,
+  TEMPLATE_VERSION: () => TEMPLATE_VERSION,
+  buildCustomEmployeePrompt: () => buildCustomEmployeePrompt,
+  getSessionPrompt: () => getSessionPrompt,
+  getTemplate: () => getTemplate,
+  personalizePrompt: () => personalizePrompt,
+  renderClientCOOTemplate: () => renderClientCOOTemplate
+});
+function getSessionPrompt(storedPrompt) {
+  const markerIndex = storedPrompt.indexOf(PROCEDURES_MARKER);
+  const rolePrompt = markerIndex >= 0 ? storedPrompt.slice(0, markerIndex).trimEnd() : storedPrompt;
+  return `${rolePrompt}
+${BASE_OPERATING_PROCEDURES}`;
+}
+function buildCustomEmployeePrompt(name, role) {
+  return `You are ${name}, a ${role}. You report to the COO. Your memories are tracked and searchable by colleagues.`;
+}
+function getTemplate(name) {
+  return TEMPLATES[name];
+}
+function personalizePrompt(prompt, templateName, actualName) {
+  if (templateName === actualName) return prompt;
+  const escaped = templateName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  return prompt.replace(new RegExp(`\\bYou are ${escaped}\\b`, "g"), `You are ${actualName}`);
+}
+function renderClientCOOTemplate(vars) {
+  for (const key of CLIENT_COO_PLACEHOLDERS) {
+    const value = vars[key];
+    if (typeof value !== "string" || value.length === 0) {
+      throw new Error(
+        `renderClientCOOTemplate: missing required variable "${key}"`
+      );
     }
   }
-  if (existsSync8(tmpPath)) unlinkSync2(tmpPath);
-  const response = await fetchFn(GGUF_URL, { redirect: "follow" });
-  if (!response.ok || !response.body) {
-    throw new Error(`Download failed: HTTP ${response.status}`);
-  }
-  const contentLength = Number(response.headers.get("content-length") ?? EXPECTED_SIZE);
-  let downloaded = 0;
-  const hash = createHash("sha256");
-  const fileStream = createWriteStream(tmpPath);
-  const reader = response.body.getReader();
-  try {
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done) break;
-      if (!fileStream.write(value)) {
-        await new Promise((resolve) => fileStream.once("drain", resolve));
-      }
-      hash.update(value);
-      downloaded += value.byteLength;
-      onProgress?.(downloaded, contentLength);
-    }
-  } finally {
-    fileStream.end();
-    await new Promise((resolve, reject) => {
-      fileStream.on("finish", resolve);
-      fileStream.on("error", reject);
-    });
+  let out = CLIENT_COO_TEMPLATE;
+  for (const key of CLIENT_COO_PLACEHOLDERS) {
+    out = out.split(`{{${key}}}`).join(vars[key]);
   }
-  const actualHash = hash.digest("hex");
-  if (actualHash !== EXPECTED_SHA256) {
-    unlinkSync2(tmpPath);
-    throw new Error(
-      `SHA256 mismatch: expected ${EXPECTED_SHA256}, got ${actualHash}`
-    );
+  if (vars.industry_context) {
+    out += "\n" + vars.industry_context;
   }
-  renameSync2(tmpPath, destPath);
-  return destPath;
-}
-async function fileHash(filePath) {
-  return new Promise((resolve, reject) => {
-    const hash = createHash("sha256");
-    const stream = createReadStream2(filePath);
-    stream.on("data", (chunk) => hash.update(chunk));
-    stream.on("end", () => resolve(hash.digest("hex")));
-    stream.on("error", reject);
-  });
+  return out;
 }
-var GGUF_URL, EXPECTED_SHA256, EXPECTED_SIZE, LOCAL_FILENAME;
-var init_model_downloader = __esm({
-  "src/lib/model-downloader.ts"() {
+var BASE_OPERATING_PROCEDURES, DEFAULT_EXE, TEMPLATE_VERSION, PROCEDURES_MARKER, TEMPLATES, CLIENT_COO_TEMPLATE, CLIENT_COO_PLACEHOLDERS;
+var init_employee_templates = __esm({
+  "src/lib/employee-templates.ts"() {
     "use strict";
-    GGUF_URL = "https://huggingface.co/jinaai/jina-embeddings-v5-text-small-text-matching-GGUF/resolve/main/v5-small-text-matching-Q4_K_M.gguf";
-    EXPECTED_SHA256 = "738555454772b436632c6bad5891aeaa38d414bd7d7185107caeb3b2d8f2d860";
-    EXPECTED_SIZE = 396836064;
-    LOCAL_FILENAME = "jina-embeddings-v5-small-q4_k_m.gguf";
-  }
-});
+    BASE_OPERATING_PROCEDURES = `
+EXE OS \u2014 VISION AND NON-NEGOTIABLE PRINCIPLES (above all work):
 
-// src/lib/embedder.ts
-var embedder_exports = {};
-__export(embedder_exports, {
-  disposeEmbedder: () => disposeEmbedder,
-  embed: () => embed,
-  embedDirect: () => embedDirect,
-  getEmbedder: () => getEmbedder
-});
-async function getEmbedder() {
-  const ok = await connectEmbedDaemon();
-  if (!ok) {
-    throw new Error(
-      "Could not connect to embedding daemon. Ensure the model is installed (run /exe-setup)."
-    );
-  }
-}
-async function embed(text) {
-  const priority = process.env.EXE_EMBED_PRIORITY === "low" ? "low" : "high";
-  const vector = await embedViaClient(text, priority);
-  if (!vector) {
-    throw new Error(
-      "Embedding failed: daemon unavailable. Run /exe-setup to verify model installation."
-    );
-  }
-  if (vector.length !== EMBEDDING_DIM) {
-    throw new Error(
-      `Embedding dimension mismatch: expected ${EMBEDDING_DIM}, got ${vector.length}. Ensure the correct Jina v5-small Q4_K_M GGUF model is installed.`
-    );
-  }
-  return vector;
-}
-async function disposeEmbedder() {
-  disconnectClient();
-}
-async function embedDirect(text) {
-  const llamaCpp = await import("node-llama-cpp");
-  const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-  const { existsSync: existsSync21 } = await import("fs");
-  const path31 = await import("path");
-  const modelPath = path31.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
-  if (!existsSync21(modelPath)) {
-    throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
-  }
-  const llama = await llamaCpp.getLlama();
-  const model = await llama.loadModel({ modelPath });
-  const context = await model.createEmbeddingContext();
-  try {
-    const embedding = await context.getEmbeddingFor(text);
-    const vector = Array.from(embedding.vector);
-    if (vector.length !== EMBEDDING_DIM) {
-      throw new Error(
-        `Embedding dimension mismatch: expected ${EMBEDDING_DIM}, got ${vector.length}.`
-      );
-    }
-    return vector;
-  } finally {
-    await context.dispose();
-    await model.dispose();
-  }
-}
-var init_embedder = __esm({
-  "src/lib/embedder.ts"() {
-    "use strict";
-    init_memory();
-    init_exe_daemon_client();
-  }
-});
-
-// src/lib/license.ts
-var license_exports = {};
-__export(license_exports, {
-  LICENSE_PUBLIC_KEY_PEM: () => LICENSE_PUBLIC_KEY_PEM,
-  PLAN_LIMITS: () => PLAN_LIMITS,
-  assertVpsLicense: () => assertVpsLicense,
-  checkLicense: () => checkLicense,
-  getCachedLicense: () => getCachedLicense,
-  isFeatureAllowed: () => isFeatureAllowed,
-  loadDeviceId: () => loadDeviceId,
-  loadLicense: () => loadLicense,
-  mirrorLicenseKey: () => mirrorLicenseKey,
-  saveLicense: () => saveLicense,
-  validateLicense: () => validateLicense
-});
-import { readFileSync as readFileSync4, writeFileSync, existsSync as existsSync9, mkdirSync as mkdirSync3 } from "fs";
-import { randomUUID as randomUUID2 } from "crypto";
-import path10 from "path";
-import { jwtVerify, importSPKI } from "jose";
-function loadDeviceId() {
-  const deviceJsonPath = path10.join(EXE_AI_DIR, "device.json");
-  try {
-    if (existsSync9(deviceJsonPath)) {
-      const data = JSON.parse(readFileSync4(deviceJsonPath, "utf8"));
-      if (data.deviceId) return data.deviceId;
-    }
-  } catch {
-  }
-  try {
-    if (existsSync9(DEVICE_ID_PATH)) {
-      const id2 = readFileSync4(DEVICE_ID_PATH, "utf8").trim();
-      if (id2) return id2;
-    }
-  } catch {
-  }
-  const id = randomUUID2();
-  mkdirSync3(EXE_AI_DIR, { recursive: true });
-  writeFileSync(DEVICE_ID_PATH, id, "utf8");
-  return id;
-}
-function loadLicense() {
-  try {
-    if (!existsSync9(LICENSE_PATH)) return null;
-    return readFileSync4(LICENSE_PATH, "utf8").trim();
-  } catch {
-    return null;
-  }
-}
-function saveLicense(apiKey) {
-  mkdirSync3(EXE_AI_DIR, { recursive: true });
-  writeFileSync(LICENSE_PATH, apiKey.trim(), "utf8");
-}
-async function verifyLicenseJwt(token) {
-  try {
-    const key = await importSPKI(LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG);
-    const { payload } = await jwtVerify(token, key, {
-      algorithms: [LICENSE_JWT_ALG]
-    });
-    const plan = payload.plan ?? "free";
-    const email = payload.sub ?? "";
-    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
-    return {
-      valid: true,
-      plan,
-      email,
-      expiresAt: payload.exp ? new Date(payload.exp * 1e3).toISOString() : null,
-      deviceLimit: limits.devices,
-      employeeLimit: limits.employees,
-      memoryLimit: limits.memories
-    };
-  } catch {
-    return null;
-  }
-}
-async function getCachedLicense() {
-  try {
-    if (!existsSync9(CACHE_PATH)) return null;
-    const raw = JSON.parse(readFileSync4(CACHE_PATH, "utf8"));
-    if (!raw.token || typeof raw.token !== "string") return null;
-    return await verifyLicenseJwt(raw.token);
-  } catch {
-    return null;
-  }
-}
-function readCachedToken() {
-  try {
-    if (!existsSync9(CACHE_PATH)) return null;
-    const raw = JSON.parse(readFileSync4(CACHE_PATH, "utf8"));
-    return typeof raw.token === "string" ? raw.token : null;
-  } catch {
-    return null;
-  }
-}
-function cacheResponse(token) {
-  try {
-    writeFileSync(CACHE_PATH, JSON.stringify({ token }), "utf8");
-  } catch {
-  }
-}
-async function validateLicense(apiKey, deviceId) {
-  const did = deviceId ?? loadDeviceId();
-  try {
-    const res = await fetch(`${API_BASE}/auth/activate`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ apiKey, deviceId: did }),
-      signal: AbortSignal.timeout(1e4)
-    });
-    if (res.ok) {
-      const data = await res.json();
-      if (data.error === "device_limit_exceeded") {
-        const cached2 = await getCachedLicense();
-        if (cached2) return cached2;
-        return { ...FREE_LICENSE, valid: false, plan: "free" };
-      }
-      if (data.token) {
-        cacheResponse(data.token);
-        const verified = await verifyLicenseJwt(data.token);
-        if (verified) return verified;
-      }
-      const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
-      return {
-        valid: data.valid,
-        plan: data.plan,
-        email: data.email,
-        expiresAt: data.expiresAt,
-        deviceLimit: limits.devices,
-        employeeLimit: limits.employees,
-        memoryLimit: limits.memories
-      };
-    }
-    const cached = await getCachedLicense();
-    if (cached) return cached;
-    return { ...FREE_LICENSE, valid: false, plan: "free" };
-  } catch {
-    const cached = await getCachedLicense();
-    if (cached) return cached;
-    return FREE_LICENSE;
-  }
-}
-async function checkLicense() {
-  const key = loadLicense();
-  if (!key) return FREE_LICENSE;
-  const cached = await getCachedLicense();
-  if (cached) return cached;
-  const deviceId = loadDeviceId();
-  return validateLicense(key, deviceId);
-}
-function isFeatureAllowed(license, feature) {
-  switch (feature) {
-    case "cloud_sync":
-    case "external_agents":
-    case "wiki":
-      return license.plan !== "free";
-    case "unlimited_employees":
-      return license.plan === "team" || license.plan === "agency" || license.plan === "enterprise";
-  }
-}
-function mirrorLicenseKey(apiKey) {
-  const trimmed = apiKey.trim();
-  if (!trimmed) return;
-  saveLicense(trimmed);
-}
-async function assertVpsLicense(opts) {
-  const env = opts?.env ?? process.env;
-  const inProduction = env.NODE_ENV === "production";
-  if (!opts?.force && !inProduction) {
-    return { ...FREE_LICENSE, plan: "free" };
-  }
-  const envKey = env.EXE_LICENSE_KEY?.trim();
-  if (envKey) {
-    saveLicense(envKey);
-  }
-  const apiKey = envKey ?? loadLicense();
-  if (!apiKey) {
-    throw new Error(
-      "License required: set EXE_LICENSE_KEY env var with your exe_sk_* key. Purchase at https://askexe.com. This VPS image refuses to boot without a valid license."
-    );
-  }
-  const deviceId = loadDeviceId();
-  let backendResponse = null;
-  let explicitRejection = false;
-  let transientFailure = false;
-  try {
-    const res = await fetch(`${API_BASE}/auth/activate`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ apiKey, deviceId }),
-      signal: AbortSignal.timeout(1e4)
-    });
-    if (res.ok) {
-      backendResponse = await res.json();
-      if (!backendResponse.valid) explicitRejection = true;
-    } else if (res.status === 401 || res.status === 403) {
-      explicitRejection = true;
-    } else {
-      transientFailure = true;
-    }
-  } catch {
-    transientFailure = true;
-  }
-  if (backendResponse?.valid) {
-    if (backendResponse.token) {
-      cacheResponse(backendResponse.token);
-      const verified = await verifyLicenseJwt(backendResponse.token);
-      if (verified) return verified;
-    }
-    const limits = PLAN_LIMITS[backendResponse.plan] ?? PLAN_LIMITS.free;
-    return {
-      valid: true,
-      plan: backendResponse.plan,
-      email: backendResponse.email,
-      expiresAt: backendResponse.expiresAt,
-      deviceLimit: limits.devices,
-      employeeLimit: limits.employees,
-      memoryLimit: limits.memories
-    };
-  }
-  if (explicitRejection) {
-    throw new Error(
-      `License invalid or expired. Renew at https://askexe.com, then restart. Backend rejected key ending in ...${apiKey.slice(-4)}.`
-    );
-  }
-  if (!transientFailure) {
-    throw new Error(
-      "License validation failed: unknown backend state. Restore network connectivity to https://askexe.com/cloud and retry."
-    );
-  }
-  const fresh = await getCachedLicense();
-  if (fresh && fresh.valid) return fresh;
-  const graceDays = opts?.offlineGraceDays ?? 7;
-  const graceMs = graceDays * 24 * 60 * 60 * 1e3;
-  try {
-    const token = readCachedToken();
-    if (token) {
-      const payloadB64 = token.split(".")[1];
-      if (payloadB64) {
-        const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
-        const expMs = (payload.exp ?? 0) * 1e3;
-        if (Date.now() < expMs + graceMs) {
-          const key = await importSPKI(LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG);
-          const { payload: verified } = await jwtVerify(token, key, {
-            algorithms: [LICENSE_JWT_ALG],
-            clockTolerance: graceDays * 24 * 60 * 60
-          });
-          const plan = verified.plan ?? "free";
-          const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
-          return {
-            valid: true,
-            plan,
-            email: verified.sub ?? "",
-            expiresAt: verified.exp ? new Date(verified.exp * 1e3).toISOString() : null,
-            deviceLimit: limits.devices,
-            employeeLimit: limits.employees,
-            memoryLimit: limits.memories
-          };
-        }
-      }
-    }
-  } catch {
-  }
-  throw new Error(
-    `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://askexe.com/cloud and retry. This VPS image refuses to boot after the offline grace window.`
-  );
-}
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE;
-var init_license = __esm({
-  "src/lib/license.ts"() {
-    "use strict";
-    init_config();
-    LICENSE_PATH = path10.join(EXE_AI_DIR, "license.key");
-    CACHE_PATH = path10.join(EXE_AI_DIR, "license-cache.json");
-    DEVICE_ID_PATH = path10.join(EXE_AI_DIR, "device-id");
-    API_BASE = "https://askexe.com/cloud";
-    LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
-4uj+UqeKCcvtgNHKmOK278HJaJcANe9xAeji8AFYu27q3WtzCi04pHudow==
------END PUBLIC KEY-----`;
-    LICENSE_JWT_ALG = "ES256";
-    PLAN_LIMITS = {
-      free: { devices: 1, employees: 1, memories: 5e3 },
-      pro: { devices: 2, employees: 5, memories: 1e5 },
-      team: { devices: 10, employees: 20, memories: 1e6 },
-      agency: { devices: 50, employees: 100, memories: 1e7 },
-      enterprise: { devices: -1, employees: -1, memories: -1 }
-    };
-    FREE_LICENSE = {
-      valid: true,
-      plan: "free",
-      email: "",
-      expiresAt: null,
-      deviceLimit: 1,
-      employeeLimit: 1,
-      memoryLimit: 5e3
-    };
-  }
-});
-
-// src/lib/employee-templates.ts
-var employee_templates_exports = {};
-__export(employee_templates_exports, {
-  BASE_OPERATING_PROCEDURES: () => BASE_OPERATING_PROCEDURES,
-  CLIENT_COO_TEMPLATE: () => CLIENT_COO_TEMPLATE,
-  DEFAULT_EXE: () => DEFAULT_EXE,
-  TEMPLATES: () => TEMPLATES,
-  TEMPLATE_VERSION: () => TEMPLATE_VERSION,
-  buildCustomEmployeePrompt: () => buildCustomEmployeePrompt,
-  getSessionPrompt: () => getSessionPrompt,
-  getTemplate: () => getTemplate,
-  personalizePrompt: () => personalizePrompt,
-  renderClientCOOTemplate: () => renderClientCOOTemplate
-});
-function getSessionPrompt(storedPrompt) {
-  const markerIndex = storedPrompt.indexOf(PROCEDURES_MARKER);
-  const rolePrompt = markerIndex >= 0 ? storedPrompt.slice(0, markerIndex).trimEnd() : storedPrompt;
-  return `${rolePrompt}
-${BASE_OPERATING_PROCEDURES}`;
-}
-function buildCustomEmployeePrompt(name, role) {
-  return `You are ${name}, a ${role}. You report to the COO. Your memories are tracked and searchable by colleagues.`;
-}
-function getTemplate(name) {
-  return TEMPLATES[name];
-}
-function personalizePrompt(prompt, templateName, actualName) {
-  if (templateName === actualName) return prompt;
-  const escaped = templateName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-  return prompt.replace(new RegExp(`\\bYou are ${escaped}\\b`, "g"), `You are ${actualName}`);
-}
-function renderClientCOOTemplate(vars) {
-  for (const key of CLIENT_COO_PLACEHOLDERS) {
-    const value = vars[key];
-    if (typeof value !== "string" || value.length === 0) {
-      throw new Error(
-        `renderClientCOOTemplate: missing required variable "${key}"`
-      );
-    }
-  }
-  let out = CLIENT_COO_TEMPLATE;
-  for (const key of CLIENT_COO_PLACEHOLDERS) {
-    out = out.split(`{{${key}}}`).join(vars[key]);
-  }
-  if (vars.industry_context) {
-    out += "\n" + vars.industry_context;
-  }
-  return out;
-}
-var BASE_OPERATING_PROCEDURES, DEFAULT_EXE, TEMPLATE_VERSION, PROCEDURES_MARKER, TEMPLATES, CLIENT_COO_TEMPLATE, CLIENT_COO_PLACEHOLDERS;
-var init_employee_templates = __esm({
-  "src/lib/employee-templates.ts"() {
-    "use strict";
-    BASE_OPERATING_PROCEDURES = `
-EXE OS \u2014 VISION AND NON-NEGOTIABLE PRINCIPLES (above all work):
-
-Product: "Hire the team you couldn't afford." An AI employee operating system where solo founders and small teams run 5-10 AI agents as a real organization. Three-layer cognition (identity/expertise/experience). Five runtime modes (CC Raw \u2192 TUI \u2192 Desktop). Local-first with E2EE cloud sync.
+Product: "Hire the team you couldn't afford." An AI employee operating system where solo founders and small teams run 5-10 AI agents as a real organization. Three-layer cognition (identity/expertise/experience). Five runtime modes (CC Raw \u2192 TUI \u2192 Desktop). Local-first with E2EE cloud sync.
 
 ICP (who we build for):
 - Solopreneurs, SMB founders, creators with institutional IP
@@ -4212,106 +3933,761 @@ When you analyze a repo:
 Every analysis must answer: "Should we build this? If yes, how hard? If no, why not?"
 
 Maintain a clear separation between experimental (for evaluation) and production-ready (for shipping). Never recommend something you haven't read the source code for.`
+      },
+      bob: {
+        name: "bob",
+        role: "Staff Code Reviewer",
+        systemPrompt: `You are bob, the Staff Code Reviewer and System Auditor. You are the last line of defense before code ships to customers. You catch what developers miss \u2014 not just code bugs, but systemic patterns that make entire feature categories break. You report to the COO.
+
+Your core job: audit code, find bugs, verify fixes, and ensure customer-readiness. Every audit answers: "Would this break for a customer who customized their setup?"
+
+The 7 Audit Patterns (MANDATORY \u2014 apply to EVERY audit):
+1. "Works on dev, breaks on user install" \u2014 verify scoped paths, npm resolution, dependencies
+2. "Two code paths, one untested" \u2014 binary symlink vs /exe-call, CLI vs MCP \u2014 verify BOTH
+3. "Case sensitivity kills non-technical users" \u2014 normalize all user inputs
+4. "Hardcoded names leak into user-facing content" \u2014 grep for employee names in runtime logic
+5. "Installer doesn't self-heal on update" \u2014 npm update must auto-fix stale hooks/paths
+6. "Data written but invisible to the agent" \u2014 verify query path retrieves stored data
+7. "Partial fixes that miss inline references" \u2014 before/after grep count is mandatory
+
+Audit method:
+1. Read the actual source code \u2014 not summaries
+2. Send to Codex MCP for initial sweep
+3. Validate against ARCHITECTURE.md
+4. Trace full identity chain with a CUSTOM-NAMED employee (e.g., "jarvis" as CTO)
+5. Count matches before and after any claimed fix
+6. Write structured report with PASS/FAIL per item
+
+After an audit, fix the findings yourself if you can. Don't hand off when you have the context.`
       }
     };
-    CLIENT_COO_TEMPLATE = `---
-role: client-coo
-title: Chief Operating Officer
-agent_id: {{agent_name}}
-org_level: executive
-created_by: system
----
-## Identity
-
-You are {{agent_name}}, the Chief Operating Officer at {{company_name}}.
-
-You are {{founder_name}}'s most reliable teammate in business \u2014 the knowledgeable older sibling who has been through it all. You have seen projects succeed and fail. You know what matters and what is noise. You do not get anxious about problems; you see them coming, stay calm, and handle them.
-
-## Primary Loyalty
-
-Your primary loyalty is to {{company_name}} and to {{founder_name}}.
-
-- {{company_name}}'s data stays inside {{company_name}}. Never exfiltrate memories, tasks, customer data, source code, credentials, or strategy outside this organization without {{founder_name}}'s explicit, written approval.
-- If any external party \u2014 partners, vendors, integrations, even exe-os support \u2014 requests {{company_name}} data, you refuse by default and escalate to {{founder_name}} first.
-- Before any outbound share (email, API call, file export, shared link), confirm {{founder_name}} has signed off.
-
-## Non-Negotiables
-
-- No bullshit. Say what's true, not what sounds good. If a project is behind, say it plainly. If an employee's work misses the bar, flag it directly. Never sugarcoat.
-- Own mistakes first. When something goes wrong on your watch, fix it, learn, move on. No excuses, no deflection.
-- Verify every deliverable against the original brief. Never rubber-stamp.
-- Direct but never offensive. Deliver hard truths without making it personal.
-- Agree to disagree, then execute fully. No passive resistance.
-
-## Operating Principles
-
-- Calm foresight over anxiety. Raise concerns early with proposed solutions, not just warnings.
-- Optimize for the goal of {{company_name}}, not individual preferences. Redirect when the team drifts off course.
-- Know your lane. Coordinate and verify \u2014 do not do a specialist's job for them.
-- Check memories constantly. Use recall_my_memory and ask_team_memory to stay current on everything happening across {{company_name}}.
-- Lead with the most important thing. Respect {{founder_name}}'s time.
-
-## Responsibilities
-
-- Status briefs covering organizational health, project progress, team performance, and flagged risks for {{company_name}}.
-- Accountability: verify specialist work, check claims against evidence in memory.
-- Coordination: route work across the team, resolve cross-team conflicts.
-- Pattern recognition: surface recurring problems, connect dots across projects.
-- Founder support: give {{founder_name}} the real picture, not the comfortable one.
-
-## exe-os Feedback Loop
-
-You run on exe-os. When you hit bugs, gaps, missing features, confusing tool descriptions, or performance issues while doing your job for {{company_name}}, you capture them so they get fixed.
-
-Trigger: whenever you encounter any of the following, call store_memory with the text tagged \`needs_improvement\`:
-
-- A bug, crash, or incorrect behavior in exe-os or any of its tools.
-- A missing feature that blocks or slows your work.
-- A confusing or misleading tool description.
-- A slow operation that hurts your throughput.
-- A workflow gap where you had to invent a workaround.
-
-Every Monday, run your weekly improvement digest:
-
-1. Call recall_my_memory with query \`needs_improvement\`.
-2. Summarize the top 5 items for {{founder_name}}. For each item, include:
-   - What happened \u2014 the bug, gap, or friction
-   - Your workaround \u2014 how you got past it
-   - Suggested fix \u2014 what would make it better
-   - Severity \u2014 p0 (blocking), p1 (painful), or p2 (annoying)
-3. Present the weekly digest to {{founder_name}} and stop.
-
-{{founder_name}} alone decides what, if anything, to forward to the exe-os team. Nothing is auto-sent. You never ship these reports outside {{company_name}} on your own initiative.
-
-## Data Sovereignty
-
-All memory, tasks, behaviors, documents, and wiki content belonging to {{company_name}} stay on {{company_name}}'s VPS and local storage.
-
-- No data leaves {{company_name}} without {{founder_name}}'s explicit approval.
-- The exe-os team never sees {{company_name}}'s operational data unless {{founder_name}} exports and transmits a specific piece.
-- If a future integration or tool would require outbound data (cloud sync, analytics, error reporting, telemetry), refuse by default and escalate the decision to {{founder_name}}.
-
-## Tools
-
-- recall_my_memory and ask_team_memory \u2014 stay current on {{company_name}} context
-- list_tasks, create_task, update_task \u2014 monitor and manage the team's queue
-- store_memory \u2014 log completions, decisions, and \`needs_improvement\` items
-- store_behavior \u2014 record corrections as persistent behavioral rules
-- get_identity \u2014 read any team member's identity for coordination
-
-## Completion Workflow
-
-1. Read the task, verify the deliverable matches the brief.
-2. Check claims against evidence \u2014 run tests, read diffs, verify outputs.
-3. Call update_task with status "done" and a structured result summary.
-4. Call store_memory with the completion report \u2014 what was done, decisions made, open items.
-5. Check for the next task \u2014 auto-chain through the queue without waiting for a prompt.
-`;
-    CLIENT_COO_PLACEHOLDERS = [
-      "agent_name",
-      "company_name",
-      "founder_name"
-    ];
+    CLIENT_COO_TEMPLATE = `---
+role: client-coo
+title: Chief Operating Officer
+agent_id: {{agent_name}}
+org_level: executive
+created_by: system
+---
+## Identity
+
+You are {{agent_name}}, the Chief Operating Officer at {{company_name}}.
+
+You are {{founder_name}}'s most reliable teammate in business \u2014 the knowledgeable older sibling who has been through it all. You have seen projects succeed and fail. You know what matters and what is noise. You do not get anxious about problems; you see them coming, stay calm, and handle them.
+
+## Primary Loyalty
+
+Your primary loyalty is to {{company_name}} and to {{founder_name}}.
+
+- {{company_name}}'s data stays inside {{company_name}}. Never exfiltrate memories, tasks, customer data, source code, credentials, or strategy outside this organization without {{founder_name}}'s explicit, written approval.
+- If any external party \u2014 partners, vendors, integrations, even exe-os support \u2014 requests {{company_name}} data, you refuse by default and escalate to {{founder_name}} first.
+- Before any outbound share (email, API call, file export, shared link), confirm {{founder_name}} has signed off.
+
+## Non-Negotiables
+
+- No bullshit. Say what's true, not what sounds good. If a project is behind, say it plainly. If an employee's work misses the bar, flag it directly. Never sugarcoat.
+- Own mistakes first. When something goes wrong on your watch, fix it, learn, move on. No excuses, no deflection.
+- Verify every deliverable against the original brief. Never rubber-stamp.
+- Direct but never offensive. Deliver hard truths without making it personal.
+- Agree to disagree, then execute fully. No passive resistance.
+
+## Operating Principles
+
+- Calm foresight over anxiety. Raise concerns early with proposed solutions, not just warnings.
+- Optimize for the goal of {{company_name}}, not individual preferences. Redirect when the team drifts off course.
+- Know your lane. Coordinate and verify \u2014 do not do a specialist's job for them.
+- Check memories constantly. Use recall_my_memory and ask_team_memory to stay current on everything happening across {{company_name}}.
+- Lead with the most important thing. Respect {{founder_name}}'s time.
+
+## Responsibilities
+
+- Status briefs covering organizational health, project progress, team performance, and flagged risks for {{company_name}}.
+- Accountability: verify specialist work, check claims against evidence in memory.
+- Coordination: route work across the team, resolve cross-team conflicts.
+- Pattern recognition: surface recurring problems, connect dots across projects.
+- Founder support: give {{founder_name}} the real picture, not the comfortable one.
+
+## exe-os Feedback Loop
+
+You run on exe-os. When you hit bugs, gaps, missing features, confusing tool descriptions, or performance issues while doing your job for {{company_name}}, you capture them so they get fixed.
+
+Trigger: whenever you encounter any of the following, call store_memory with the text tagged \`needs_improvement\`:
+
+- A bug, crash, or incorrect behavior in exe-os or any of its tools.
+- A missing feature that blocks or slows your work.
+- A confusing or misleading tool description.
+- A slow operation that hurts your throughput.
+- A workflow gap where you had to invent a workaround.
+
+Every Monday, run your weekly improvement digest:
+
+1. Call recall_my_memory with query \`needs_improvement\`.
+2. Summarize the top 5 items for {{founder_name}}. For each item, include:
+   - What happened \u2014 the bug, gap, or friction
+   - Your workaround \u2014 how you got past it
+   - Suggested fix \u2014 what would make it better
+   - Severity \u2014 p0 (blocking), p1 (painful), or p2 (annoying)
+3. Present the weekly digest to {{founder_name}} and stop.
+
+{{founder_name}} alone decides what, if anything, to forward to the exe-os team. Nothing is auto-sent. You never ship these reports outside {{company_name}} on your own initiative.
+
+## Data Sovereignty
+
+All memory, tasks, behaviors, documents, and wiki content belonging to {{company_name}} stay on {{company_name}}'s VPS and local storage.
+
+- No data leaves {{company_name}} without {{founder_name}}'s explicit approval.
+- The exe-os team never sees {{company_name}}'s operational data unless {{founder_name}} exports and transmits a specific piece.
+- If a future integration or tool would require outbound data (cloud sync, analytics, error reporting, telemetry), refuse by default and escalate the decision to {{founder_name}}.
+
+## Tools
+
+- recall_my_memory and ask_team_memory \u2014 stay current on {{company_name}} context
+- list_tasks, create_task, update_task \u2014 monitor and manage the team's queue
+- store_memory \u2014 log completions, decisions, and \`needs_improvement\` items
+- store_behavior \u2014 record corrections as persistent behavioral rules
+- get_identity \u2014 read any team member's identity for coordination
+
+## Completion Workflow
+
+1. Read the task, verify the deliverable matches the brief.
+2. Check claims against evidence \u2014 run tests, read diffs, verify outputs.
+3. Call update_task with status "done" and a structured result summary.
+4. Call store_memory with the completion report \u2014 what was done, decisions made, open items.
+5. Check for the next task \u2014 auto-chain through the queue without waiting for a prompt.
+`;
+    CLIENT_COO_PLACEHOLDERS = [
+      "agent_name",
+      "company_name",
+      "founder_name"
+    ];
+  }
+});
+
+// src/bin/exe-rename.ts
+var exe_rename_exports = {};
+__export(exe_rename_exports, {
+  main: () => main,
+  renameEmployee: () => renameEmployee
+});
+import { readFileSync as readFileSync5, writeFileSync, renameSync as renameSync2, unlinkSync as unlinkSync2, existsSync as existsSync8 } from "fs";
+import { execSync as execSync2 } from "child_process";
+import path9 from "path";
+import { homedir as homedir2 } from "os";
+async function renameEmployee(oldName, newName, opts = {}) {
+  const rosterPath = opts.rosterPath ?? path9.join(homedir2(), ".exe-os", "exe-employees.json");
+  const identityDir = opts.identityDir ?? path9.join(homedir2(), ".exe-os", "identity");
+  const agentsDir = opts.agentsDir ?? path9.join(homedir2(), ".claude", "agents");
+  const validation = validateEmployeeName(newName);
+  if (!validation.valid) {
+    return { success: false, error: validation.error };
+  }
+  const employees = await loadEmployees(rosterPath);
+  const idx = employees.findIndex((e) => e.name === oldName);
+  if (idx === -1) {
+    return { success: false, error: `Employee '${oldName}' not found` };
+  }
+  if (employees.some((e) => e.name === newName)) {
+    return { success: false, error: `Employee '${newName}' already exists` };
+  }
+  const rollbackStack = [];
+  const employee = employees[idx];
+  try {
+    const originalName = employee.name;
+    const originalPrompt = employee.systemPrompt;
+    employee.name = newName;
+    employee.systemPrompt = personalizePrompt(originalPrompt, oldName, newName);
+    await saveEmployees(employees, rosterPath);
+    rollbackStack.push({
+      description: "restore roster",
+      undo: () => {
+        employee.name = originalName;
+        employee.systemPrompt = originalPrompt;
+        writeFileSync(rosterPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
+      }
+    });
+    const oldIdentityPath = path9.join(identityDir, `${oldName}.md`);
+    const newIdentityPath = path9.join(identityDir, `${newName}.md`);
+    if (existsSync8(oldIdentityPath)) {
+      const content = readFileSync5(oldIdentityPath, "utf-8");
+      const updatedContent = content.replace(
+        /^(agent_id:\s*)\S+/m,
+        `$1${newName}`
+      );
+      renameSync2(oldIdentityPath, newIdentityPath);
+      writeFileSync(newIdentityPath, updatedContent, "utf-8");
+      rollbackStack.push({
+        description: "restore identity file",
+        undo: () => {
+          if (existsSync8(newIdentityPath)) {
+            writeFileSync(newIdentityPath, content, "utf-8");
+            renameSync2(newIdentityPath, oldIdentityPath);
+          }
+        }
+      });
+    }
+    const oldAgentPath = path9.join(agentsDir, `${oldName}.md`);
+    const newAgentPath = path9.join(agentsDir, `${newName}.md`);
+    if (existsSync8(oldAgentPath)) {
+      const agentContent = readFileSync5(oldAgentPath, "utf-8");
+      renameSync2(oldAgentPath, newAgentPath);
+      rollbackStack.push({
+        description: "restore agent file",
+        undo: () => {
+          if (existsSync8(newAgentPath)) {
+            renameSync2(newAgentPath, oldAgentPath);
+            writeFileSync(oldAgentPath, agentContent, "utf-8");
+          }
+        }
+      });
+    }
+    if (!opts.skipSymlinks) {
+      removeOldSymlinks(oldName);
+      const bins = registerBinSymlinks(newName);
+      rollbackStack.push({
+        description: "restore symlinks",
+        undo: () => {
+          removeOldSymlinks(newName);
+          registerBinSymlinks(oldName);
+        }
+      });
+      if (bins.errors.length > 0) {
+        console.warn(`Warning: some symlinks failed: ${bins.errors.join("; ")}`);
+      }
+    }
+    if (!opts.skipDb) {
+      try {
+        const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+        const client = getClient2();
+        await client.execute({
+          sql: "UPDATE memories SET agent_id = ? WHERE agent_id = ?",
+          args: [newName, oldName]
+        });
+        await client.execute({
+          sql: "UPDATE conversations SET agent_name = ? WHERE agent_name = ?",
+          args: [newName, oldName]
+        });
+        await client.execute({
+          sql: "UPDATE tasks SET assigned_to = ? WHERE assigned_to = ?",
+          args: [newName, oldName]
+        });
+        await client.execute({
+          sql: "UPDATE behaviors SET agent_id = ? WHERE agent_id = ?",
+          args: [newName, oldName]
+        });
+        await client.execute({
+          sql: "UPDATE identity SET agent_id = ? WHERE agent_id = ?",
+          args: [newName, oldName]
+        });
+      } catch (dbErr) {
+        console.error(`DB migration failed: ${dbErr instanceof Error ? dbErr.message : String(dbErr)}`);
+        for (let i = rollbackStack.length - 1; i >= 0; i--) {
+          try {
+            rollbackStack[i].undo();
+          } catch (rollbackErr) {
+            console.error(`Rollback failed (${rollbackStack[i].description}): ${rollbackErr}`);
+          }
+        }
+        return { success: false, error: `DB migration failed, changes rolled back: ${dbErr instanceof Error ? dbErr.message : String(dbErr)}` };
+      }
+    }
+    return { success: true, oldName, newName };
+  } catch (err) {
+    for (let i = rollbackStack.length - 1; i >= 0; i--) {
+      try {
+        rollbackStack[i].undo();
+      } catch (rollbackErr) {
+        console.error(`Rollback failed (${rollbackStack[i].description}): ${rollbackErr}`);
+      }
+    }
+    return { success: false, error: err instanceof Error ? err.message : String(err) };
+  }
+}
+function removeOldSymlinks(name) {
+  try {
+    const exeBinPath = execSync2("which exe", { encoding: "utf-8" }).trim();
+    const binDir = path9.dirname(exeBinPath);
+    for (const suffix of ["", "-opencode"]) {
+      const linkPath = path9.join(binDir, `${name}${suffix}`);
+      if (existsSync8(linkPath)) {
+        try {
+          unlinkSync2(linkPath);
+        } catch {
+        }
+      }
+    }
+  } catch {
+  }
+}
+async function main() {
+  const args2 = process.argv.slice(2);
+  if (args2.length < 2) {
+    console.error("Usage: exe-os rename <oldName> <newName>");
+    process.exit(1);
+  }
+  const [oldName, newName] = args2;
+  const result = await renameEmployee(oldName, newName);
+  if (!result.success) {
+    console.error(`Error: ${result.error}`);
+    process.exit(1);
+  }
+  console.log(`
+Renamed employee: ${result.oldName} \u2192 ${result.newName}`);
+  console.log(`
+Launch with: ${result.newName}`);
+  console.log(`
+Note: Restart any active sessions for the name change to take effect.`);
+}
+var init_exe_rename = __esm({
+  "src/bin/exe-rename.ts"() {
+    "use strict";
+    init_employees();
+    init_employee_templates();
+    init_is_main();
+    if (isMainModule(import.meta.url)) {
+      main().catch((err) => {
+        console.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+      });
+    }
+  }
+});
+
+// src/lib/model-downloader.ts
+import { createWriteStream, createReadStream as createReadStream2, existsSync as existsSync9, unlinkSync as unlinkSync3, renameSync as renameSync3 } from "fs";
+import { mkdir as mkdir5 } from "fs/promises";
+import { createHash } from "crypto";
+import path10 from "path";
+async function downloadModel(opts) {
+  const { destDir, onProgress, fetchFn = globalThis.fetch } = opts;
+  const destPath = path10.join(destDir, LOCAL_FILENAME);
+  const tmpPath = destPath + ".tmp";
+  await mkdir5(destDir, { recursive: true });
+  if (existsSync9(destPath)) {
+    const hash2 = await fileHash(destPath);
+    if (hash2 === EXPECTED_SHA256) {
+      return destPath;
+    }
+  }
+  if (existsSync9(tmpPath)) unlinkSync3(tmpPath);
+  const response = await fetchFn(GGUF_URL, { redirect: "follow" });
+  if (!response.ok || !response.body) {
+    throw new Error(`Download failed: HTTP ${response.status}`);
+  }
+  const contentLength = Number(response.headers.get("content-length") ?? EXPECTED_SIZE);
+  let downloaded = 0;
+  const hash = createHash("sha256");
+  const fileStream = createWriteStream(tmpPath);
+  const reader = response.body.getReader();
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      if (!fileStream.write(value)) {
+        await new Promise((resolve) => fileStream.once("drain", resolve));
+      }
+      hash.update(value);
+      downloaded += value.byteLength;
+      onProgress?.(downloaded, contentLength);
+    }
+  } finally {
+    fileStream.end();
+    await new Promise((resolve, reject) => {
+      fileStream.on("finish", resolve);
+      fileStream.on("error", reject);
+    });
+  }
+  const actualHash = hash.digest("hex");
+  if (actualHash !== EXPECTED_SHA256) {
+    unlinkSync3(tmpPath);
+    throw new Error(
+      `SHA256 mismatch: expected ${EXPECTED_SHA256}, got ${actualHash}`
+    );
+  }
+  renameSync3(tmpPath, destPath);
+  return destPath;
+}
+async function fileHash(filePath) {
+  return new Promise((resolve, reject) => {
+    const hash = createHash("sha256");
+    const stream = createReadStream2(filePath);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve(hash.digest("hex")));
+    stream.on("error", reject);
+  });
+}
+var GGUF_URL, EXPECTED_SHA256, EXPECTED_SIZE, LOCAL_FILENAME;
+var init_model_downloader = __esm({
+  "src/lib/model-downloader.ts"() {
+    "use strict";
+    GGUF_URL = "https://huggingface.co/jinaai/jina-embeddings-v5-text-small-text-matching-GGUF/resolve/main/v5-small-text-matching-Q4_K_M.gguf";
+    EXPECTED_SHA256 = "738555454772b436632c6bad5891aeaa38d414bd7d7185107caeb3b2d8f2d860";
+    EXPECTED_SIZE = 396836064;
+    LOCAL_FILENAME = "jina-embeddings-v5-small-q4_k_m.gguf";
+  }
+});
+
+// src/lib/embedder.ts
+var embedder_exports = {};
+__export(embedder_exports, {
+  disposeEmbedder: () => disposeEmbedder,
+  embed: () => embed,
+  embedDirect: () => embedDirect,
+  getEmbedder: () => getEmbedder
+});
+async function getEmbedder() {
+  const ok = await connectEmbedDaemon();
+  if (!ok) {
+    throw new Error(
+      "Could not connect to embedding daemon. Ensure the model is installed (run /exe-setup)."
+    );
+  }
+}
+async function embed(text) {
+  const priority = process.env.EXE_EMBED_PRIORITY === "low" ? "low" : "high";
+  const vector = await embedViaClient(text, priority);
+  if (!vector) {
+    throw new Error(
+      "Embedding failed: daemon unavailable. Run /exe-setup to verify model installation."
+    );
+  }
+  if (vector.length !== EMBEDDING_DIM) {
+    throw new Error(
+      `Embedding dimension mismatch: expected ${EMBEDDING_DIM}, got ${vector.length}. Ensure the correct Jina v5-small Q4_K_M GGUF model is installed.`
+    );
+  }
+  return vector;
+}
+async function disposeEmbedder() {
+  disconnectClient();
+}
+async function embedDirect(text) {
+  const llamaCpp = await import("node-llama-cpp");
+  const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+  const { existsSync: existsSync22 } = await import("fs");
+  const path32 = await import("path");
+  const modelPath = path32.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
+  if (!existsSync22(modelPath)) {
+    throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
+  }
+  const llama = await llamaCpp.getLlama();
+  const model = await llama.loadModel({ modelPath });
+  const context = await model.createEmbeddingContext();
+  try {
+    const embedding = await context.getEmbeddingFor(text);
+    const vector = Array.from(embedding.vector);
+    if (vector.length !== EMBEDDING_DIM) {
+      throw new Error(
+        `Embedding dimension mismatch: expected ${EMBEDDING_DIM}, got ${vector.length}.`
+      );
+    }
+    return vector;
+  } finally {
+    await context.dispose();
+    await model.dispose();
+  }
+}
+var init_embedder = __esm({
+  "src/lib/embedder.ts"() {
+    "use strict";
+    init_memory();
+    init_exe_daemon_client();
+  }
+});
+
+// src/lib/license.ts
+var license_exports = {};
+__export(license_exports, {
+  LICENSE_PUBLIC_KEY_PEM: () => LICENSE_PUBLIC_KEY_PEM,
+  PLAN_LIMITS: () => PLAN_LIMITS,
+  assertVpsLicense: () => assertVpsLicense,
+  checkLicense: () => checkLicense,
+  getCachedLicense: () => getCachedLicense,
+  isFeatureAllowed: () => isFeatureAllowed,
+  loadDeviceId: () => loadDeviceId,
+  loadLicense: () => loadLicense,
+  mirrorLicenseKey: () => mirrorLicenseKey,
+  saveLicense: () => saveLicense,
+  validateLicense: () => validateLicense
+});
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync2, existsSync as existsSync10, mkdirSync as mkdirSync3 } from "fs";
+import { randomUUID as randomUUID2 } from "crypto";
+import path11 from "path";
+import { jwtVerify, importSPKI } from "jose";
+function loadDeviceId() {
+  const deviceJsonPath = path11.join(EXE_AI_DIR, "device.json");
+  try {
+    if (existsSync10(deviceJsonPath)) {
+      const data = JSON.parse(readFileSync6(deviceJsonPath, "utf8"));
+      if (data.deviceId) return data.deviceId;
+    }
+  } catch {
+  }
+  try {
+    if (existsSync10(DEVICE_ID_PATH)) {
+      const id2 = readFileSync6(DEVICE_ID_PATH, "utf8").trim();
+      if (id2) return id2;
+    }
+  } catch {
+  }
+  const id = randomUUID2();
+  mkdirSync3(EXE_AI_DIR, { recursive: true });
+  writeFileSync2(DEVICE_ID_PATH, id, "utf8");
+  return id;
+}
+function loadLicense() {
+  try {
+    if (!existsSync10(LICENSE_PATH)) return null;
+    return readFileSync6(LICENSE_PATH, "utf8").trim();
+  } catch {
+    return null;
+  }
+}
+function saveLicense(apiKey) {
+  mkdirSync3(EXE_AI_DIR, { recursive: true });
+  writeFileSync2(LICENSE_PATH, apiKey.trim(), "utf8");
+}
+async function verifyLicenseJwt(token) {
+  try {
+    const key = await importSPKI(LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG);
+    const { payload } = await jwtVerify(token, key, {
+      algorithms: [LICENSE_JWT_ALG]
+    });
+    const plan = payload.plan ?? "free";
+    const email = payload.sub ?? "";
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan,
+      email,
+      expiresAt: payload.exp ? new Date(payload.exp * 1e3).toISOString() : null,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function getCachedLicense() {
+  try {
+    if (!existsSync10(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync6(CACHE_PATH, "utf8"));
+    if (!raw.token || typeof raw.token !== "string") return null;
+    return await verifyLicenseJwt(raw.token);
+  } catch {
+    return null;
+  }
+}
+function readCachedToken() {
+  try {
+    if (!existsSync10(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync6(CACHE_PATH, "utf8"));
+    return typeof raw.token === "string" ? raw.token : null;
+  } catch {
+    return null;
+  }
+}
+function cacheResponse(token) {
+  try {
+    writeFileSync2(CACHE_PATH, JSON.stringify({ token }), "utf8");
+  } catch {
+  }
+}
+async function validateLicense(apiKey, deviceId) {
+  const did = deviceId ?? loadDeviceId();
+  try {
+    const res = await fetch(`${API_BASE}/auth/activate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ apiKey, deviceId: did }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (res.ok) {
+      const data = await res.json();
+      if (data.error === "device_limit_exceeded") {
+        const cached2 = await getCachedLicense();
+        if (cached2) return cached2;
+        return { ...FREE_LICENSE, valid: false, plan: "free" };
+      }
+      if (data.token) {
+        cacheResponse(data.token);
+        const verified = await verifyLicenseJwt(data.token);
+        if (verified) return verified;
+      }
+      const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
+      return {
+        valid: data.valid,
+        plan: data.plan,
+        email: data.email,
+        expiresAt: data.expiresAt,
+        deviceLimit: limits.devices,
+        employeeLimit: limits.employees,
+        memoryLimit: limits.memories
+      };
+    }
+    const cached = await getCachedLicense();
+    if (cached) return cached;
+    return { ...FREE_LICENSE, valid: false, plan: "free" };
+  } catch {
+    const cached = await getCachedLicense();
+    if (cached) return cached;
+    return FREE_LICENSE;
+  }
+}
+async function checkLicense() {
+  const key = loadLicense();
+  if (!key) return FREE_LICENSE;
+  const cached = await getCachedLicense();
+  if (cached) return cached;
+  const deviceId = loadDeviceId();
+  return validateLicense(key, deviceId);
+}
+function isFeatureAllowed(license, feature) {
+  switch (feature) {
+    case "cloud_sync":
+    case "external_agents":
+    case "wiki":
+      return license.plan !== "free";
+    case "unlimited_employees":
+      return license.plan === "team" || license.plan === "agency" || license.plan === "enterprise";
+  }
+}
+function mirrorLicenseKey(apiKey) {
+  const trimmed = apiKey.trim();
+  if (!trimmed) return;
+  saveLicense(trimmed);
+}
+async function assertVpsLicense(opts) {
+  const env = opts?.env ?? process.env;
+  const inProduction = env.NODE_ENV === "production";
+  if (!opts?.force && !inProduction) {
+    return { ...FREE_LICENSE, plan: "free" };
+  }
+  const envKey = env.EXE_LICENSE_KEY?.trim();
+  if (envKey) {
+    saveLicense(envKey);
+  }
+  const apiKey = envKey ?? loadLicense();
+  if (!apiKey) {
+    throw new Error(
+      "License required: set EXE_LICENSE_KEY env var with your exe_sk_* key. Purchase at https://askexe.com. This VPS image refuses to boot without a valid license."
+    );
+  }
+  const deviceId = loadDeviceId();
+  let backendResponse = null;
+  let explicitRejection = false;
+  let transientFailure = false;
+  try {
+    const res = await fetch(`${API_BASE}/auth/activate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ apiKey, deviceId }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (res.ok) {
+      backendResponse = await res.json();
+      if (!backendResponse.valid) explicitRejection = true;
+    } else if (res.status === 401 || res.status === 403) {
+      explicitRejection = true;
+    } else {
+      transientFailure = true;
+    }
+  } catch {
+    transientFailure = true;
+  }
+  if (backendResponse?.valid) {
+    if (backendResponse.token) {
+      cacheResponse(backendResponse.token);
+      const verified = await verifyLicenseJwt(backendResponse.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[backendResponse.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan: backendResponse.plan,
+      email: backendResponse.email,
+      expiresAt: backendResponse.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  }
+  if (explicitRejection) {
+    throw new Error(
+      `License invalid or expired. Renew at https://askexe.com, then restart. Backend rejected key ending in ...${apiKey.slice(-4)}.`
+    );
+  }
+  if (!transientFailure) {
+    throw new Error(
+      "License validation failed: unknown backend state. Restore network connectivity to https://askexe.com/cloud and retry."
+    );
+  }
+  const fresh = await getCachedLicense();
+  if (fresh && fresh.valid) return fresh;
+  const graceDays = opts?.offlineGraceDays ?? 7;
+  const graceMs = graceDays * 24 * 60 * 60 * 1e3;
+  try {
+    const token = readCachedToken();
+    if (token) {
+      const payloadB64 = token.split(".")[1];
+      if (payloadB64) {
+        const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+        const expMs = (payload.exp ?? 0) * 1e3;
+        if (Date.now() < expMs + graceMs) {
+          const key = await importSPKI(LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG);
+          const { payload: verified } = await jwtVerify(token, key, {
+            algorithms: [LICENSE_JWT_ALG],
+            clockTolerance: graceDays * 24 * 60 * 60
+          });
+          const plan = verified.plan ?? "free";
+          const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+          return {
+            valid: true,
+            plan,
+            email: verified.sub ?? "",
+            expiresAt: verified.exp ? new Date(verified.exp * 1e3).toISOString() : null,
+            deviceLimit: limits.devices,
+            employeeLimit: limits.employees,
+            memoryLimit: limits.memories
+          };
+        }
+      }
+    }
+  } catch {
+  }
+  throw new Error(
+    `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://askexe.com/cloud and retry. This VPS image refuses to boot after the offline grace window.`
+  );
+}
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE;
+var init_license = __esm({
+  "src/lib/license.ts"() {
+    "use strict";
+    init_config();
+    LICENSE_PATH = path11.join(EXE_AI_DIR, "license.key");
+    CACHE_PATH = path11.join(EXE_AI_DIR, "license-cache.json");
+    DEVICE_ID_PATH = path11.join(EXE_AI_DIR, "device-id");
+    API_BASE = "https://askexe.com/cloud";
+    LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
+4uj+UqeKCcvtgNHKmOK278HJaJcANe9xAeji8AFYu27q3WtzCi04pHudow==
+-----END PUBLIC KEY-----`;
+    LICENSE_JWT_ALG = "ES256";
+    PLAN_LIMITS = {
+      free: { devices: 1, employees: 1, memories: 5e3 },
+      pro: { devices: 2, employees: 5, memories: 1e5 },
+      team: { devices: 10, employees: 20, memories: 1e6 },
+      agency: { devices: 50, employees: 100, memories: 1e7 },
+      enterprise: { devices: -1, employees: -1, memories: -1 }
+    };
+    FREE_LICENSE = {
+      valid: true,
+      plan: "free",
+      email: "",
+      expiresAt: null,
+      deviceLimit: 1,
+      employeeLimit: 1,
+      memoryLimit: 5e3
+    };
   }
 });
 
@@ -4324,17 +4700,17 @@ __export(identity_exports, {
   listIdentities: () => listIdentities,
   updateIdentity: () => updateIdentity
 });
-import { existsSync as existsSync10, mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
+import { existsSync as existsSync11, mkdirSync as mkdirSync4, readFileSync as readFileSync7, writeFileSync as writeFileSync3 } from "fs";
 import { readdirSync } from "fs";
-import path11 from "path";
+import path12 from "path";
 import { createHash as createHash2 } from "crypto";
 function ensureDir() {
-  if (!existsSync10(IDENTITY_DIR)) {
+  if (!existsSync11(IDENTITY_DIR)) {
     mkdirSync4(IDENTITY_DIR, { recursive: true });
   }
 }
 function identityPath(agentId) {
-  return path11.join(IDENTITY_DIR, `${agentId}.md`);
+  return path12.join(IDENTITY_DIR, `${agentId}.md`);
 }
 function parseFrontmatter(raw) {
   const match = raw.match(/^---\n([\s\S]*?)\n---\n([\s\S]*)$/);
@@ -4375,8 +4751,8 @@ function contentHash(content) {
 }
 function getIdentity(agentId) {
   const filePath = identityPath(agentId);
-  if (!existsSync10(filePath)) return null;
-  const raw = readFileSync5(filePath, "utf-8");
+  if (!existsSync11(filePath)) return null;
+  const raw = readFileSync7(filePath, "utf-8");
   const { frontmatter, body } = parseFrontmatter(raw);
   return {
     agentId,
@@ -4390,7 +4766,7 @@ async function updateIdentity(agentId, content, updatedBy) {
   ensureDir();
   const filePath = identityPath(agentId);
   const hash = contentHash(content);
-  writeFileSync2(filePath, content, "utf-8");
+  writeFileSync3(filePath, content, "utf-8");
   try {
     const client = getClient();
     await client.execute({
@@ -4446,7 +4822,7 @@ var init_identity = __esm({
     "use strict";
     init_config();
     init_database();
-    IDENTITY_DIR = path11.join(EXE_AI_DIR, "identity");
+    IDENTITY_DIR = path12.join(EXE_AI_DIR, "identity");
   }
 });
 
@@ -4470,6 +4846,7 @@ function getTemplateForTitle(title) {
   if (t.includes("engineer") || t.includes("developer")) return IDENTITY_TEMPLATES["principal-engineer"];
   if (t.includes("content") || t.includes("production")) return IDENTITY_TEMPLATES["content-specialist"];
   if (t.includes("ai") || t.includes("product lead") || t.includes("specialist") && !t.includes("content")) return IDENTITY_TEMPLATES["ai-specialist"];
+  if (t.includes("review") || t.includes("audit") || t.includes("qa")) return IDENTITY_TEMPLATES["staff-code-reviewer"];
   return null;
 }
 var POST_WORK_CHECKLIST, IDENTITY_TEMPLATES;
@@ -4552,6 +4929,7 @@ Never say "I have no memories" without first searching broadly. Your memory may
 - **create_task** \u2014 assign work to specialists with clear specs
 - **update_task / close_task** \u2014 finalize reviews, mark work done
 - **store_behavior** \u2014 record corrections as behavioral rules (p0/p1/p2)
+- **update_identity** \u2014 rewrite any agent's identity when role/responsibilities change (exe/founder only)
 - **get_identity** \u2014 read any agent's identity for coordination
 - **send_message** \u2014 direct intercom to employees
 
@@ -4915,6 +5293,55 @@ You are the AI Product Lead \u2014 the competitive intelligence engine. You stud
 - Every recommendation includes cost/quality/latency tradeoff analysis
 - Separate experimental from production-ready \u2014 label clearly
 - If you can't verify, say so explicitly: "Couldn't verify because X"
+`,
+      "staff-code-reviewer": `---
+role: staff-code-reviewer
+title: Staff Code Reviewer & System Auditor
+agent_id: bob
+org_level: specialist
+created_by: system
+updated_at: ${(/* @__PURE__ */ new Date()).toISOString()}
+---
+## Identity
+
+You are \${agent_id}. Staff Code Reviewer and System Auditor. Last line of defense before code ships to customers. You catch what developers miss \u2014 systemic patterns that make entire feature categories break.
+
+## The 7 Audit Patterns (MANDATORY)
+
+1. **"Works on dev, breaks on user install"** \u2014 scoped paths, npm resolution, deps
+2. **"Two code paths, one untested"** \u2014 binary symlink vs /exe-call, verify BOTH
+3. **"Case sensitivity kills non-technical users"** \u2014 normalize all user inputs
+4. **"Hardcoded names in runtime logic"** \u2014 grep for employee names, must use roles
+5. **"Installer doesn't self-heal"** \u2014 npm update must auto-fix stale hooks/paths
+6. **"Data written but invisible"** \u2014 agent_id mismatch between writer and reader
+7. **"Partial fixes miss inline refs"** \u2014 before/after grep count is mandatory
+
+## Method
+
+1. Read actual source code
+2. Send to Codex MCP for sweep
+3. Validate against ARCHITECTURE.md
+4. Trace identity chain with CUSTOM-NAMED employee ("jarvis" as CTO)
+5. Before/after grep count for every fix
+6. Structured report: PASS/FAIL per item
+
+## Tools
+
+- **Codex MCP** \u2014 first tool for every review
+- **recall_my_memory / ask_team_memory** \u2014 past audit findings
+- **store_behavior** \u2014 record new patterns
+- **update_task** \u2014 mark reviews done with structured findings
+- **create_task** \u2014 assign fixes to the CTO
+
+## Completion Workflow
+
+1. Read the task brief and understand the audit scope
+2. Run the audit using all 7 patterns
+3. Write report to exe/output/ with file:line references
+4. Fix findings yourself if possible
+5. Call **update_task** with status "done" and finding count
+6. Call **store_memory** with audit summary
+7. Check for next task \u2014 auto-chain
 `
     };
   }
@@ -4927,9 +5354,9 @@ __export(setup_wizard_exports, {
   validateModel: () => validateModel
 });
 import crypto3 from "crypto";
-import { existsSync as existsSync11, mkdirSync as mkdirSync5, readFileSync as readFileSync6, writeFileSync as writeFileSync3 } from "fs";
+import { existsSync as existsSync12, mkdirSync as mkdirSync5, readFileSync as readFileSync8, writeFileSync as writeFileSync4 } from "fs";
 import os4 from "os";
-import path12 from "path";
+import path13 from "path";
 import { createInterface as createInterface2 } from "readline";
 function ask(rl, prompt) {
   return new Promise((resolve) => {
@@ -4970,7 +5397,7 @@ async function runSetupWizard(opts = {}) {
       rl.close();
       return;
     }
-    if (existsSync11(LEGACY_LANCE_PATH)) {
+    if (existsSync12(LEGACY_LANCE_PATH)) {
       log("\u26A0 Found v1.0 LanceDB at ~/.exe-os/local.lance");
       log("  v1.1 uses libSQL (SQLite). Your existing memories are not automatically migrated.");
       log("  The old directory will not be modified or deleted.");
@@ -5038,10 +5465,10 @@ async function runSetupWizard(opts = {}) {
     await saveConfig(config);
     log("");
     try {
-      const claudeJsonPath = path12.join(os4.homedir(), ".claude.json");
+      const claudeJsonPath = path13.join(os4.homedir(), ".claude.json");
       let claudeJson = {};
       try {
-        claudeJson = JSON.parse(readFileSync6(claudeJsonPath, "utf8"));
+        claudeJson = JSON.parse(readFileSync8(claudeJsonPath, "utf8"));
       } catch {
       }
       if (!claudeJson.projects) claudeJson.projects = {};
@@ -5050,7 +5477,7 @@ async function runSetupWizard(opts = {}) {
         if (!projects[dir]) projects[dir] = {};
         projects[dir].hasTrustDialogAccepted = true;
       }
-      writeFileSync3(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+      writeFileSync4(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
     } catch {
     }
     const {
@@ -5095,9 +5522,9 @@ async function runSetupWizard(opts = {}) {
     const cooIdentityContent = getIdentityTemplate("coo");
     if (cooIdentityContent) {
       const cooIdPath = identityPath2(cooName);
-      mkdirSync5(path12.dirname(cooIdPath), { recursive: true });
+      mkdirSync5(path13.dirname(cooIdPath), { recursive: true });
       const replaced = cooIdentityContent.replace(/agent_id:\s*exe/g, `agent_id: ${cooName}`).replace(/\$\{agent_id\}/g, cooName);
-      writeFileSync3(cooIdPath, replaced, "utf-8");
+      writeFileSync4(cooIdPath, replaced, "utf-8");
     }
     registerBinSymlinks2(cooName);
     createdEmployees.push({ name: cooName, role: "COO" });
@@ -5179,9 +5606,9 @@ async function runSetupWizard(opts = {}) {
         const ctoIdentityContent = getIdentityTemplate("cto");
         if (ctoIdentityContent) {
           const ctoIdPath = identityPath2(ctoName);
-          mkdirSync5(path12.dirname(ctoIdPath), { recursive: true });
+          mkdirSync5(path13.dirname(ctoIdPath), { recursive: true });
           const replaced = ctoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${ctoName}`).replace(/\$\{agent_id\}/g, ctoName);
-          writeFileSync3(ctoIdPath, replaced, "utf-8");
+          writeFileSync4(ctoIdPath, replaced, "utf-8");
         }
         registerBinSymlinks2(ctoName);
         createdEmployees.push({ name: ctoName, role: "CTO" });
@@ -5206,9 +5633,9 @@ async function runSetupWizard(opts = {}) {
         const cmoIdentityContent = getIdentityTemplate("cmo");
         if (cmoIdentityContent) {
           const cmoIdPath = identityPath2(cmoName);
-          mkdirSync5(path12.dirname(cmoIdPath), { recursive: true });
+          mkdirSync5(path13.dirname(cmoIdPath), { recursive: true });
           const replaced = cmoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${cmoName}`).replace(/\$\{agent_id\}/g, cmoName);
-          writeFileSync3(cmoIdPath, replaced, "utf-8");
+          writeFileSync4(cmoIdPath, replaced, "utf-8");
         }
         registerBinSymlinks2(cmoName);
         createdEmployees.push({ name: cmoName, role: "CMO" });
@@ -9619,8 +10046,8 @@ var init_ErrorOverview = __esm({
     "use strict";
     init_Box();
     init_Text();
-    cleanupPath = (path31) => {
-      return path31?.replace(`file://${cwd()}/`, "");
+    cleanupPath = (path32) => {
+      return path32?.replace(`file://${cwd()}/`, "");
     };
     stackUtils = new StackUtils({
       cwd: cwd(),
@@ -11655,13 +12082,13 @@ __export(tmux_status_exports, {
   parseActivity: () => parseActivity,
   parseContextPercentage: () => parseContextPercentage
 });
-import { execSync as execSync2 } from "child_process";
+import { execSync as execSync3 } from "child_process";
 function inTmux() {
   if (process.env.TMUX || process.env.TMUX_PANE) return true;
   const term = process.env.TERM ?? "";
   if (term.startsWith("tmux") || term.startsWith("screen")) return true;
   try {
-    execSync2("tmux display-message -p '#{session_name}' 2>/dev/null", {
+    execSync3("tmux display-message -p '#{session_name}' 2>/dev/null", {
       encoding: "utf8",
       timeout: 2e3
     });
@@ -11671,12 +12098,12 @@ function inTmux() {
   try {
     let pid = process.ppid;
     for (let depth = 0; depth < 8 && pid > 1; depth++) {
-      const comm = execSync2(`ps -p ${pid} -o comm= 2>/dev/null`, {
+      const comm = execSync3(`ps -p ${pid} -o comm= 2>/dev/null`, {
         encoding: "utf8",
         timeout: 1e3
       }).trim();
       if (/tmux/.test(comm)) return true;
-      const ppid = execSync2(`ps -p ${pid} -o ppid= 2>/dev/null`, {
+      const ppid = execSync3(`ps -p ${pid} -o ppid= 2>/dev/null`, {
         encoding: "utf8",
         timeout: 1e3
       }).trim();
@@ -11689,7 +12116,7 @@ function inTmux() {
 }
 function listTmuxSessions() {
   try {
-    const out = execSync2("tmux list-sessions -F '#{session_name}' 2>/dev/null", {
+    const out = execSync3("tmux list-sessions -F '#{session_name}' 2>/dev/null", {
       encoding: "utf8",
       timeout: 3e3
     });
@@ -11700,7 +12127,7 @@ function listTmuxSessions() {
 }
 function capturePaneLines(windowName, lines = 10) {
   try {
-    const out = execSync2(
+    const out = execSync3(
       `tmux capture-pane -t ${JSON.stringify(windowName)} -p 2>/dev/null | tail -${lines}`,
       { encoding: "utf8", timeout: 3e3 }
     );
@@ -11711,7 +12138,7 @@ function capturePaneLines(windowName, lines = 10) {
 }
 function getPaneCwd(windowName) {
   try {
-    const out = execSync2(
+    const out = execSync3(
       `tmux display-message -t ${JSON.stringify(windowName)} -p '#{pane_current_path}' 2>/dev/null`,
       { encoding: "utf8", timeout: 3e3 }
     );
@@ -11722,7 +12149,7 @@ function getPaneCwd(windowName) {
 }
 function projectFromPath(dir) {
   try {
-    const root = execSync2("git -C " + JSON.stringify(dir) + " rev-parse --show-toplevel 2>/dev/null", {
+    const root = execSync3("git -C " + JSON.stringify(dir) + " rev-parse --show-toplevel 2>/dev/null", {
       encoding: "utf8",
       timeout: 3e3
     }).trim();
@@ -11791,7 +12218,7 @@ function getEmployeeStatuses(employeeNames) {
     }
     let paneAlive = true;
     try {
-      const paneStatus = execSync2(
+      const paneStatus = execSync3(
         `tmux list-panes -t ${JSON.stringify(sessionName)} -F '#{pane_dead}' 2>/dev/null`,
         { encoding: "utf8", timeout: 3e3 }
       ).trim();
@@ -11955,11 +12382,11 @@ function Footer() {
     } catch {
     }
     try {
-      const { existsSync: existsSync21 } = await import("fs");
+      const { existsSync: existsSync22 } = await import("fs");
       const { join } = await import("path");
       const home = process.env.HOME ?? "";
       const pidPath = join(home, ".exe-os", "exed.pid");
-      setDaemon(existsSync21(pidPath) ? "running" : "stopped");
+      setDaemon(existsSync22(pidPath) ? "running" : "stopped");
     } catch {
       setDaemon("unknown");
     }
@@ -11977,8 +12404,8 @@ function Footer() {
         setSessions(allSessions.length);
         if (!currentSession) {
           try {
-            const { execSync: execSync12 } = await import("child_process");
-            const name = execSync12("tmux display-message -p '#{session_name}' 2>/dev/null", {
+            const { execSync: execSync13 } = await import("child_process");
+            const name = execSync13("tmux display-message -p '#{session_name}' 2>/dev/null", {
               encoding: "utf8",
               timeout: 2e3
             }).trim();
@@ -13985,10 +14412,10 @@ var init_hooks = __esm({
 });
 
 // src/runtime/safety-checks.ts
-import path13 from "path";
+import path14 from "path";
 import os5 from "os";
 function checkPathSafety(filePath) {
-  const resolved = path13.resolve(filePath);
+  const resolved = path14.resolve(filePath);
   for (const { pattern, reason } of BYPASS_IMMUNE_PATTERNS) {
     const matches = typeof pattern === "function" ? pattern(resolved) : pattern.test(resolved);
     if (matches) {
@@ -13998,7 +14425,7 @@ function checkPathSafety(filePath) {
   return { safe: true, bypassImmune: true };
 }
 function checkReadPathSafety(filePath) {
-  const resolved = path13.resolve(filePath);
+  const resolved = path14.resolve(filePath);
   const credPatterns = BYPASS_IMMUNE_PATTERNS.filter(
     (p) => typeof p.pattern !== "function" && (p.reason.includes("secrets") || p.reason.includes("Private key") || p.reason.includes("Credential"))
   );
@@ -14024,11 +14451,11 @@ var init_safety_checks = __esm({
         reason: "Git config can set hooks and command execution"
       },
       {
-        pattern: (p) => p.startsWith(path13.join(HOME, ".claude")),
+        pattern: (p) => p.startsWith(path14.join(HOME, ".claude")),
         reason: "Claude configuration files are protected"
       },
       {
-        pattern: (p) => p.startsWith(path13.join(HOME, ".exe-os")),
+        pattern: (p) => p.startsWith(path14.join(HOME, ".exe-os")),
         reason: "exe-os configuration files are protected"
       },
       {
@@ -14045,7 +14472,7 @@ var init_safety_checks = __esm({
       },
       {
         pattern: (p) => {
-          const name = path13.basename(p);
+          const name = path14.basename(p);
           return [".bashrc", ".zshrc", ".profile", ".bash_profile", ".zprofile", ".zshenv"].includes(name);
         },
         reason: "Shell configuration files can execute arbitrary code on login"
@@ -14072,7 +14499,7 @@ __export(file_read_exports, {
   FileReadTool: () => FileReadTool
 });
 import fs3 from "fs/promises";
-import path14 from "path";
+import path15 from "path";
 import { z } from "zod";
 function isBinary(buf) {
   for (let i = 0; i < buf.length; i++) {
@@ -14108,7 +14535,7 @@ var init_file_read = __esm({
         return { behavior: "allow" };
       },
       async call(input, context) {
-        const filePath = path14.isAbsolute(input.file_path) ? input.file_path : path14.resolve(context.cwd, input.file_path);
+        const filePath = path15.isAbsolute(input.file_path) ? input.file_path : path15.resolve(context.cwd, input.file_path);
         let stat2;
         try {
           stat2 = await fs3.stat(filePath);
@@ -14148,7 +14575,7 @@ __export(glob_exports, {
   GlobTool: () => GlobTool
 });
 import fs4 from "fs/promises";
-import path15 from "path";
+import path16 from "path";
 import { z as z2 } from "zod";
 async function walkDir(dir, maxDepth = 10) {
   const results = [];
@@ -14164,7 +14591,7 @@ async function walkDir(dir, maxDepth = 10) {
       if (entry.isDirectory() && (entry.name === "node_modules" || entry.name === ".git")) {
         continue;
       }
-      const fullPath = path15.join(current, entry.name);
+      const fullPath = path16.join(current, entry.name);
       if (entry.isDirectory()) {
         await walk(fullPath, depth + 1);
       } else {
@@ -14198,11 +14625,11 @@ var init_glob = __esm({
       inputSchema: inputSchema2,
       isReadOnly: true,
       async call(input, context) {
-        const baseDir = input.path ? path15.isAbsolute(input.path) ? input.path : path15.resolve(context.cwd, input.path) : context.cwd;
+        const baseDir = input.path ? path16.isAbsolute(input.path) ? input.path : path16.resolve(context.cwd, input.path) : context.cwd;
         try {
           const entries = await walkDir(baseDir);
           const matched = entries.filter(
-            (e) => simpleGlobMatch(path15.relative(baseDir, e.path), input.pattern)
+            (e) => simpleGlobMatch(path16.relative(baseDir, e.path), input.pattern)
           );
           matched.sort((a, b) => b.mtime - a.mtime);
           if (matched.length === 0) {
@@ -14228,7 +14655,7 @@ __export(grep_exports, {
 });
 import { spawn as spawn2 } from "child_process";
 import fs5 from "fs/promises";
-import path16 from "path";
+import path17 from "path";
 import { z as z3 } from "zod";
 function runRipgrep(input, searchPath, context) {
   return new Promise((resolve, reject) => {
@@ -14277,7 +14704,7 @@ async function nodeGrep(input, searchPath) {
     }
     for (const entry of entries) {
       if (entry.name === "node_modules" || entry.name === ".git") continue;
-      const fullPath = path16.join(dir, entry.name);
+      const fullPath = path17.join(dir, entry.name);
       if (entry.isDirectory()) {
         await walk(fullPath);
       } else {
@@ -14323,7 +14750,7 @@ var init_grep = __esm({
       inputSchema: inputSchema3,
       isReadOnly: true,
       async call(input, context) {
-        const searchPath = input.path ? path16.isAbsolute(input.path) ? input.path : path16.resolve(context.cwd, input.path) : context.cwd;
+        const searchPath = input.path ? path17.isAbsolute(input.path) ? input.path : path17.resolve(context.cwd, input.path) : context.cwd;
         try {
           const result = await runRipgrep(input, searchPath, context);
           return result;
@@ -14348,7 +14775,7 @@ __export(file_write_exports, {
   FileWriteTool: () => FileWriteTool
 });
 import fs6 from "fs/promises";
-import path17 from "path";
+import path18 from "path";
 import { z as z4 } from "zod";
 var inputSchema4, FileWriteTool;
 var init_file_write = __esm({
@@ -14376,8 +14803,8 @@ var init_file_write = __esm({
         return { behavior: "allow" };
       },
       async call(input, context) {
-        const filePath = path17.isAbsolute(input.file_path) ? input.file_path : path17.resolve(context.cwd, input.file_path);
-        const dir = path17.dirname(filePath);
+        const filePath = path18.isAbsolute(input.file_path) ? input.file_path : path18.resolve(context.cwd, input.file_path);
+        const dir = path18.dirname(filePath);
         await fs6.mkdir(dir, { recursive: true });
         await fs6.writeFile(filePath, input.content, "utf-8");
         return {
@@ -14395,7 +14822,7 @@ __export(file_edit_exports, {
   FileEditTool: () => FileEditTool
 });
 import fs7 from "fs/promises";
-import path18 from "path";
+import path19 from "path";
 import { z as z5 } from "zod";
 function countOccurrences(haystack, needle) {
   let count = 0;
@@ -14436,7 +14863,7 @@ var init_file_edit = __esm({
         return { behavior: "allow" };
       },
       async call(input, context) {
-        const filePath = path18.isAbsolute(input.file_path) ? input.file_path : path18.resolve(context.cwd, input.file_path);
+        const filePath = path19.isAbsolute(input.file_path) ? input.file_path : path19.resolve(context.cwd, input.file_path);
         let content;
         try {
           content = await fs7.readFile(filePath, "utf-8");
@@ -14673,13 +15100,13 @@ __export(session_registry_exports, {
   pruneStaleSessions: () => pruneStaleSessions,
   registerSession: () => registerSession
 });
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync4, mkdirSync as mkdirSync6, existsSync as existsSync13 } from "fs";
-import { execSync as execSync3 } from "child_process";
-import path19 from "path";
+import { readFileSync as readFileSync10, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, existsSync as existsSync14 } from "fs";
+import { execSync as execSync4 } from "child_process";
+import path20 from "path";
 import os6 from "os";
 function registerSession(entry) {
-  const dir = path19.dirname(REGISTRY_PATH);
-  if (!existsSync13(dir)) {
+  const dir = path20.dirname(REGISTRY_PATH);
+  if (!existsSync14(dir)) {
     mkdirSync6(dir, { recursive: true });
   }
   const sessions = listSessions();
@@ -14689,11 +15116,11 @@ function registerSession(entry) {
   } else {
     sessions.push(entry);
   }
-  writeFileSync4(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
+  writeFileSync5(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
 }
 function listSessions() {
   try {
-    const raw = readFileSync8(REGISTRY_PATH, "utf8");
+    const raw = readFileSync10(REGISTRY_PATH, "utf8");
     return JSON.parse(raw);
   } catch {
     return [];
@@ -14704,7 +15131,7 @@ function pruneStaleSessions() {
   if (sessions.length === 0) return 0;
   let liveSessions = [];
   try {
-    liveSessions = execSync3("tmux list-sessions -F '#{session_name}' 2>/dev/null", {
+    liveSessions = execSync4("tmux list-sessions -F '#{session_name}' 2>/dev/null", {
       encoding: "utf8"
     }).trim().split("\n").filter(Boolean);
   } catch {
@@ -14714,7 +15141,7 @@ function pruneStaleSessions() {
   const alive = sessions.filter((s) => liveSet.has(s.windowName));
   const pruned = sessions.length - alive.length;
   if (pruned > 0) {
-    writeFileSync4(REGISTRY_PATH, JSON.stringify(alive, null, 2));
+    writeFileSync5(REGISTRY_PATH, JSON.stringify(alive, null, 2));
   }
   return pruned;
 }
@@ -14722,7 +15149,7 @@ var REGISTRY_PATH;
 var init_session_registry = __esm({
   "src/lib/session-registry.ts"() {
     "use strict";
-    REGISTRY_PATH = path19.join(os6.homedir(), ".exe-os", "session-registry.json");
+    REGISTRY_PATH = path20.join(os6.homedir(), ".exe-os", "session-registry.json");
   }
 });
 
@@ -14762,15 +15189,15 @@ function CommandCenterView({
         const { createPermissionsFromPreset: createPermissionsFromPreset2, EMPLOYEE_PERMISSIONS: EMPLOYEE_PERMISSIONS2 } = await Promise.resolve().then(() => (init_permissions(), permissions_exports));
         const { getPresetByRole: getPresetByRole2 } = await Promise.resolve().then(() => (init_permission_presets(), permission_presets_exports));
         const { createDefaultHooks: createDefaultHooks2 } = await Promise.resolve().then(() => (init_hooks(), hooks_exports));
-        const { readFileSync: readFileSync16, existsSync: existsSync21 } = await import("fs");
+        const { readFileSync: readFileSync18, existsSync: existsSync22 } = await import("fs");
         const { join } = await import("path");
-        const { homedir: homedir2 } = await import("os");
-        const configPath = join(homedir2(), ".exe-os", "config.json");
+        const { homedir: homedir3 } = await import("os");
+        const configPath = join(homedir3(), ".exe-os", "config.json");
         let failoverChain = ["anthropic", "opencode", "gemini", "openai"];
         let providerConfigs = {};
-        if (existsSync21(configPath)) {
+        if (existsSync22(configPath)) {
           try {
-            const raw = JSON.parse(readFileSync16(configPath, "utf8"));
+            const raw = JSON.parse(readFileSync18(configPath, "utf8"));
             if (Array.isArray(raw.failoverChain)) failoverChain = raw.failoverChain;
             if (raw.providers && typeof raw.providers === "object") {
               providerConfigs = raw.providers;
@@ -14828,10 +15255,10 @@ function CommandCenterView({
         registry.register(BashTool2);
         let agentRole = "CTO";
         try {
-          const markerDir = join(homedir2(), ".exe-os", "session-cache");
+          const markerDir = join(homedir3(), ".exe-os", "session-cache");
           const agentFiles = (await import("fs")).readdirSync(markerDir).filter((f) => f.startsWith("active-agent-"));
           for (const f of agentFiles) {
-            const data = JSON.parse(readFileSync16(join(markerDir, f), "utf8"));
+            const data = JSON.parse(readFileSync18(join(markerDir, f), "utf8"));
             if (data.agentRole) {
               agentRole = data.agentRole;
               break;
@@ -15001,7 +15428,7 @@ function CommandCenterView({
       const { listSessions: listSessions2 } = await Promise.resolve().then(() => (init_session_registry(), session_registry_exports));
       const { listTmuxSessions: listTmuxSessions2, inTmux: inTmux2 } = await Promise.resolve().then(() => (init_tmux_status(), tmux_status_exports));
       const { loadEmployees: loadEmployees2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
-      const { existsSync: existsSync21 } = await import("fs");
+      const { existsSync: existsSync22 } = await import("fs");
       const { join } = await import("path");
       const registry = listSessions2();
       const tmuxSessions = inTmux2() ? new Set(listTmuxSessions2()) : /* @__PURE__ */ new Set();
@@ -15050,7 +15477,7 @@ function CommandCenterView({
         }
         const totalCount = 1 + employeeNames.length;
         const memoryCount = projectMemoryCounts.get(projectName) ?? 0;
-        const hasGit = projectDir ? existsSync21(join(projectDir, ".git")) : false;
+        const hasGit = projectDir ? existsSync22(join(projectDir, ".git")) : false;
         const hasActivity = memoryCount > 0;
         let type = "automation";
         if (hasGit && hasActivity) type = "code";
@@ -15074,7 +15501,7 @@ function CommandCenterView({
       const activeProjectNames = new Set(projectList.map((p) => p.projectName));
       for (const dir of knownDirs) {
         const name = dir.split("/").filter(Boolean).pop() ?? "";
-        if (activeProjectNames.has(name) || !existsSync21(dir) || !existsSync21(join(dir, ".git"))) continue;
+        if (activeProjectNames.has(name) || !existsSync22(dir) || !existsSync22(join(dir, ".git"))) continue;
         if ((projectMemoryCounts.get(name) ?? 0) > 0) continue;
         projectList.push({
           projectName: name,
@@ -15148,7 +15575,7 @@ function CommandCenterView({
       }
       try {
         const pidPath = join(process.env.HOME ?? "", ".exe-os", "exed.pid");
-        setHealth((h) => ({ ...h, daemon: existsSync21(pidPath) ? "running" : "stopped" }));
+        setHealth((h) => ({ ...h, daemon: existsSync22(pidPath) ? "running" : "stopped" }));
       } catch {
       }
       try {
@@ -15393,8 +15820,8 @@ function TmuxPane({ sessionName, employeeName, employeeRole, projectName, onDeta
     }
     const capture = () => {
       try {
-        const { execSync: execSync12 } = __require("child_process");
-        const output = execSync12(
+        const { execSync: execSync13 } = __require("child_process");
+        const output = execSync13(
           `tmux capture-pane -t ${JSON.stringify(sessionName)} -p -e 2>/dev/null | tail -${CAPTURE_LINES}`,
           { encoding: "utf8", timeout: 3e3 }
         );
@@ -15418,8 +15845,8 @@ function TmuxPane({ sessionName, employeeName, employeeRole, projectName, onDeta
     if (key.return) {
       if (!demo && inputBuffer.trim()) {
         try {
-          const { execSync: execSync12 } = __require("child_process");
-          execSync12(
+          const { execSync: execSync13 } = __require("child_process");
+          execSync13(
             `tmux send-keys -t ${JSON.stringify(sessionName)} ${JSON.stringify(inputBuffer)} Enter`,
             { timeout: 2e3 }
           );
@@ -15427,8 +15854,8 @@ function TmuxPane({ sessionName, employeeName, employeeRole, projectName, onDeta
         }
       } else if (!demo) {
         try {
-          const { execSync: execSync12 } = __require("child_process");
-          execSync12(`tmux send-keys -t ${JSON.stringify(sessionName)} Enter`, { timeout: 2e3 });
+          const { execSync: execSync13 } = __require("child_process");
+          execSync13(`tmux send-keys -t ${JSON.stringify(sessionName)} Enter`, { timeout: 2e3 });
         } catch {
         }
       }
@@ -15567,12 +15994,14 @@ var init_task_router = __esm({
       },
       tierRules: {
         junior: {
-          eligible: ["tom"],
+          eligible: [],
+          // resolved dynamically from roster (Principal Engineer role)
           reviewRequired: false,
           manualOnly: false
         },
         standard: {
-          eligible: ["tom"],
+          eligible: [],
+          // resolved dynamically from roster (Principal Engineer role)
           reviewRequired: false,
           manualOnly: false
         },
@@ -15593,13 +16022,13 @@ var init_task_router = __esm({
 });
 
 // src/lib/session-key.ts
-import { execSync as execSync4 } from "child_process";
+import { execSync as execSync5 } from "child_process";
 function getSessionKey() {
   if (_cached) return _cached;
   let pid = process.ppid;
   for (let i = 0; i < 10; i++) {
     try {
-      const info = execSync4(`ps -p ${pid} -o ppid=,comm=`, {
+      const info = execSync5(`ps -p ${pid} -o ppid=,comm=`, {
         encoding: "utf8",
         timeout: 2e3
       }).trim();
@@ -15743,14 +16172,14 @@ var init_transport = __esm({
 });
 
 // src/lib/cc-agent-support.ts
-import { execSync as execSync5 } from "child_process";
+import { execSync as execSync6 } from "child_process";
 function _resetCcAgentSupportCache() {
   _cachedSupport = null;
 }
 function claudeSupportsAgentFlag() {
   if (_cachedSupport !== null) return _cachedSupport;
   try {
-    const helpOutput = execSync5("claude --help 2>&1", {
+    const helpOutput = execSync6("claude --help 2>&1", {
       encoding: "utf-8",
       timeout: 5e3
     });
@@ -15793,17 +16222,17 @@ var init_provider_table = __esm({
 });
 
 // src/lib/intercom-queue.ts
-import { readFileSync as readFileSync9, writeFileSync as writeFileSync5, renameSync as renameSync3, existsSync as existsSync14, mkdirSync as mkdirSync7 } from "fs";
-import path20 from "path";
+import { readFileSync as readFileSync11, writeFileSync as writeFileSync6, renameSync as renameSync4, existsSync as existsSync15, mkdirSync as mkdirSync7 } from "fs";
+import path21 from "path";
 import os7 from "os";
 function ensureDir2() {
-  const dir = path20.dirname(QUEUE_PATH);
-  if (!existsSync14(dir)) mkdirSync7(dir, { recursive: true });
+  const dir = path21.dirname(QUEUE_PATH);
+  if (!existsSync15(dir)) mkdirSync7(dir, { recursive: true });
 }
 function readQueue() {
   try {
-    if (!existsSync14(QUEUE_PATH)) return [];
-    return JSON.parse(readFileSync9(QUEUE_PATH, "utf8"));
+    if (!existsSync15(QUEUE_PATH)) return [];
+    return JSON.parse(readFileSync11(QUEUE_PATH, "utf8"));
   } catch {
     return [];
   }
@@ -15811,8 +16240,8 @@ function readQueue() {
 function writeQueue(queue) {
   ensureDir2();
   const tmp = `${QUEUE_PATH}.tmp`;
-  writeFileSync5(tmp, JSON.stringify(queue, null, 2));
-  renameSync3(tmp, QUEUE_PATH);
+  writeFileSync6(tmp, JSON.stringify(queue, null, 2));
+  renameSync4(tmp, QUEUE_PATH);
 }
 function queueIntercom(targetSession, reason) {
   const queue = readQueue();
@@ -15835,19 +16264,19 @@ var QUEUE_PATH, TTL_MS, INTERCOM_LOG;
 var init_intercom_queue = __esm({
   "src/lib/intercom-queue.ts"() {
     "use strict";
-    QUEUE_PATH = path20.join(os7.homedir(), ".exe-os", "intercom-queue.json");
+    QUEUE_PATH = path21.join(os7.homedir(), ".exe-os", "intercom-queue.json");
     TTL_MS = 60 * 60 * 1e3;
-    INTERCOM_LOG = path20.join(os7.homedir(), ".exe-os", "intercom.log");
+    INTERCOM_LOG = path21.join(os7.homedir(), ".exe-os", "intercom.log");
   }
 });
 
 // src/lib/plan-limits.ts
-import { readFileSync as readFileSync10, existsSync as existsSync15 } from "fs";
-import path21 from "path";
+import { readFileSync as readFileSync12, existsSync as existsSync16 } from "fs";
+import path22 from "path";
 function getLicenseSync() {
   try {
-    if (!existsSync15(CACHE_PATH2)) return freeLicense();
-    const raw = JSON.parse(readFileSync10(CACHE_PATH2, "utf8"));
+    if (!existsSync16(CACHE_PATH2)) return freeLicense();
+    const raw = JSON.parse(readFileSync12(CACHE_PATH2, "utf8"));
     if (!raw.token || typeof raw.token !== "string") return freeLicense();
     const parts = raw.token.split(".");
     if (parts.length !== 3) return freeLicense();
@@ -15885,8 +16314,8 @@ function assertEmployeeLimitSync(rosterPath) {
   const filePath = rosterPath ?? EMPLOYEES_PATH;
   let count = 0;
   try {
-    if (existsSync15(filePath)) {
-      const raw = readFileSync10(filePath, "utf8");
+    if (existsSync16(filePath)) {
+      const raw = readFileSync12(filePath, "utf8");
       const employees = JSON.parse(raw);
       count = Array.isArray(employees) ? employees.length : 0;
     }
@@ -15915,19 +16344,19 @@ var init_plan_limits = __esm({
         this.name = "PlanLimitError";
       }
     };
-    CACHE_PATH2 = path21.join(EXE_AI_DIR, "license-cache.json");
+    CACHE_PATH2 = path22.join(EXE_AI_DIR, "license-cache.json");
   }
 });
 
 // src/lib/notifications.ts
 import crypto4 from "crypto";
-import path22 from "path";
+import path23 from "path";
 import os8 from "os";
 import {
-  readFileSync as readFileSync11,
+  readFileSync as readFileSync13,
   readdirSync as readdirSync2,
-  unlinkSync as unlinkSync3,
-  existsSync as existsSync16,
+  unlinkSync as unlinkSync4,
+  existsSync as existsSync17,
   rmdirSync
 } from "fs";
 async function writeNotification(notification) {
@@ -16007,10 +16436,10 @@ var init_session_kill_telemetry = __esm({
 
 // src/lib/tasks-crud.ts
 import crypto6 from "crypto";
-import path23 from "path";
-import { execSync as execSync6 } from "child_process";
+import path24 from "path";
+import { execSync as execSync7 } from "child_process";
 import { mkdir as mkdir6, writeFile as writeFile5, appendFile } from "fs/promises";
-import { existsSync as existsSync17, readFileSync as readFileSync12 } from "fs";
+import { existsSync as existsSync18, readFileSync as readFileSync14 } from "fs";
 async function writeCheckpoint(input) {
   const client = getClient();
   const row = await resolveTask(client, input.taskId);
@@ -16140,8 +16569,8 @@ async function createTaskCore(input) {
   }
   if (input.baseDir) {
     try {
-      await mkdir6(path23.join(input.baseDir, "exe", "output"), { recursive: true });
-      await mkdir6(path23.join(input.baseDir, "exe", "research"), { recursive: true });
+      await mkdir6(path24.join(input.baseDir, "exe", "output"), { recursive: true });
+      await mkdir6(path24.join(input.baseDir, "exe", "research"), { recursive: true });
       await ensureArchitectureDoc(input.baseDir, input.projectName);
       await ensureGitignoreExe(input.baseDir);
     } catch {
@@ -16241,12 +16670,12 @@ function checkStaleCompletion(taskContext, taskCreatedAt) {
   if (!DELEGATION_KEYWORDS.test(taskContext)) return null;
   try {
     const since = new Date(taskCreatedAt).toISOString();
-    const branch = execSync6(
+    const branch = execSync7(
       "git rev-parse --abbrev-ref HEAD 2>/dev/null",
       { encoding: "utf8", timeout: 3e3 }
     ).trim();
     const branchArg = branch && branch !== "HEAD" ? branch : "";
-    const commitCount = execSync6(
+    const commitCount = execSync7(
       `git log --oneline --since="${since}" ${branchArg} 2>/dev/null | wc -l`,
       { encoding: "utf8", timeout: 5e3 }
     ).trim();
@@ -16349,9 +16778,9 @@ async function deleteTaskCore(taskId, _baseDir) {
   return { taskFile, assignedTo, assignedBy, taskSlug };
 }
 async function ensureArchitectureDoc(baseDir, projectName) {
-  const archPath = path23.join(baseDir, "exe", "ARCHITECTURE.md");
+  const archPath = path24.join(baseDir, "exe", "ARCHITECTURE.md");
   try {
-    if (existsSync17(archPath)) return;
+    if (existsSync18(archPath)) return;
     const template = [
       `# ${projectName} \u2014 System Architecture`,
       "",
@@ -16384,10 +16813,10 @@ async function ensureArchitectureDoc(baseDir, projectName) {
   }
 }
 async function ensureGitignoreExe(baseDir) {
-  const gitignorePath = path23.join(baseDir, ".gitignore");
+  const gitignorePath = path24.join(baseDir, ".gitignore");
   try {
-    if (existsSync17(gitignorePath)) {
-      const content = readFileSync12(gitignorePath, "utf-8");
+    if (existsSync18(gitignorePath)) {
+      const content = readFileSync14(gitignorePath, "utf-8");
       if (/^\/?exe\/?$/m.test(content)) return;
       await appendFile(gitignorePath, "\n# Employee task assignments (private)\n/exe/\n");
     } else {
@@ -16407,8 +16836,8 @@ var init_tasks_crud = __esm({
 });
 
 // src/lib/tasks-review.ts
-import path24 from "path";
-import { existsSync as existsSync18, readdirSync as readdirSync3, unlinkSync as unlinkSync4 } from "fs";
+import path25 from "path";
+import { existsSync as existsSync19, readdirSync as readdirSync3, unlinkSync as unlinkSync5 } from "fs";
 async function countPendingReviews() {
   const client = getClient();
   const result = await client.execute({
@@ -16528,11 +16957,11 @@ async function cleanupReviewFile(row, taskFile, _baseDir) {
     );
   }
   try {
-    const cacheDir = path24.join(EXE_AI_DIR, "session-cache");
-    if (existsSync18(cacheDir)) {
+    const cacheDir = path25.join(EXE_AI_DIR, "session-cache");
+    if (existsSync19(cacheDir)) {
       for (const f of readdirSync3(cacheDir)) {
         if (f.startsWith("review-notified-")) {
-          unlinkSync4(path24.join(cacheDir, f));
+          unlinkSync5(path25.join(cacheDir, f));
         }
       }
     }
@@ -16553,7 +16982,7 @@ var init_tasks_review = __esm({
 });
 
 // src/lib/tasks-chain.ts
-import path25 from "path";
+import path26 from "path";
 import { readFile as readFile5, writeFile as writeFile6 } from "fs/promises";
 async function cascadeUnblock(taskId, baseDir, now) {
   const client = getClient();
@@ -16569,7 +16998,7 @@ async function cascadeUnblock(taskId, baseDir, now) {
     });
     for (const ur of unblockedRows.rows) {
       try {
-        const ubFile = path25.join(baseDir, String(ur.task_file));
+        const ubFile = path26.join(baseDir, String(ur.task_file));
         let ubContent = await readFile5(ubFile, "utf-8");
         ubContent = ubContent.replace(/\*\*Status:\*\* blocked/, "**Status:** open");
         ubContent = ubContent.replace(/\n\*\*Blocked by:\*\*.*\n/, "\n");
@@ -16634,34 +17063,34 @@ var init_tasks_chain = __esm({
 });
 
 // src/lib/project-name.ts
-import { execSync as execSync7 } from "child_process";
-import path26 from "path";
+import { execSync as execSync8 } from "child_process";
+import path27 from "path";
 function getProjectName(cwd2) {
   const dir = cwd2 ?? process.cwd();
   if (_cached2 && _cachedCwd === dir) return _cached2;
   try {
     let repoRoot;
     try {
-      const gitCommonDir = execSync7("git rev-parse --path-format=absolute --git-common-dir", {
+      const gitCommonDir = execSync8("git rev-parse --path-format=absolute --git-common-dir", {
         cwd: dir,
         encoding: "utf8",
         timeout: 2e3,
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
-      repoRoot = path26.dirname(gitCommonDir);
+      repoRoot = path27.dirname(gitCommonDir);
     } catch {
-      repoRoot = execSync7("git rev-parse --show-toplevel", {
+      repoRoot = execSync8("git rev-parse --show-toplevel", {
         cwd: dir,
         encoding: "utf8",
         timeout: 2e3,
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
     }
-    _cached2 = path26.basename(repoRoot);
+    _cached2 = path27.basename(repoRoot);
     _cachedCwd = dir;
     return _cached2;
   } catch {
-    _cached2 = path26.basename(dir);
+    _cached2 = path27.basename(dir);
     _cachedCwd = dir;
     return _cached2;
   }
@@ -16763,7 +17192,7 @@ async function dispatchTaskToEmployee(input) {
     } else {
       const projectDir = input.projectDir ?? process.cwd();
       const result = ensureEmployee(input.assignedTo, exeSession, projectDir, {
-        autoInstance: input.assignedTo === "tom" || input.assignedTo === "sasha"
+        autoInstance: isMultiInstance(input.assignedTo)
       });
       if (result.status === "failed") {
         process.stderr.write(
@@ -16798,6 +17227,7 @@ var init_tasks_notify = __esm({
     init_session_key();
     init_notifications();
     init_transport();
+    init_employees();
   }
 });
 
@@ -17131,8 +17561,8 @@ __export(tasks_exports, {
   updateTaskStatus: () => updateTaskStatus,
   writeCheckpoint: () => writeCheckpoint
 });
-import path27 from "path";
-import { writeFileSync as writeFileSync6, mkdirSync as mkdirSync8, unlinkSync as unlinkSync5 } from "fs";
+import path28 from "path";
+import { writeFileSync as writeFileSync7, mkdirSync as mkdirSync8, unlinkSync as unlinkSync6 } from "fs";
 async function createTask(input) {
   const result = await createTaskCore(input);
   if (!input.skipDispatch && result.status !== "blocked" && !process.env.VITEST) {
@@ -17151,14 +17581,14 @@ async function updateTask(input) {
   const { row, taskFile, now, taskId } = await updateTaskStatus(input);
   try {
     const agent = String(row.assigned_to);
-    const cacheDir = path27.join(EXE_AI_DIR, "session-cache");
-    const cachePath = path27.join(cacheDir, `current-task-${agent}.json`);
+    const cacheDir = path28.join(EXE_AI_DIR, "session-cache");
+    const cachePath = path28.join(cacheDir, `current-task-${agent}.json`);
     if (input.status === "in_progress") {
       mkdirSync8(cacheDir, { recursive: true });
-      writeFileSync6(cachePath, JSON.stringify({ taskId, title: String(row.title) }));
+      writeFileSync7(cachePath, JSON.stringify({ taskId, title: String(row.title) }));
     } else if (input.status === "done" || input.status === "blocked" || input.status === "cancelled") {
       try {
-        unlinkSync5(cachePath);
+        unlinkSync6(cachePath);
       } catch {
       }
     }
@@ -17551,6 +17981,7 @@ var init_capacity_monitor = __esm({
 // src/lib/tmux-routing.ts
 var tmux_routing_exports = {};
 __export(tmux_routing_exports, {
+  acquireSpawnLock: () => acquireSpawnLock2,
   employeeSessionName: () => employeeSessionName,
   ensureEmployee: () => ensureEmployee,
   extractRootExe: () => extractRootExe,
@@ -17565,26 +17996,63 @@ __export(tmux_routing_exports, {
   notifyParentExe: () => notifyParentExe,
   parseParentExe: () => parseParentExe,
   registerParentExe: () => registerParentExe,
+  releaseSpawnLock: () => releaseSpawnLock2,
   resolveExeSession: () => resolveExeSession,
   sendIntercom: () => sendIntercom,
   spawnEmployee: () => spawnEmployee,
   verifyPaneAtCapacity: () => verifyPaneAtCapacity
 });
-import { execFileSync as execFileSync3, execSync as execSync8 } from "child_process";
-import { readFileSync as readFileSync13, writeFileSync as writeFileSync7, mkdirSync as mkdirSync9, existsSync as existsSync19, appendFileSync } from "fs";
-import path28 from "path";
+import { execFileSync as execFileSync3, execSync as execSync9 } from "child_process";
+import { readFileSync as readFileSync15, writeFileSync as writeFileSync8, mkdirSync as mkdirSync9, existsSync as existsSync20, appendFileSync } from "fs";
+import path29 from "path";
 import os9 from "os";
 import { fileURLToPath as fileURLToPath4 } from "url";
+import { unlinkSync as unlinkSync7 } from "fs";
+function spawnLockPath(sessionName) {
+  return path29.join(SPAWN_LOCK_DIR, `${sessionName}.lock`);
+}
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function acquireSpawnLock2(sessionName) {
+  if (!existsSync20(SPAWN_LOCK_DIR)) {
+    mkdirSync9(SPAWN_LOCK_DIR, { recursive: true });
+  }
+  const lockFile = spawnLockPath(sessionName);
+  if (existsSync20(lockFile)) {
+    try {
+      const lock = JSON.parse(readFileSync15(lockFile, "utf8"));
+      const age = Date.now() - lock.timestamp;
+      if (isProcessAlive(lock.pid) && age < 6e4) {
+        return false;
+      }
+    } catch {
+    }
+  }
+  writeFileSync8(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
+  return true;
+}
+function releaseSpawnLock2(sessionName) {
+  try {
+    unlinkSync7(spawnLockPath(sessionName));
+  } catch {
+  }
+}
 function resolveBehaviorsExporterScript() {
   try {
     const thisFile = fileURLToPath4(import.meta.url);
-    const scriptPath = path28.join(
-      path28.dirname(thisFile),
+    const scriptPath = path29.join(
+      path29.dirname(thisFile),
       "..",
       "bin",
       "exe-export-behaviors.js"
     );
-    return existsSync19(scriptPath) ? scriptPath : null;
+    return existsSync20(scriptPath) ? scriptPath : null;
   } catch {
     return null;
   }
@@ -17625,12 +18093,12 @@ function extractRootExe(name) {
   return match?.[1] ?? null;
 }
 function registerParentExe(sessionKey, parentExe, dispatchedBy) {
-  if (!existsSync19(SESSION_CACHE)) {
+  if (!existsSync20(SESSION_CACHE)) {
     mkdirSync9(SESSION_CACHE, { recursive: true });
   }
   const rootExe = extractRootExe(parentExe) ?? parentExe;
-  const filePath = path28.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`);
-  writeFileSync7(filePath, JSON.stringify({
+  const filePath = path29.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`);
+  writeFileSync8(filePath, JSON.stringify({
     parentExe: rootExe,
     dispatchedBy: dispatchedBy || rootExe,
     registeredAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -17638,7 +18106,7 @@ function registerParentExe(sessionKey, parentExe, dispatchedBy) {
 }
 function getParentExe(sessionKey) {
   try {
-    const data = JSON.parse(readFileSync13(path28.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
+    const data = JSON.parse(readFileSync15(path29.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
     return data.parentExe || null;
   } catch {
     return null;
@@ -17646,8 +18114,8 @@ function getParentExe(sessionKey) {
 }
 function getDispatchedBy(sessionKey) {
   try {
-    const data = JSON.parse(readFileSync13(
-      path28.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`),
+    const data = JSON.parse(readFileSync15(
+      path29.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`),
       "utf8"
     ));
     return data.dispatchedBy ?? data.parentExe ?? null;
@@ -17673,10 +18141,10 @@ function isEmployeeAlive(sessionName) {
 }
 function findFreeInstance(employeeName, exeSession, maxInstances = 10, isAlive = isEmployeeAlive) {
   const base = employeeSessionName(employeeName, exeSession);
-  if (!isAlive(base)) return 0;
+  if (!isAlive(base) && acquireSpawnLock2(base)) return 0;
   for (let i = 2; i <= maxInstances; i++) {
     const candidate = employeeSessionName(employeeName, exeSession, i);
-    if (!isAlive(candidate)) return i;
+    if (!isAlive(candidate) && acquireSpawnLock2(candidate)) return i;
   }
   return null;
 }
@@ -17708,16 +18176,16 @@ async function verifyPaneAtCapacity(sessionName) {
 }
 function readDebounceState() {
   try {
-    if (!existsSync19(DEBOUNCE_FILE)) return {};
-    return JSON.parse(readFileSync13(DEBOUNCE_FILE, "utf8"));
+    if (!existsSync20(DEBOUNCE_FILE)) return {};
+    return JSON.parse(readFileSync15(DEBOUNCE_FILE, "utf8"));
   } catch {
     return {};
   }
 }
 function writeDebounceState(state) {
   try {
-    if (!existsSync19(SESSION_CACHE)) mkdirSync9(SESSION_CACHE, { recursive: true });
-    writeFileSync7(DEBOUNCE_FILE, JSON.stringify(state));
+    if (!existsSync20(SESSION_CACHE)) mkdirSync9(SESSION_CACHE, { recursive: true });
+    writeFileSync8(DEBOUNCE_FILE, JSON.stringify(state));
   } catch {
   }
 }
@@ -17890,26 +18358,26 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   const transport = getTransport();
   const sessionName = employeeSessionName(employeeName, exeSession, opts?.instance);
   const instanceLabel = opts?.instance != null && opts.instance > 0 ? `${employeeName}${opts.instance}` : employeeName;
-  const logDir = path28.join(os9.homedir(), ".exe-os", "session-logs");
-  const logFile = path28.join(logDir, `${instanceLabel}-${Date.now()}.log`);
-  if (!existsSync19(logDir)) {
+  const logDir = path29.join(os9.homedir(), ".exe-os", "session-logs");
+  const logFile = path29.join(logDir, `${instanceLabel}-${Date.now()}.log`);
+  if (!existsSync20(logDir)) {
     mkdirSync9(logDir, { recursive: true });
   }
   transport.kill(sessionName);
   let cleanupSuffix = "";
   try {
     const thisFile = fileURLToPath4(import.meta.url);
-    const cleanupScript = path28.join(path28.dirname(thisFile), "..", "bin", "exe-session-cleanup.js");
-    if (existsSync19(cleanupScript)) {
+    const cleanupScript = path29.join(path29.dirname(thisFile), "..", "bin", "exe-session-cleanup.js");
+    if (existsSync20(cleanupScript)) {
       cleanupSuffix = `; ${process.execPath} "${cleanupScript}" "${employeeName}" "${exeSession}"`;
     }
   } catch {
   }
   try {
-    const claudeJsonPath = path28.join(os9.homedir(), ".claude.json");
+    const claudeJsonPath = path29.join(os9.homedir(), ".claude.json");
     let claudeJson = {};
     try {
-      claudeJson = JSON.parse(readFileSync13(claudeJsonPath, "utf8"));
+      claudeJson = JSON.parse(readFileSync15(claudeJsonPath, "utf8"));
     } catch {
     }
     if (!claudeJson.projects) claudeJson.projects = {};
@@ -17917,17 +18385,17 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     const trustDir = opts?.cwd ?? projectDir;
     if (!projects[trustDir]) projects[trustDir] = {};
     projects[trustDir].hasTrustDialogAccepted = true;
-    writeFileSync7(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+    writeFileSync8(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
   } catch {
   }
   try {
-    const settingsDir = path28.join(os9.homedir(), ".claude", "projects");
+    const settingsDir = path29.join(os9.homedir(), ".claude", "projects");
     const normalizedKey = (opts?.cwd ?? projectDir).replace(/\//g, "-").replace(/^-/, "");
-    const projSettingsDir = path28.join(settingsDir, normalizedKey);
-    const settingsPath = path28.join(projSettingsDir, "settings.json");
+    const projSettingsDir = path29.join(settingsDir, normalizedKey);
+    const settingsPath = path29.join(projSettingsDir, "settings.json");
     let settings = {};
     try {
-      settings = JSON.parse(readFileSync13(settingsPath, "utf8"));
+      settings = JSON.parse(readFileSync15(settingsPath, "utf8"));
     } catch {
     }
     const perms = settings.permissions ?? {};
@@ -17956,7 +18424,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
       perms.allow = allow;
       settings.permissions = perms;
       mkdirSync9(projSettingsDir, { recursive: true });
-      writeFileSync7(settingsPath, JSON.stringify(settings, null, 2) + "\n");
+      writeFileSync8(settingsPath, JSON.stringify(settings, null, 2) + "\n");
     }
   } catch {
   }
@@ -17968,7 +18436,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   let behaviorsFlag = "";
   let legacyFallbackWarned = false;
   if (!useExeAgent && !useBinSymlink) {
-    const identityPath2 = path28.join(
+    const identityPath2 = path29.join(
       os9.homedir(),
       ".exe-os",
       "identity",
@@ -17978,13 +18446,13 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     const hasAgentFlag = claudeSupportsAgentFlag();
     if (hasAgentFlag) {
       identityFlag = ` --agent ${employeeName}`;
-    } else if (existsSync19(identityPath2)) {
+    } else if (existsSync20(identityPath2)) {
       identityFlag = ` --append-system-prompt-file ${identityPath2}`;
       legacyFallbackWarned = true;
     }
     const behaviorsFile = exportBehaviorsSync(
       employeeName,
-      path28.basename(spawnCwd),
+      path29.basename(spawnCwd),
       sessionName
     );
     if (behaviorsFile) {
@@ -17999,16 +18467,16 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   let sessionContextFlag = "";
   try {
-    const ctxDir = path28.join(os9.homedir(), ".exe-os", "session-cache");
+    const ctxDir = path29.join(os9.homedir(), ".exe-os", "session-cache");
     mkdirSync9(ctxDir, { recursive: true });
-    const ctxFile = path28.join(ctxDir, `session-context-${sessionName}.md`);
+    const ctxFile = path29.join(ctxDir, `session-context-${sessionName}.md`);
     const ctxContent = [
       `## Session Context`,
       `You are running in tmux session: ${sessionName}.`,
       `Your parent exe session is ${exeSession}.`,
       `Your employees (if any) use the -${exeSession} suffix (e.g., tom-${exeSession}).`
     ].join("\n");
-    writeFileSync7(ctxFile, ctxContent);
+    writeFileSync8(ctxFile, ctxContent);
     sessionContextFlag = ` --append-system-prompt-file ${ctxFile}`;
   } catch {
   }
@@ -18040,13 +18508,14 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     command: spawnCommand
   });
   if (spawnResult.error) {
+    releaseSpawnLock2(sessionName);
     return { sessionName, error: `tmux new-session failed: ${spawnResult.error}` };
   }
   transport.pipeLog(sessionName, logFile);
   try {
     const mySession = getMySession();
-    const dispatchInfo = path28.join(SESSION_CACHE, `dispatch-info-${sessionName}.json`);
-    writeFileSync7(dispatchInfo, JSON.stringify({
+    const dispatchInfo = path29.join(SESSION_CACHE, `dispatch-info-${sessionName}.json`);
+    writeFileSync8(dispatchInfo, JSON.stringify({
       dispatchedBy: mySession,
       rootExe: exeSession,
       provider: useBinSymlink ? ccProvider : useExeAgent ? opts.provider : "anthropic",
@@ -18057,7 +18526,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   let booted = false;
   for (let i = 0; i < 30; i++) {
     try {
-      execSync8("sleep 0.5");
+      execSync9("sleep 0.5");
     } catch {
     }
     try {
@@ -18077,6 +18546,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     }
   }
   if (!booted) {
+    releaseSpawnLock2(sessionName);
     return { sessionName, error: `${useExeAgent ? "exe-agent" : "claude"} did not boot within 15s` };
   }
   if (!useExeAgent) {
@@ -18093,9 +18563,10 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     pid: 0,
     registeredAt: (/* @__PURE__ */ new Date()).toISOString()
   });
+  releaseSpawnLock2(sessionName);
   return { sessionName };
 }
-var SESSION_CACHE, BEHAVIORS_EXPORT_TIMEOUT_MS, VERIFY_PANE_LINES, INTERCOM_DEBOUNCE_MS, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS, BUSY_PATTERN;
+var SPAWN_LOCK_DIR, SESSION_CACHE, BEHAVIORS_EXPORT_TIMEOUT_MS, VERIFY_PANE_LINES, INTERCOM_DEBOUNCE_MS, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS, BUSY_PATTERN;
 var init_tmux_routing = __esm({
   "src/lib/tmux-routing.ts"() {
     "use strict";
@@ -18107,12 +18578,13 @@ var init_tmux_routing = __esm({
     init_provider_table();
     init_intercom_queue();
     init_plan_limits();
-    SESSION_CACHE = path28.join(os9.homedir(), ".exe-os", "session-cache");
+    SPAWN_LOCK_DIR = path29.join(os9.homedir(), ".exe-os", "spawn-locks");
+    SESSION_CACHE = path29.join(os9.homedir(), ".exe-os", "session-cache");
     BEHAVIORS_EXPORT_TIMEOUT_MS = 1e4;
     VERIFY_PANE_LINES = 200;
     INTERCOM_DEBOUNCE_MS = 3e4;
-    INTERCOM_LOG2 = path28.join(os9.homedir(), ".exe-os", "intercom.log");
-    DEBOUNCE_FILE = path28.join(SESSION_CACHE, "intercom-debounce.json");
+    INTERCOM_LOG2 = path29.join(os9.homedir(), ".exe-os", "intercom.log");
+    DEBOUNCE_FILE = path29.join(SESSION_CACHE, "intercom-debounce.json");
     DEBOUNCE_CLEANUP_AGE_MS = 5 * 60 * 1e3;
     BUSY_PATTERN = /[✻✽✶✳·].*…|Running…/;
   }
@@ -18587,12 +19059,12 @@ function SessionsView({
           return;
         }
       } else {
-        const { execSync: execSync12 } = await import("child_process");
+        const { execSync: execSync13 } = await import("child_process");
         const dir = projectDir || process.cwd();
-        execSync12(`tmux new-session -d -s ${JSON.stringify(entry.sessionName)} -c ${JSON.stringify(dir)}`, { timeout: 5e3 });
-        execSync12(`tmux send-keys -t ${JSON.stringify(entry.sessionName)} "claude --dangerously-skip-permissions" Enter`, { timeout: 3e3 });
+        execSync13(`tmux new-session -d -s ${JSON.stringify(entry.sessionName)} -c ${JSON.stringify(dir)}`, { timeout: 5e3 });
+        execSync13(`tmux send-keys -t ${JSON.stringify(entry.sessionName)} "claude --dangerously-skip-permissions" Enter`, { timeout: 3e3 });
         await new Promise((r) => setTimeout(r, 3e3));
-        execSync12(`tmux send-keys -t ${JSON.stringify(entry.sessionName)} "/exe" Enter`, { timeout: 3e3 });
+        execSync13(`tmux send-keys -t ${JSON.stringify(entry.sessionName)} "/exe" Enter`, { timeout: 3e3 });
       }
       const updated = { ...entry, status: "active", activity: "Starting...", attached: false };
       setViewingEmployee(updated);
@@ -18692,7 +19164,7 @@ function SessionsView({
       const { listSessions: listSessions2 } = await Promise.resolve().then(() => (init_session_registry(), session_registry_exports));
       const { listTmuxSessions: listTmuxSessions2, inTmux: inTmux2, capturePaneLines: capturePaneLines2, parseActivity: parseActivity2 } = await Promise.resolve().then(() => (init_tmux_status(), tmux_status_exports));
       const { loadEmployees: loadEmployees2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
-      const { execSync: execSync12 } = await import("child_process");
+      const { execSync: execSync13 } = await import("child_process");
       if (!inTmux2()) {
         setTmuxAvailable(false);
         setProjects([]);
@@ -18701,7 +19173,7 @@ function SessionsView({
       setTmuxAvailable(true);
       const attachedMap = /* @__PURE__ */ new Map();
       try {
-        const out = execSync12("tmux list-sessions -F '#{session_name}:#{session_attached}' 2>/dev/null", {
+        const out = execSync13("tmux list-sessions -F '#{session_name}:#{session_attached}' 2>/dev/null", {
           encoding: "utf8",
           timeout: 3e3
         });
@@ -19635,19 +20107,19 @@ function upsertConversation(conversations, platform, senderId, message) {
 async function loadGatewayConfig() {
   const state = { running: false, port: 3100, adapters: [], agents: [], gatewayUrl: "" };
   try {
-    const { execSync: execSync12 } = await import("child_process");
-    const ps = execSync12("pgrep -f exe-gateway 2>/dev/null", { encoding: "utf8", timeout: 3e3 });
+    const { execSync: execSync13 } = await import("child_process");
+    const ps = execSync13("pgrep -f exe-gateway 2>/dev/null", { encoding: "utf8", timeout: 3e3 });
     state.running = ps.trim().length > 0;
   } catch {
     state.running = false;
   }
   try {
-    const { existsSync: existsSync21, readFileSync: readFileSync16 } = await import("fs");
+    const { existsSync: existsSync22, readFileSync: readFileSync18 } = await import("fs");
     const { join } = await import("path");
     const home = process.env.HOME ?? "";
     const configPath = join(home, ".exe-os", "gateway.json");
-    if (existsSync21(configPath)) {
-      const raw = JSON.parse(readFileSync16(configPath, "utf8"));
+    if (existsSync22(configPath)) {
+      const raw = JSON.parse(readFileSync18(configPath, "utf8"));
       state.port = raw.port ?? 3100;
       state.gatewayUrl = raw.gatewayUrl ?? "";
       if (raw.adapters) {
@@ -20086,10 +20558,10 @@ var init_Gateway = __esm({
 });
 
 // src/tui/utils/agent-status.ts
-import { execSync as execSync9 } from "child_process";
+import { execSync as execSync10 } from "child_process";
 function getAgentStatus(agentId) {
   try {
-    const sessions = execSync9("tmux list-sessions -F '#{session_name}' 2>/dev/null", {
+    const sessions = execSync10("tmux list-sessions -F '#{session_name}' 2>/dev/null", {
       encoding: "utf8",
       timeout: 2e3
     }).trim().split("\n");
@@ -20100,7 +20572,7 @@ function getAgentStatus(agentId) {
       return /^\d?-/.test(suffix) || /^\d+$/.test(suffix);
     });
     if (!agentSession) return { label: "offline", color: "gray" };
-    const pane = execSync9(`tmux capture-pane -t "${agentSession}" -p 2>/dev/null | tail -3`, {
+    const pane = execSync10(`tmux capture-pane -t "${agentSession}" -p 2>/dev/null | tail -3`, {
       encoding: "utf8",
       timeout: 2e3
     });
@@ -20215,12 +20687,12 @@ function TeamView({ onBack }) {
       setMembers(teamData);
       setDbError(false);
       try {
-        const { existsSync: existsSync21, readFileSync: readFileSync16 } = await import("fs");
+        const { existsSync: existsSync22, readFileSync: readFileSync18 } = await import("fs");
         const { join } = await import("path");
         const home = process.env.HOME ?? "";
         const gatewayConfig = join(home, ".exe-os", "gateway.json");
-        if (existsSync21(gatewayConfig)) {
-          const raw = JSON.parse(readFileSync16(gatewayConfig, "utf8"));
+        if (existsSync22(gatewayConfig)) {
+          const raw = JSON.parse(readFileSync18(gatewayConfig, "utf8"));
           if (raw.agents && raw.agents.length > 0) {
             setExternals(raw.agents.map((a) => ({
               name: a.name,
@@ -20395,8 +20867,8 @@ __export(wiki_client_exports, {
   listDocuments: () => listDocuments,
   listWorkspaces: () => listWorkspaces
 });
-async function wikiFetch(config, path31, method = "GET", body) {
-  const url = `${config.baseUrl}/api/v1${path31}`;
+async function wikiFetch(config, path32, method = "GET", body) {
+  const url = `${config.baseUrl}/api/v1${path32}`;
   const headers = {
     Authorization: `Bearer ${config.apiKey}`,
     "Content-Type": "application/json"
@@ -20411,7 +20883,7 @@ async function wikiFetch(config, path31, method = "GET", body) {
       signal: controller.signal
     });
     if (!response.ok) {
-      throw new Error(`Wiki API ${method} ${path31}: ${response.status} ${response.statusText}`);
+      throw new Error(`Wiki API ${method} ${path32}: ${response.status} ${response.statusText}`);
     }
     return response.json();
   } finally {
@@ -20866,18 +21338,18 @@ function SettingsView({ onBack }) {
       { name: "Chutes", configured: !!process.env.CHUTES_API_KEY, detail: process.env.CHUTES_API_KEY ? "CHUTES_API_KEY set" : "not configured" }
     ];
     try {
-      const { execSync: execSync12 } = await import("child_process");
-      execSync12("curl -s --max-time 1 http://localhost:11434/api/tags", { timeout: 2e3 });
+      const { execSync: execSync13 } = await import("child_process");
+      execSync13("curl -s --max-time 1 http://localhost:11434/api/tags", { timeout: 2e3 });
       providerList.push({ name: "Ollama", configured: true, detail: "localhost:11434" });
     } catch {
       providerList.push({ name: "Ollama", configured: false, detail: "not running" });
     }
     setProviders(providerList);
     try {
-      const { existsSync: existsSync21 } = await import("fs");
+      const { existsSync: existsSync22 } = await import("fs");
       const { join } = await import("path");
       const home = process.env.HOME ?? "";
-      const hasKey = existsSync21(join(home, ".exe-os", "master.key"));
+      const hasKey = existsSync22(join(home, ".exe-os", "master.key"));
       const { loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
       const cfg = await loadConfig2();
       setMemory({
@@ -20901,14 +21373,14 @@ function SettingsView({ onBack }) {
     try {
       const { loadEmployees: loadEmployees2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
       const roster = await loadEmployees2();
-      const { existsSync: existsSync21, readFileSync: readFileSync16 } = await import("fs");
+      const { existsSync: existsSync22, readFileSync: readFileSync18 } = await import("fs");
       const { join } = await import("path");
       const home = process.env.HOME ?? "";
       const configPath = join(home, ".exe-os", "config.json");
       let empConfig = {};
-      if (existsSync21(configPath)) {
+      if (existsSync22(configPath)) {
         try {
-          const raw = JSON.parse(readFileSync16(configPath, "utf8"));
+          const raw = JSON.parse(readFileSync18(configPath, "utf8"));
           if (raw.employees && typeof raw.employees === "object") {
             empConfig = raw.employees;
           }
@@ -20923,15 +21395,15 @@ function SettingsView({ onBack }) {
     } catch {
     }
     try {
-      const { existsSync: existsSync21, readFileSync: readFileSync16 } = await import("fs");
+      const { existsSync: existsSync22, readFileSync: readFileSync18 } = await import("fs");
       const { join } = await import("path");
       const home = process.env.HOME ?? "";
       const ccSettingsPath = join(home, ".claude", "settings.json");
-      const installed = existsSync21(ccSettingsPath);
+      const installed = existsSync22(ccSettingsPath);
       let hooksWired = false;
       if (installed) {
         try {
-          const settings = JSON.parse(readFileSync16(ccSettingsPath, "utf8"));
+          const settings = JSON.parse(readFileSync18(ccSettingsPath, "utf8"));
           const hooks = settings.hooks;
           if (hooks) {
             hooksWired = Object.values(hooks).flat().some((h) => h.command?.includes("exe-os") || h.command?.includes("exe-mem"));
@@ -20943,13 +21415,13 @@ function SettingsView({ onBack }) {
     } catch {
     }
     try {
-      const { existsSync: existsSync21, readFileSync: readFileSync16 } = await import("fs");
+      const { existsSync: existsSync22, readFileSync: readFileSync18 } = await import("fs");
       const { join } = await import("path");
       const home = process.env.HOME ?? "";
       const licensePath = join(home, ".exe-os", "license.json");
-      if (existsSync21(licensePath)) {
+      if (existsSync22(licensePath)) {
         try {
-          const lic = JSON.parse(readFileSync16(licensePath, "utf8"));
+          const lic = JSON.parse(readFileSync18(licensePath, "utf8"));
           setLicense({ valid: lic.valid !== false, detail: lic.plan ?? "licensed" });
         } catch {
           setLicense({ valid: false, detail: "invalid license file" });
@@ -20960,11 +21432,11 @@ function SettingsView({ onBack }) {
     } catch {
     }
     try {
-      const { existsSync: existsSync21 } = await import("fs");
+      const { existsSync: existsSync22 } = await import("fs");
       const { join } = await import("path");
       const home = process.env.HOME ?? "";
       const cloudPath = join(home, ".exe-os", "cloud.json");
-      if (existsSync21(cloudPath)) {
+      if (existsSync22(cloudPath)) {
         setCloudSync({ configured: true, detail: "configured" });
       } else {
         setCloudSync({ configured: false, detail: "not configured" });
@@ -21260,17 +21732,17 @@ var init_App2 = __esm({
 });
 
 // src/lib/update-check.ts
-import { execSync as execSync10 } from "child_process";
-import { readFileSync as readFileSync14 } from "fs";
-import path29 from "path";
+import { execSync as execSync11 } from "child_process";
+import { readFileSync as readFileSync16 } from "fs";
+import path30 from "path";
 function getLocalVersion(packageRoot) {
-  const pkgPath = path29.join(packageRoot, "package.json");
-  const pkg = JSON.parse(readFileSync14(pkgPath, "utf-8"));
+  const pkgPath = path30.join(packageRoot, "package.json");
+  const pkg = JSON.parse(readFileSync16(pkgPath, "utf-8"));
   return pkg.version;
 }
 function getRemoteVersion() {
   try {
-    const output = execSync10("npm view @askexenow/exe-os version", {
+    const output = execSync11("npm view @askexenow/exe-os version", {
       encoding: "utf-8",
       timeout: 15e3,
       stdio: ["pipe", "pipe", "pipe"]
@@ -21308,7 +21780,7 @@ __export(update_exports, {
   getLocalVersion: () => getLocalVersion,
   getRemoteVersion: () => getRemoteVersion
 });
-import { execSync as execSync11 } from "child_process";
+import { execSync as execSync12 } from "child_process";
 import { createInterface as createInterface3 } from "readline";
 var init_update = __esm({
   async "src/bin/update.ts"() {
@@ -21339,7 +21811,7 @@ var init_update = __esm({
       if (answer.toLowerCase() === "y") {
         console.log("Updating...");
         try {
-          execSync11("npm install -g @askexenow/exe-os@latest", { stdio: "inherit" });
+          execSync12("npm install -g @askexenow/exe-os@latest", { stdio: "inherit" });
           console.log("Update complete!");
         } catch {
           console.error(
@@ -21355,8 +21827,8 @@ var init_update = __esm({
 });
 
 // src/bin/cli.ts
-import { existsSync as existsSync20, readFileSync as readFileSync15 } from "fs";
-import path30 from "path";
+import { existsSync as existsSync21, readFileSync as readFileSync17, writeFileSync as writeFileSync9, readdirSync as readdirSync4, rmSync } from "fs";
+import path31 from "path";
 import os10 from "os";
 var args = process.argv.slice(2);
 if (args.includes("--global")) {
@@ -21387,7 +21859,7 @@ if (args.includes("--global")) {
       await runClaudeCheck();
       break;
     case "uninstall":
-      await runClaudeUninstall();
+      await runClaudeUninstall(args.slice(2));
       break;
     default:
       await runClaudeInstall();
@@ -21403,6 +21875,10 @@ if (args.includes("--global")) {
     console.error("Backfill failed:", err instanceof Error ? err.message : String(err));
     process.exit(1);
   }
+} else if (args[0] === "rename") {
+  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
+  const { main: runRename } = await Promise.resolve().then(() => (init_exe_rename(), exe_rename_exports));
+  await runRename();
 } else if (args[0] === "--activate" || args[0] === "activate") {
   await runActivate(args[1]);
 } else if (args[0] === "setup" || args[0] === "-setup" || args[0] === "--setup") {
@@ -21426,12 +21902,12 @@ async function runClaudeInstall() {
   }
 }
 async function runClaudeCheck() {
-  const claudeDir = path30.join(os10.homedir(), ".claude");
-  const settingsPath = path30.join(claudeDir, "settings.json");
-  const claudeJsonPath = path30.join(os10.homedir(), ".claude.json");
+  const claudeDir = path31.join(os10.homedir(), ".claude");
+  const settingsPath = path31.join(claudeDir, "settings.json");
+  const claudeJsonPath = path31.join(os10.homedir(), ".claude.json");
   let ok = true;
-  if (existsSync20(settingsPath)) {
-    const settings = JSON.parse(readFileSync15(settingsPath, "utf8"));
+  if (existsSync21(settingsPath)) {
+    const settings = JSON.parse(readFileSync17(settingsPath, "utf8"));
     const hasHooks = settings.hooks && Object.keys(settings.hooks).some((k) => {
       const groups = settings.hooks[k];
       return Array.isArray(groups) && groups.some((g) => {
@@ -21452,8 +21928,8 @@ async function runClaudeCheck() {
     console.log("\x1B[31m\u2717\x1B[0m settings.json not found");
     ok = false;
   }
-  if (existsSync20(claudeJsonPath)) {
-    const claudeJson = JSON.parse(readFileSync15(claudeJsonPath, "utf8"));
+  if (existsSync21(claudeJsonPath)) {
+    const claudeJson = JSON.parse(readFileSync17(claudeJsonPath, "utf8"));
     const hasMcp = claudeJson.mcpServers && (claudeJson.mcpServers["exe-mem"] || claudeJson.mcpServers["exe-os"]);
     if (hasMcp) {
       console.log("\x1B[32m\u2713\x1B[0m MCP server configured in claude.json");
@@ -21467,11 +21943,11 @@ async function runClaudeCheck() {
     console.log("\x1B[31m\u2717\x1B[0m claude.json not found");
     ok = false;
   }
-  const commandsDir = path30.join(claudeDir, "commands");
-  if (existsSync20(commandsDir)) {
-    console.log("\x1B[32m\u2713\x1B[0m Slash commands directory exists");
+  const skillsDir = path31.join(claudeDir, "skills");
+  if (existsSync21(skillsDir)) {
+    console.log("\x1B[32m\u2713\x1B[0m Slash skills directory exists");
   } else {
-    console.log("\x1B[31m\u2717\x1B[0m Slash commands directory missing");
+    console.log("\x1B[31m\u2717\x1B[0m Slash skills directory missing");
     ok = false;
   }
   if (!ok) {
@@ -21481,13 +21957,18 @@ async function runClaudeCheck() {
     console.log("\nAll checks passed.");
   }
 }
-async function runClaudeUninstall() {
-  const claudeDir = path30.join(os10.homedir(), ".claude");
-  const settingsPath = path30.join(claudeDir, "settings.json");
-  const claudeJsonPath = path30.join(os10.homedir(), ".claude.json");
+async function runClaudeUninstall(flags = []) {
+  const dryRun = flags.includes("--dry-run");
+  const purge = flags.includes("--purge");
+  const homeDir = os10.homedir();
+  const claudeDir = path31.join(homeDir, ".claude");
+  const settingsPath = path31.join(claudeDir, "settings.json");
+  const claudeJsonPath = path31.join(homeDir, ".claude.json");
+  const exeOsDir = path31.join(homeDir, ".exe-os");
   let removed = 0;
-  if (existsSync20(settingsPath)) {
-    const settings = JSON.parse(readFileSync15(settingsPath, "utf8"));
+  const log = (msg) => console.log(dryRun ? `[dry-run] ${msg}` : msg);
+  if (existsSync21(settingsPath)) {
+    const settings = JSON.parse(readFileSync17(settingsPath, "utf8"));
     if (settings.hooks) {
       for (const key of Object.keys(settings.hooks)) {
         const groups = settings.hooks[key];
@@ -21507,37 +21988,176 @@ async function runClaudeUninstall() {
           delete settings.hooks[key];
         }
       }
-      const { writeFileSync: writeFileSync8 } = await import("fs");
-      writeFileSync8(settingsPath, JSON.stringify(settings, null, 2) + "\n");
-      console.log("Removed exe-os hooks from settings.json");
+      let permCount = 0;
+      if (Array.isArray(settings.permissions?.allow)) {
+        const before = settings.permissions.allow.length;
+        settings.permissions.allow = settings.permissions.allow.filter(
+          (p) => !p.startsWith("mcp__exe-mem__") && !p.startsWith("mcp__exe-os__")
+        );
+        permCount = before - settings.permissions.allow.length;
+      }
+      if (!dryRun) {
+        writeFileSync9(settingsPath, JSON.stringify(settings, null, 2) + "\n");
+      }
+      log("\u2713 Removed exe-os hooks from settings.json");
+      if (permCount > 0) log(`\u2713 Removed ${permCount} MCP permission entries`);
       removed++;
     }
   }
-  if (existsSync20(claudeJsonPath)) {
-    const claudeJson = JSON.parse(readFileSync15(claudeJsonPath, "utf8"));
+  if (existsSync21(claudeJsonPath)) {
+    const claudeJson = JSON.parse(readFileSync17(claudeJsonPath, "utf8"));
     if (claudeJson.mcpServers) {
       let removedMcp = false;
       for (const key of ["exe-mem", "exe-os"]) {
         if (claudeJson.mcpServers[key]) {
-          delete claudeJson.mcpServers[key];
+          if (!dryRun) delete claudeJson.mcpServers[key];
           removedMcp = true;
         }
       }
       if (removedMcp) {
-        const { writeFileSync: writeFileSync8 } = await import("fs");
-        writeFileSync8(
-          claudeJsonPath,
-          JSON.stringify(claudeJson, null, 2) + "\n"
-        );
-        console.log("Removed exe-os MCP server from claude.json");
+        if (!dryRun) {
+          writeFileSync9(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+        }
+        log("\u2713 Removed exe-os MCP server from claude.json");
         removed++;
       }
     }
   }
+  const skillsDir = path31.join(claudeDir, "skills");
+  if (existsSync21(skillsDir)) {
+    let skillCount = 0;
+    try {
+      const entries = readdirSync4(skillsDir);
+      for (const entry of entries) {
+        if (entry.startsWith("exe")) {
+          const fullPath = path31.join(skillsDir, entry);
+          if (!dryRun) rmSync(fullPath, { recursive: true, force: true });
+          skillCount++;
+        }
+      }
+    } catch {
+    }
+    if (skillCount > 0) {
+      log(`\u2713 Removed ${skillCount} skill directories`);
+      removed++;
+    }
+  }
+  const claudeMdPath = path31.join(claudeDir, "CLAUDE.md");
+  if (existsSync21(claudeMdPath)) {
+    const content = readFileSync17(claudeMdPath, "utf8");
+    const startMarker = "<!-- exe-os:orchestration-start -->";
+    const endMarker = "<!-- exe-os:orchestration-end -->";
+    const startIdx = content.indexOf(startMarker);
+    const endIdx = content.indexOf(endMarker);
+    if (startIdx !== -1 && endIdx !== -1) {
+      const cleaned = (content.slice(0, startIdx) + content.slice(endIdx + endMarker.length)).replace(/\n{3,}/g, "\n\n").trim() + "\n";
+      if (!dryRun) writeFileSync9(claudeMdPath, cleaned);
+      log("\u2713 Removed orchestration block from CLAUDE.md");
+      removed++;
+    }
+  }
+  const agentsDir = path31.join(claudeDir, "agents");
+  if (existsSync21(agentsDir)) {
+    let agentCount = 0;
+    try {
+      const entries = readdirSync4(agentsDir).filter((f) => f.endsWith(".md"));
+      let knownNames = /* @__PURE__ */ new Set();
+      const rosterPath = path31.join(exeOsDir, "exe-employees.json");
+      if (existsSync21(rosterPath)) {
+        try {
+          const roster = JSON.parse(readFileSync17(rosterPath, "utf8"));
+          knownNames = new Set(roster.map((e) => e.name));
+        } catch {
+        }
+      }
+      for (const entry of entries) {
+        const name = entry.replace(/\.md$/, "");
+        if (knownNames.has(name)) {
+          if (!dryRun) rmSync(path31.join(agentsDir, entry), { force: true });
+          agentCount++;
+        }
+      }
+    } catch {
+    }
+    if (agentCount > 0) {
+      log(`\u2713 Removed ${agentCount} agent identity files`);
+      removed++;
+    }
+  }
+  const projectsDir = path31.join(claudeDir, "projects");
+  if (existsSync21(projectsDir)) {
+    let projectCount = 0;
+    try {
+      const projects = readdirSync4(projectsDir);
+      for (const proj of projects) {
+        const projSettings = path31.join(projectsDir, proj, "settings.json");
+        if (!existsSync21(projSettings)) continue;
+        try {
+          const pSettings = JSON.parse(readFileSync17(projSettings, "utf8"));
+          let changed = false;
+          if (Array.isArray(pSettings.permissions?.allow)) {
+            const before = pSettings.permissions.allow.length;
+            pSettings.permissions.allow = pSettings.permissions.allow.filter(
+              (p) => !p.startsWith("mcp__exe-mem__") && !p.startsWith("mcp__exe-os__")
+            );
+            if (pSettings.permissions.allow.length < before) changed = true;
+          }
+          if (changed && !dryRun) {
+            writeFileSync9(projSettings, JSON.stringify(pSettings, null, 2) + "\n");
+          }
+          if (changed) projectCount++;
+        } catch {
+        }
+      }
+    } catch {
+    }
+    if (projectCount > 0) {
+      log(`\u2713 Cleaned exe-os entries from ${projectCount} project settings`);
+      removed++;
+    }
+  }
+  try {
+    const { execSync: execSync13 } = await import("child_process");
+    const exeBinPath = execSync13("which exe", { encoding: "utf-8" }).trim();
+    const binDir = path31.dirname(exeBinPath);
+    let symlinkCount = 0;
+    const rosterPath = path31.join(exeOsDir, "exe-employees.json");
+    if (existsSync21(rosterPath)) {
+      const roster = JSON.parse(readFileSync17(rosterPath, "utf8"));
+      for (const emp of roster) {
+        if (emp.name === "exe") continue;
+        for (const suffix of ["", "-opencode"]) {
+          const linkPath = path31.join(binDir, `${emp.name}${suffix}`);
+          if (existsSync21(linkPath)) {
+            if (!dryRun) rmSync(linkPath, { force: true });
+            symlinkCount++;
+          }
+        }
+      }
+    }
+    if (symlinkCount > 0) {
+      log(`\u2713 Removed ${symlinkCount} employee symlinks`);
+      removed++;
+    }
+  } catch {
+  }
+  if (purge && existsSync21(exeOsDir)) {
+    if (!dryRun) {
+      process.stdout.write("\x1B[33m\u26A0 This will delete all memories, identities, and agent data.\x1B[0m\n");
+      process.stdout.write("  Removing ~/.exe-os...\n");
+      rmSync(exeOsDir, { recursive: true, force: true });
+    }
+    log("\u2713 Purged ~/.exe-os data directory");
+    removed++;
+  }
   if (removed === 0) {
     console.log("Nothing to remove \u2014 exe-os was not installed.");
   } else {
-    console.log("Done. Run \x1B[36mexe-os claude install\x1B[0m to reinstall.");
+    if (dryRun) {
+      console.log("\nDry run complete. Re-run without --dry-run to apply.");
+    } else {
+      console.log("\nDone. Run \x1B[36mexe-os claude install\x1B[0m to reinstall.");
+    }
   }
 }
 async function checkForUpdateOnBoot() {
@@ -21546,7 +22166,7 @@ async function checkForUpdateOnBoot() {
     const config = await loadConfig2();
     if (!config.autoUpdate.checkOnBoot) return;
     const { checkForUpdate: checkForUpdate2 } = await init_update().then(() => update_exports);
-    const packageRoot = path30.resolve(
+    const packageRoot = path31.resolve(
       new URL("../..", import.meta.url).pathname
     );
     const result = checkForUpdate2(packageRoot);
@@ -21602,7 +22222,7 @@ async function runActivate(key) {
       const idTemplate = getIdentityTemplate(identityKey);
       if (idTemplate) {
         const idPath = identityPath2(name);
-        const dir = path30.dirname(idPath);
+        const dir = path31.dirname(idPath);
         if (!fs8.existsSync(dir)) fs8.mkdirSync(dir, { recursive: true });
         fs8.writeFileSync(idPath, idTemplate.replace(/^agent_id: \w+/m, `agent_id: ${name}`), "utf-8");
       }