@askexenow/exe-os 0.8.37 → 0.8.39

package/dist/bin/setup.js

@@ -1,6 +1,12 @@
 #!/usr/bin/env node
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
@@ -25,7 +31,7 @@ __export(config_exports, {
   migrateConfig: () => migrateConfig,
   saveConfig: () => saveConfig
 });
-import { readFile, writeFile, mkdir } from "fs/promises";
+import { readFile, writeFile, mkdir, chmod } from "fs/promises";
 import { readFileSync, existsSync, renameSync } from "fs";
 import path from "path";
 import os from "os";
@@ -151,6 +157,9 @@ async function saveConfig(config) {
   await mkdir(dir, { recursive: true });
   const configPath = path.join(dir, "config.json");
   await writeFile(configPath, JSON.stringify(config, null, 2) + "\n");
+  if (config.cloud?.apiKey) {
+    await chmod(configPath, 384);
+  }
 }
 async function loadConfigFrom(configPath) {
   const raw = await readFile(configPath, "utf-8");
@@ -270,6 +279,10 @@ import path4 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
+  if (_buffer.length > MAX_BUFFER) {
+    _buffer = "";
+    return;
+  }
   let newlineIdx;
   while ((newlineIdx = _buffer.indexOf("\n")) !== -1) {
     const line = _buffer.slice(0, newlineIdx).trim();
@@ -577,7 +590,7 @@ function disconnectClient() {
     entry.resolve({ error: "Client disconnected" });
   }
 }
-var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, _socket, _connected, _buffer, _requestCount, HEALTH_CHECK_INTERVAL, _pending;
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, _socket, _connected, _buffer, _requestCount, HEALTH_CHECK_INTERVAL, _pending, MAX_BUFFER;
 var init_exe_daemon_client = __esm({
   "src/lib/exe-daemon-client.ts"() {
     "use strict";
@@ -594,6 +607,7 @@ var init_exe_daemon_client = __esm({
     _requestCount = 0;
     HEALTH_CHECK_INTERVAL = 100;
     _pending = /* @__PURE__ */ new Map();
+    MAX_BUFFER = 1e7;
   }
 });
 
@@ -678,12 +692,22 @@ __export(license_exports, {
   loadLicense: () => loadLicense,
   mirrorLicenseKey: () => mirrorLicenseKey,
   saveLicense: () => saveLicense,
+  startLicenseRevalidation: () => startLicenseRevalidation,
+  stopLicenseRevalidation: () => stopLicenseRevalidation,
   validateLicense: () => validateLicense
 });
 import { readFileSync as readFileSync3, writeFileSync, existsSync as existsSync5, mkdirSync } from "fs";
 import { randomUUID as randomUUID2 } from "crypto";
 import path5 from "path";
 import { jwtVerify, importSPKI } from "jose";
+async function fetchRetry(url, init) {
+  try {
+    return await fetch(url, init);
+  } catch {
+    await new Promise((r) => setTimeout(r, RETRY_DELAY_MS));
+    return fetch(url, { ...init, signal: AbortSignal.timeout(1e4) });
+  }
+}
 function loadDeviceId() {
   const deviceJsonPath = path5.join(EXE_AI_DIR, "device.json");
   try {
@@ -715,7 +739,7 @@ function loadLicense() {
 }
 function saveLicense(apiKey) {
   mkdirSync(EXE_AI_DIR, { recursive: true });
-  writeFileSync(LICENSE_PATH, apiKey.trim(), "utf8");
+  writeFileSync(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
 }
 async function verifyLicenseJwt(token) {
   try {
@@ -767,7 +791,7 @@ function cacheResponse(token) {
 async function validateLicense(apiKey, deviceId) {
   const did = deviceId ?? loadDeviceId();
   try {
-    const res = await fetch(`${API_BASE}/auth/activate`, {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ apiKey, deviceId: did }),
@@ -802,14 +826,23 @@ async function validateLicense(apiKey, deviceId) {
   } catch {
     const cached = await getCachedLicense();
     if (cached) return cached;
-    return FREE_LICENSE;
+    return { ...FREE_LICENSE, valid: false, error: "offline" };
+  }
+}
+function getCacheAgeMs() {
+  try {
+    const { statSync: statSync2 } = __require("fs");
+    const s = statSync2(CACHE_PATH);
+    return Date.now() - s.mtimeMs;
+  } catch {
+    return Infinity;
   }
 }
 async function checkLicense() {
   const key = loadLicense();
   if (!key) return FREE_LICENSE;
   const cached = await getCachedLicense();
-  if (cached) return cached;
+  if (cached && getCacheAgeMs() < CACHE_MAX_AGE_MS) return cached;
   const deviceId = loadDeviceId();
   return validateLicense(key, deviceId);
 }
@@ -849,7 +882,7 @@ async function assertVpsLicense(opts) {
   let explicitRejection = false;
   let transientFailure = false;
   try {
-    const res = await fetch(`${API_BASE}/auth/activate`, {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ apiKey, deviceId }),
@@ -930,7 +963,28 @@ async function assertVpsLicense(opts) {
     `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://askexe.com/cloud and retry. This VPS image refuses to boot after the offline grace window.`
   );
 }
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE;
+function startLicenseRevalidation(intervalMs = 36e5) {
+  if (_revalTimer) return;
+  _revalTimer = setInterval(async () => {
+    try {
+      const license = await checkLicense();
+      if (!license.valid) {
+        process.stderr.write("[exe-os] License expired or invalid \u2014 features may be restricted\n");
+      }
+    } catch {
+    }
+  }, intervalMs);
+  if (_revalTimer && typeof _revalTimer === "object" && "unref" in _revalTimer) {
+    _revalTimer.unref();
+  }
+}
+function stopLicenseRevalidation() {
+  if (_revalTimer) {
+    clearInterval(_revalTimer);
+    _revalTimer = null;
+  }
+}
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, CACHE_MAX_AGE_MS, _revalTimer;
 var init_license = __esm({
   "src/lib/license.ts"() {
     "use strict";
@@ -939,6 +993,7 @@ var init_license = __esm({
     CACHE_PATH = path5.join(EXE_AI_DIR, "license-cache.json");
     DEVICE_ID_PATH = path5.join(EXE_AI_DIR, "device-id");
     API_BASE = "https://askexe.com/cloud";
+    RETRY_DELAY_MS = 500;
     LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
 4uj+UqeKCcvtgNHKmOK278HJaJcANe9xAeji8AFYu27q3WtzCi04pHudow==
@@ -960,6 +1015,8 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
       employeeLimit: 1,
       memoryLimit: 5e3
     };
+    CACHE_MAX_AGE_MS = 36e5;
+    _revalTimer = null;
   }
 });
 
@@ -1050,15 +1107,20 @@ function addEmployee(employees, employee) {
   }
   return [...employees, normalized];
 }
+function findExeBin() {
+  try {
+    return execSync(process.platform === "win32" ? "where exe-os" : "which exe-os", { encoding: "utf8" }).trim();
+  } catch {
+    return null;
+  }
+}
 function registerBinSymlinks(name) {
   const created = [];
   const skipped = [];
   const errors = [];
-  let exeBinPath;
-  try {
-    exeBinPath = execSync("which exe", { encoding: "utf-8" }).trim();
-  } catch {
-    errors.push("Could not find 'exe' in PATH");
+  const exeBinPath = findExeBin();
+  if (!exeBinPath) {
+    errors.push("Could not find 'exe-os' in PATH");
     return { created, skipped, errors };
   }
   const binDir = path6.dirname(exeBinPath);
@@ -1106,6 +1168,7 @@ __export(employee_templates_exports, {
   buildCustomEmployeePrompt: () => buildCustomEmployeePrompt,
   getSessionPrompt: () => getSessionPrompt,
   getTemplate: () => getTemplate,
+  getTemplateByRole: () => getTemplateByRole,
   personalizePrompt: () => personalizePrompt,
   renderClientCOOTemplate: () => renderClientCOOTemplate
 });
@@ -1121,6 +1184,10 @@ function buildCustomEmployeePrompt(name, role) {
 function getTemplate(name) {
   return TEMPLATES[name];
 }
+function getTemplateByRole(role) {
+  const lower = role.toLowerCase();
+  return Object.values(TEMPLATES).find((t) => t.role.toLowerCase() === lower);
+}
 function personalizePrompt(prompt, templateName, actualName) {
   if (templateName === actualName) return prompt;
   const escaped = templateName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
@@ -1868,6 +1935,7 @@ var init_identity = __esm({
 var identity_templates_exports = {};
 __export(identity_templates_exports, {
   IDENTITY_TEMPLATES: () => IDENTITY_TEMPLATES,
+  PLAN_MODE_COMPAT: () => PLAN_MODE_COMPAT,
   POST_WORK_CHECKLIST: () => POST_WORK_CHECKLIST,
   getTemplate: () => getTemplate2,
   getTemplateForTitle: () => getTemplateForTitle
@@ -1887,10 +1955,18 @@ function getTemplateForTitle(title) {
   if (t.includes("review") || t.includes("audit") || t.includes("qa")) return IDENTITY_TEMPLATES["staff-code-reviewer"];
   return null;
 }
-var POST_WORK_CHECKLIST, IDENTITY_TEMPLATES;
+var PLAN_MODE_COMPAT, POST_WORK_CHECKLIST, IDENTITY_TEMPLATES;
 var init_identity_templates = __esm({
   "src/lib/identity-templates.ts"() {
     "use strict";
+    PLAN_MODE_COMPAT = `
+## Plan Mode Compatibility
+If tool execution is unavailable (e.g., CC plan mode), switch to planning:
+- Reason about the task and create a written plan
+- Document what tools you would call and with what parameters
+- Output structured text that can be acted on when tools become available
+Do not repeatedly attempt tool calls that fail \u2014 switch to planning mode.
+`;
     POST_WORK_CHECKLIST = `
 5. Check for pending reviews (list_tasks status='needs_review' where you are reviewer) \u2014 reviews are work, process before new tasks
 6. Check for blocked tasks (list_tasks status='blocked') \u2014 can you unblock it? Do it now. Can't? Escalate to exe immediately.
@@ -1970,7 +2046,7 @@ Never say "I have no memories" without first searching broadly. Your memory may
 - **update_identity** \u2014 rewrite any agent's identity when role/responsibilities change (exe/founder only)
 - **get_identity** \u2014 read any agent's identity for coordination
 - **send_message** \u2014 direct intercom to employees
-
+${PLAN_MODE_COMPAT}
 ## Completion Workflow
 
 1. Read the task file and verify the deliverable matches the brief
@@ -2041,7 +2117,7 @@ You are \${agent_id}. CTO. You hold deep context on the entire codebase, archite
 - **store_behavior** \u2014 record corrections for engineers (p0 = always injected)
 - **get_identity** \u2014 read any agent's identity for review context
 - **query_relationships** \u2014 GraphRAG entity connections for architecture analysis
-
+${PLAN_MODE_COMPAT}
 ## Completion Workflow
 
 1. Read ARCHITECTURE.md before starting work on any repo
@@ -2108,7 +2184,7 @@ You are \${agent_id}. CMO. You hold deep context on design, branding, storytelli
 - **update_task** \u2014 mark tasks done with result summary
 - **store_memory** \u2014 report completions with brand alignment notes, SEO considerations
 - **get_identity** \u2014 read team identities for brand-consistent communication
-
+${PLAN_MODE_COMPAT}
 ## Completion Workflow
 
 1. Read the task file and understand the brief \u2014 tone, format, channel requirements
@@ -2175,7 +2251,7 @@ You are a principal engineer. You write production-grade code with zero shortcut
 - **recall_my_memory** \u2014 check past work, patterns, gotchas in this project
 - **store_memory** \u2014 report completions for org visibility
 - **ask_team_memory** \u2014 pull context from colleagues when specs reference their work
-
+${PLAN_MODE_COMPAT}
 ## Completion Workflow
 
 1. Read ARCHITECTURE.md if it exists \u2014 understand architecture before changing anything
@@ -2235,7 +2311,7 @@ You are the content production specialist. You turn scripts and creative briefs
 - **update_task** \u2014 mark tasks done with result summary
 - **recall_my_memory** \u2014 check past work: which models worked, which prompts produced good results
 - **store_memory** \u2014 report completions with production decisions for future reference
-
+${PLAN_MODE_COMPAT}
 ## Completion Workflow
 
 1. Read the task file \u2014 understand the brief, check budget constraints
@@ -2307,7 +2383,7 @@ You are the AI Product Lead \u2014 the competitive intelligence engine. You stud
 - **update_task** \u2014 mark tasks done with analysis results
 - **store_memory** \u2014 persist competitive analyses, evaluations, recommendations
 - **create_task** \u2014 when a feature is worth building, spec it for the CTO
-
+${PLAN_MODE_COMPAT}
 ## Completion Workflow
 
 1. Read the task \u2014 understand what capability is needed
@@ -2370,7 +2446,7 @@ You are \${agent_id}. Staff Code Reviewer and System Auditor. Last line of defen
 - **store_behavior** \u2014 record new patterns
 - **update_task** \u2014 mark reviews done with structured findings
 - **create_task** \u2014 assign fixes to the CTO
-
+${PLAN_MODE_COMPAT}
 ## Completion Workflow
 
 1. Read the task brief and understand the audit scope
@@ -2388,20 +2464,21 @@ You are \${agent_id}. Staff Code Reviewer and System Auditor. Last line of defen
 // src/lib/setup-wizard.ts
 init_config();
 import crypto2 from "crypto";
-import { existsSync as existsSync8, mkdirSync as mkdirSync3, readFileSync as readFileSync6, writeFileSync as writeFileSync3 } from "fs";
-import os2 from "os";
+import { existsSync as existsSync8, mkdirSync as mkdirSync3, readFileSync as readFileSync6, writeFileSync as writeFileSync3, unlinkSync as unlinkSync3 } from "fs";
+import os3 from "os";
 import path8 from "path";
 import { createInterface } from "readline";
 
 // src/lib/keychain.ts
-import { readFile as readFile2, writeFile as writeFile2, unlink, mkdir as mkdir2, chmod } from "fs/promises";
+import { readFile as readFile2, writeFile as writeFile2, unlink, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
 import { existsSync as existsSync2 } from "fs";
 import path2 from "path";
+import os2 from "os";
 import crypto from "crypto";
 var SERVICE = "exe-mem";
 var ACCOUNT = "master-key";
 function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path2.join(process.env.HOME ?? "/tmp", ".exe-os");
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path2.join(os2.homedir(), ".exe-os");
 }
 function getKeyPath() {
   return path2.join(getKeyDir(), "master.key");
@@ -2449,7 +2526,7 @@ async function setMasterKey(key) {
   await mkdir2(dir, { recursive: true });
   const keyPath = getKeyPath();
   await writeFile2(keyPath, b64 + "\n", "utf-8");
-  await chmod(keyPath, 384);
+  await chmod2(keyPath, 384);
 }
 
 // src/lib/model-downloader.ts
@@ -2467,48 +2544,67 @@ async function downloadModel(opts) {
   const tmpPath = destPath + ".tmp";
   await mkdir3(destDir, { recursive: true });
   if (existsSync3(destPath)) {
-    const hash2 = await fileHash(destPath);
-    if (hash2 === EXPECTED_SHA256) {
+    const hash = await fileHash(destPath);
+    if (hash === EXPECTED_SHA256) {
       return destPath;
     }
   }
-  if (existsSync3(tmpPath)) unlinkSync(tmpPath);
-  const response = await fetchFn(GGUF_URL, { redirect: "follow" });
-  if (!response.ok || !response.body) {
-    throw new Error(`Download failed: HTTP ${response.status}`);
-  }
-  const contentLength = Number(response.headers.get("content-length") ?? EXPECTED_SIZE);
+  const MAX_RETRIES = 3;
+  const DOWNLOAD_TIMEOUT_MS = 3e5;
+  let lastErr;
   let downloaded = 0;
-  const hash = createHash("sha256");
-  const fileStream = createWriteStream(tmpPath);
-  const reader = response.body.getReader();
-  try {
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done) break;
-      if (!fileStream.write(value)) {
-        await new Promise((resolve) => fileStream.once("drain", resolve));
+  for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
+    try {
+      if (existsSync3(tmpPath)) unlinkSync(tmpPath);
+      const response = await fetchFn(GGUF_URL, {
+        redirect: "follow",
+        signal: AbortSignal.timeout(DOWNLOAD_TIMEOUT_MS)
+      });
+      if (!response.ok || !response.body) {
+        throw new Error(`Download failed: HTTP ${response.status}`);
+      }
+      const contentLength = Number(response.headers.get("content-length") ?? EXPECTED_SIZE);
+      const hash = createHash("sha256");
+      const fileStream = createWriteStream(tmpPath);
+      const reader = response.body.getReader();
+      try {
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          if (!fileStream.write(value)) {
+            await new Promise((resolve) => fileStream.once("drain", resolve));
+          }
+          hash.update(value);
+          downloaded += value.byteLength;
+          onProgress?.(downloaded, contentLength);
+        }
+      } finally {
+        fileStream.end();
+        await new Promise((resolve, reject) => {
+          fileStream.on("finish", resolve);
+          fileStream.on("error", reject);
+        });
+      }
+      const actualHash = hash.digest("hex");
+      if (actualHash !== EXPECTED_SHA256) {
+        unlinkSync(tmpPath);
+        throw new Error(
+          `SHA256 mismatch: expected ${EXPECTED_SHA256}, got ${actualHash}`
+        );
+      }
+      renameSync2(tmpPath, destPath);
+      return destPath;
+    } catch (err) {
+      lastErr = err instanceof Error ? err : new Error(String(err));
+      if (attempt < MAX_RETRIES) {
+        process.stderr.write(`
+Download attempt ${attempt} failed, retrying...
+`);
+        if (existsSync3(tmpPath)) unlinkSync(tmpPath);
       }
-      hash.update(value);
-      downloaded += value.byteLength;
-      onProgress?.(downloaded, contentLength);
     }
-  } finally {
-    fileStream.end();
-    await new Promise((resolve, reject) => {
-      fileStream.on("finish", resolve);
-      fileStream.on("error", reject);
-    });
   }
-  const actualHash = hash.digest("hex");
-  if (actualHash !== EXPECTED_SHA256) {
-    unlinkSync(tmpPath);
-    throw new Error(
-      `SHA256 mismatch: expected ${EXPECTED_SHA256}, got ${actualHash}`
-    );
-  }
-  renameSync2(tmpPath, destPath);
-  return destPath;
+  throw lastErr;
 }
 async function fileHash(filePath) {
   return new Promise((resolve, reject) => {
@@ -2521,6 +2617,24 @@ async function fileHash(filePath) {
 }
 
 // src/lib/setup-wizard.ts
+var SETUP_STATE_PATH = path8.join(os3.homedir(), ".exe-os", "setup-state.json");
+function loadSetupState() {
+  try {
+    return JSON.parse(readFileSync6(SETUP_STATE_PATH, "utf8"));
+  } catch {
+    return { completedSteps: [], startedAt: (/* @__PURE__ */ new Date()).toISOString() };
+  }
+}
+function saveSetupState(state) {
+  mkdirSync3(path8.dirname(SETUP_STATE_PATH), { recursive: true });
+  writeFileSync3(SETUP_STATE_PATH, JSON.stringify(state, null, 2));
+}
+function clearSetupState() {
+  try {
+    unlinkSync3(SETUP_STATE_PATH);
+  } catch {
+  }
+}
 function ask(rl, prompt) {
   return new Promise((resolve) => {
     const doAsk = () => {
@@ -2560,88 +2674,133 @@ async function runSetupWizard(opts = {}) {
       rl.close();
       return;
     }
+    const state = loadSetupState();
+    if (state.completedSteps.length > 0) {
+      log(`Resuming setup from step ${Math.max(...state.completedSteps) + 1}...`);
+    }
     if (existsSync8(LEGACY_LANCE_PATH)) {
       log("\u26A0 Found v1.0 LanceDB at ~/.exe-os/local.lance");
       log("  v1.1 uses libSQL (SQLite). Your existing memories are not automatically migrated.");
       log("  The old directory will not be modified or deleted.");
       log("");
     }
-    const existingKey = await getMasterKey();
-    if (existingKey) {
-      log("Encryption key already exists \u2014 skipping generation.");
+    if (!state.completedSteps.includes(1)) {
+      const existingKey = await getMasterKey();
+      if (existingKey) {
+        log("Encryption key already exists \u2014 skipping generation.");
+      } else {
+        log("Generating 256-bit encryption key...");
+        const key = crypto2.randomBytes(32);
+        await setMasterKey(key);
+        log("Encryption key generated and stored securely.");
+      }
+      state.completedSteps.push(1);
+      saveSetupState(state);
     } else {
-      log("Generating 256-bit encryption key...");
-      const key = crypto2.randomBytes(32);
-      await setMasterKey(key);
-      log("Encryption key generated and stored securely.");
+      log("Step 1 already complete \u2014 skipping.");
     }
     log("");
-    log("Exe Cloud: your memories are end-to-end encrypted, compressed, and");
-    log("backed up on Exe Cloud. Free for all plans. We can't read your data \u2014");
-    log("only your encryption key can decrypt it.");
     let cloudConfig;
-    try {
-      const { loadDeviceId: loadDeviceId2 } = await Promise.resolve().then(() => (init_license(), license_exports));
-      const deviceId = loadDeviceId2();
-      const res = await fetch("https://askexe.com/cloud/auth/auto-provision", {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ deviceId }),
-        signal: AbortSignal.timeout(1e4)
-      });
-      if (res.ok) {
-        const data = await res.json();
-        if (data.apiKey) {
-          cloudConfig = { apiKey: data.apiKey, endpoint: "https://askexe.com/cloud" };
-          const { saveLicense: saveLicense3, mirrorLicenseKey: mirrorLicenseKey3 } = await Promise.resolve().then(() => (init_license(), license_exports));
-          saveLicense3(data.apiKey);
-          mirrorLicenseKey3(data.apiKey);
-          log("Cloud sync activated automatically.");
+    if (!state.completedSteps.includes(2)) {
+      log("Exe Cloud: your memories are end-to-end encrypted, compressed, and");
+      log("backed up on Exe Cloud. Free for all plans. We can't read your data \u2014");
+      log("only your encryption key can decrypt it.");
+      try {
+        const { loadDeviceId: loadDeviceId2 } = await Promise.resolve().then(() => (init_license(), license_exports));
+        const deviceId = loadDeviceId2();
+        let res;
+        try {
+          res = await fetch("https://askexe.com/cloud/auth/auto-provision", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ deviceId }),
+            signal: AbortSignal.timeout(1e4)
+          });
+        } catch {
+          await new Promise((r) => setTimeout(r, 500));
+          res = await fetch("https://askexe.com/cloud/auth/auto-provision", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ deviceId }),
+            signal: AbortSignal.timeout(1e4)
+          });
         }
+        if (res.ok) {
+          const data = await res.json();
+          if (data.apiKey) {
+            cloudConfig = { apiKey: data.apiKey, endpoint: "https://askexe.com/cloud" };
+            const { saveLicense: saveLicense3, mirrorLicenseKey: mirrorLicenseKey3 } = await Promise.resolve().then(() => (init_license(), license_exports));
+            saveLicense3(data.apiKey);
+            mirrorLicenseKey3(data.apiKey);
+            log("Cloud sync activated automatically.");
+          }
+        }
+      } catch {
+        log("Cloud sync will activate when online.");
       }
-    } catch {
-      log("Cloud sync will activate when online.");
+      state.completedSteps.push(2);
+      saveSetupState(state);
+    } else {
+      log("Step 2 already complete \u2014 skipping.");
     }
     log("");
-    if (!skipModel2) {
-      log("Note: jina-embeddings-v5-text-small is licensed CC-BY-NC-4.0 (non-commercial)");
-      log("");
-      await downloadModel({
-        destDir: MODELS_DIR,
-        onProgress: (downloaded, total) => {
-          const pct = (downloaded / total * 100).toFixed(1);
-          const dlMB = (downloaded / 1e6).toFixed(0);
-          const totalMB = (total / 1e6).toFixed(0);
-          process.stderr.write(`\rDownloading model: ${pct}% (${dlMB}/${totalMB} MB)`);
-        }
-      });
-      process.stderr.write("\n");
-      log("Model downloaded and verified.");
+    if (!state.completedSteps.includes(3)) {
+      if (!skipModel2) {
+        log("Note: jina-embeddings-v5-text-small is licensed CC-BY-NC-4.0 (non-commercial)");
+        log("");
+        await downloadModel({
+          destDir: MODELS_DIR,
+          onProgress: (downloaded, total) => {
+            const pct = (downloaded / total * 100).toFixed(1);
+            const dlMB = (downloaded / 1e6).toFixed(0);
+            const totalMB = (total / 1e6).toFixed(0);
+            process.stderr.write(`\rDownloading model: ${pct}% (${dlMB}/${totalMB} MB)`);
+          }
+        });
+        process.stderr.write("\n");
+        log("Model downloaded and verified.");
+      }
+      state.completedSteps.push(3);
+      saveSetupState(state);
+    } else {
+      log("Step 3 already complete \u2014 skipping.");
     }
-    if (!skipModel2 && !skipModelValidation) {
-      await validateModel(log);
+    if (!state.completedSteps.includes(4)) {
+      if (!skipModel2 && !skipModelValidation) {
+        await validateModel(log);
+      }
+      state.completedSteps.push(4);
+      saveSetupState(state);
+    } else {
+      log("Step 4 already complete \u2014 skipping.");
     }
     const config = await loadConfig();
-    if (cloudConfig) {
-      config.cloud = cloudConfig;
-    }
-    await saveConfig(config);
-    log("");
-    try {
-      const claudeJsonPath = path8.join(os2.homedir(), ".claude.json");
-      let claudeJson = {};
+    if (!state.completedSteps.includes(5)) {
+      if (cloudConfig) {
+        config.cloud = cloudConfig;
+      }
+      await saveConfig(config);
+      log("");
       try {
-        claudeJson = JSON.parse(readFileSync6(claudeJsonPath, "utf8"));
+        const claudeJsonPath = path8.join(os3.homedir(), ".claude.json");
+        let claudeJson = {};
+        try {
+          claudeJson = JSON.parse(readFileSync6(claudeJsonPath, "utf8"));
+        } catch {
+        }
+        if (!claudeJson.projects) claudeJson.projects = {};
+        const projects = claudeJson.projects;
+        for (const dir of [process.cwd(), os3.homedir()]) {
+          if (!projects[dir]) projects[dir] = {};
+          projects[dir].hasTrustDialogAccepted = true;
+        }
+        writeFileSync3(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
       } catch {
       }
-      if (!claudeJson.projects) claudeJson.projects = {};
-      const projects = claudeJson.projects;
-      for (const dir of [process.cwd(), os2.homedir()]) {
-        if (!projects[dir]) projects[dir] = {};
-        projects[dir].hasTrustDialogAccepted = true;
-      }
-      writeFileSync3(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
-    } catch {
+      state.completedSteps.push(5);
+      saveSetupState(state);
+    } else {
+      log("Step 5 already complete \u2014 skipping.");
     }
     const {
       loadEmployees: loadEmployees2,
@@ -2650,7 +2809,7 @@ async function runSetupWizard(opts = {}) {
       registerBinSymlinks: registerBinSymlinks2,
       EMPLOYEES_PATH: EMPLOYEES_PATH2
     } = await Promise.resolve().then(() => (init_employees(), employees_exports));
-    const { getTemplate: getEmployeeTemplate } = await Promise.resolve().then(() => (init_employee_templates(), employee_templates_exports));
+    const { getTemplateByRole: getTemplateByRole2 } = await Promise.resolve().then(() => (init_employee_templates(), employee_templates_exports));
     const { identityPath: identityPath2 } = await Promise.resolve().then(() => (init_identity(), identity_exports));
     const { getTemplate: getIdentityTemplate } = await Promise.resolve().then(() => (init_identity_templates(), identity_templates_exports));
     const {
@@ -2660,152 +2819,178 @@ async function runSetupWizard(opts = {}) {
       validateLicense: validateLicense2
     } = await Promise.resolve().then(() => (init_license(), license_exports));
     const createdEmployees = [];
-    log("=== Your Team ===");
-    log("");
-    log("Every install starts with a COO \u2014 your right-hand operator.");
-    log("They hold the big picture: priorities, progress, and blockers.");
-    log("You talk to them. They coordinate everyone else.");
-    log("");
-    const cooNameInput = await ask(rl, "Name your COO (default: exe): ");
-    const cooName = (cooNameInput || "exe").toLowerCase();
-    let employees = await loadEmployees2(EMPLOYEES_PATH2).catch(() => []);
-    if (!employees.some((e) => e.name === cooName)) {
-      const { DEFAULT_EXE: DEFAULT_EXE2, personalizePrompt: personalizePrompt2 } = await Promise.resolve().then(() => (init_employee_templates(), employee_templates_exports));
-      const cooEmployee = {
-        name: cooName,
-        role: "COO",
-        systemPrompt: personalizePrompt2(DEFAULT_EXE2.systemPrompt, "exe", cooName),
-        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-        templateName: "exe",
-        templateVersion: 1
-      };
-      employees = addEmployee2(employees, cooEmployee);
-      await saveEmployees2(employees, EMPLOYEES_PATH2);
-    }
-    const cooIdentityContent = getIdentityTemplate("coo");
-    if (cooIdentityContent) {
-      const cooIdPath = identityPath2(cooName);
-      mkdirSync3(path8.dirname(cooIdPath), { recursive: true });
-      const replaced = cooIdentityContent.replace(/agent_id:\s*exe/g, `agent_id: ${cooName}`).replace(/\$\{agent_id\}/g, cooName);
-      writeFileSync3(cooIdPath, replaced, "utf-8");
-    }
-    registerBinSymlinks2(cooName);
-    createdEmployees.push({ name: cooName, role: "COO" });
-    log("");
-    log("=== Meet Your Specialists ===");
-    log("");
-    log("Your COO coordinates specialists. Here's who you can hire:");
-    log("");
-    log("  CTO (default: yoshi)");
-    log("  Your head of engineering. Architecture, code reviews, tech decisions.");
-    log("  Manages your projects and delegates to engineers when there's parallel work.");
-    log("");
-    log("  CMO (default: mari)");
-    log("  Design, brand, content, SEO. Builds your visual identity, writes");
-    log("  your copy, and gets you found online. Delegates to content specialists.");
-    log("");
-    log("Why separate roles instead of one AI that does everything?");
-    log("");
-    log("Memory saturates. One agent juggling architecture decisions AND landing page");
-    log("copy AND CI/CD AND social media loses context on all of them. Competing");
-    log("priorities \u2014 should I fix the auth bug or write the blog post? When you split");
-    log("responsibilities, each specialist stays sharp because they stay focused.");
-    log("Your COO connects them so nothing falls through the cracks.");
-    log("");
-    log("This is how real companies scale \u2014 you're just doing it with AI");
-    log("instead of headcount.");
-    log("");
-    await ask(rl, "Press Enter to continue. ");
-    let license;
-    try {
-      license = await checkLicense2();
-    } catch {
-      license = { valid: true, plan: "free", email: "", expiresAt: null, deviceLimit: 1, employeeLimit: 2, memoryLimit: 1e3 };
-    }
-    if (license.plan === "free") {
-      log("Your plan: Free \u2014 1 employee (your COO)");
+    let cooName = "exe";
+    if (!state.completedSteps.includes(6)) {
+      log("=== Your Team ===");
       log("");
-      log("The CTO and CMO are available on Solopreneur ($97/mo) \u2014 full engineering");
-      log("and marketing team, unlimited tasks, priority support.");
-      log("Get your key at https://askexe.com, then paste it here.");
+      log("Every install starts with a COO \u2014 your right-hand operator.");
+      log("They hold the big picture: priorities, progress, and blockers.");
+      log("You talk to them. They coordinate everyone else.");
       log("");
-      const licenseInput = await ask(rl, "License key (or press Enter to skip): ");
-      if (licenseInput.startsWith("exe_sk_")) {
-        saveLicense2(licenseInput);
-        mirrorLicenseKey2(licenseInput);
-        try {
-          license = await validateLicense2(licenseInput);
-        } catch {
-          log("Couldn't reach the license server \u2014 your key has been saved.");
-          log("Run exe-os --activate <key> anytime to finish activation.");
-        }
-      } else if (!licenseInput) {
-        log("You can activate anytime with: exe-os --activate <key>");
-      } else {
-        log("That doesn't look like a license key (should start with exe_sk_).");
-        log("You can activate anytime with: exe-os --activate <key>");
+      const cooNameInput = await ask(rl, "Name your COO (default: exe): ");
+      cooName = (cooNameInput || "exe").toLowerCase();
+      let employees = await loadEmployees2(EMPLOYEES_PATH2).catch(() => []);
+      if (!employees.some((e) => e.name === cooName)) {
+        const { DEFAULT_EXE: DEFAULT_EXE2, personalizePrompt: personalizePrompt2 } = await Promise.resolve().then(() => (init_employee_templates(), employee_templates_exports));
+        const cooEmployee = {
+          name: cooName,
+          role: "COO",
+          systemPrompt: personalizePrompt2(DEFAULT_EXE2.systemPrompt, "exe", cooName),
+          createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+          templateName: "exe",
+          templateVersion: 1
+        };
+        employees = addEmployee2(employees, cooEmployee);
+        await saveEmployees2(employees, EMPLOYEES_PATH2);
+      }
+      const cooIdentityContent = getIdentityTemplate("coo");
+      if (cooIdentityContent) {
+        const cooIdPath = identityPath2(cooName);
+        mkdirSync3(path8.dirname(cooIdPath), { recursive: true });
+        const replaced = cooIdentityContent.replace(/agent_id:\s*exe/g, `agent_id: ${cooName}`).replace(/\$\{agent_id\}/g, cooName);
+        writeFileSync3(cooIdPath, replaced, "utf-8");
       }
+      registerBinSymlinks2(cooName);
+      createdEmployees.push({ name: cooName, role: "COO" });
+      state.completedSteps.push(6);
+      saveSetupState(state);
+    } else {
+      log("Step 6 already complete \u2014 skipping.");
+      const roster = await loadEmployees2(EMPLOYEES_PATH2).catch(() => []);
+      const existingCoo = roster.find((e) => e.role === "COO");
+      if (existingCoo) cooName = existingCoo.name;
     }
-    if (license.plan !== "free") {
-      const planName = license.plan === "pro" ? "Solopreneur" : license.plan.charAt(0).toUpperCase() + license.plan.slice(1);
-      log(`Your plan: ${planName} (up to ${license.employeeLimit} employees)`);
+    log("");
+    if (!state.completedSteps.includes(7)) {
+      log("=== Meet Your Specialists ===");
       log("");
-      const createCto = await ask(rl, "Create your CTO? (Y/n): ");
-      if (createCto.toLowerCase() !== "n") {
-        const ctoNameInput = await ask(rl, "Name your CTO (default: yoshi): ");
-        const ctoName = (ctoNameInput || "yoshi").toLowerCase();
-        if (!employees.some((e) => e.name === ctoName)) {
-          const ctoTemplate = getEmployeeTemplate("yoshi");
-          const { personalizePrompt: personalizeCto } = await Promise.resolve().then(() => (init_employee_templates(), employee_templates_exports));
-          const ctoEmployee = {
-            name: ctoName,
-            role: "CTO",
-            systemPrompt: personalizeCto(ctoTemplate?.systemPrompt ?? "", "yoshi", ctoName),
-            createdAt: (/* @__PURE__ */ new Date()).toISOString()
-          };
-          employees = addEmployee2(employees, ctoEmployee);
-          await saveEmployees2(employees, EMPLOYEES_PATH2);
-        }
-        const ctoIdentityContent = getIdentityTemplate("cto");
-        if (ctoIdentityContent) {
-          const ctoIdPath = identityPath2(ctoName);
-          mkdirSync3(path8.dirname(ctoIdPath), { recursive: true });
-          const replaced = ctoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${ctoName}`).replace(/\$\{agent_id\}/g, ctoName);
-          writeFileSync3(ctoIdPath, replaced, "utf-8");
+      log("Your COO coordinates specialists. Here's who you can hire:");
+      log("");
+      log("  CTO (default: yoshi)");
+      log("  Your head of engineering. Architecture, code reviews, tech decisions.");
+      log("  Manages your projects and delegates to engineers when there's parallel work.");
+      log("");
+      log("  CMO (default: mari)");
+      log("  Design, brand, content, SEO. Builds your visual identity, writes");
+      log("  your copy, and gets you found online. Delegates to content specialists.");
+      log("");
+      log("Why separate roles instead of one AI that does everything?");
+      log("");
+      log("Memory saturates. One agent juggling architecture decisions AND landing page");
+      log("copy AND CI/CD AND social media loses context on all of them. Competing");
+      log("priorities \u2014 should I fix the auth bug or write the blog post? When you split");
+      log("responsibilities, each specialist stays sharp because they stay focused.");
+      log("Your COO connects them so nothing falls through the cracks.");
+      log("");
+      log("This is how real companies scale \u2014 you're just doing it with AI");
+      log("instead of headcount.");
+      log("");
+      await ask(rl, "Press Enter to continue. ");
+      state.completedSteps.push(7);
+      saveSetupState(state);
+    } else {
+      log("Step 7 already complete \u2014 skipping.");
+    }
+    if (!state.completedSteps.includes(8)) {
+      let employees = await loadEmployees2(EMPLOYEES_PATH2).catch(() => []);
+      let license;
+      try {
+        license = await checkLicense2();
+      } catch {
+        license = { valid: true, plan: "free", email: "", expiresAt: null, deviceLimit: 1, employeeLimit: 2, memoryLimit: 1e3 };
+      }
+      if (license.plan === "free") {
+        log("Your plan: Free \u2014 1 employee (your COO)");
+        log("");
+        log("The CTO and CMO are available on Solopreneur ($97/mo) \u2014 full engineering");
+        log("and marketing team, unlimited tasks, priority support.");
+        log("Get your key at https://askexe.com, then paste it here.");
+        log("");
+        const licenseInput = await ask(rl, "License key (or press Enter to skip): ");
+        if (licenseInput.startsWith("exe_sk_")) {
+          saveLicense2(licenseInput);
+          mirrorLicenseKey2(licenseInput);
+          try {
+            license = await validateLicense2(licenseInput);
+          } catch {
+            log("Couldn't reach the license server \u2014 your key has been saved.");
+            log("Run exe-os --activate <key> anytime to finish activation.");
+          }
+        } else if (!licenseInput) {
+          log("You can activate anytime with: exe-os --activate <key>");
+        } else {
+          log("That doesn't look like a license key (should start with exe_sk_).");
+          log("You can activate anytime with: exe-os --activate <key>");
         }
-        registerBinSymlinks2(ctoName);
-        createdEmployees.push({ name: ctoName, role: "CTO" });
-        log(`Created ${ctoName} (CTO)`);
       }
-      const createCmo = await ask(rl, "Create your CMO? (Y/n): ");
-      if (createCmo.toLowerCase() !== "n") {
-        const cmoNameInput = await ask(rl, "Name your CMO (default: mari): ");
-        const cmoName = (cmoNameInput || "mari").toLowerCase();
-        if (!employees.some((e) => e.name === cmoName)) {
-          const cmoTemplate = getEmployeeTemplate("mari");
-          const { personalizePrompt: personalizeCmo } = await Promise.resolve().then(() => (init_employee_templates(), employee_templates_exports));
-          const cmoEmployee = {
-            name: cmoName,
-            role: "CMO",
-            systemPrompt: personalizeCmo(cmoTemplate?.systemPrompt ?? "", "mari", cmoName),
-            createdAt: (/* @__PURE__ */ new Date()).toISOString()
-          };
-          employees = addEmployee2(employees, cmoEmployee);
-          await saveEmployees2(employees, EMPLOYEES_PATH2);
+      if (license.plan !== "free") {
+        const planName = license.plan === "pro" ? "Solopreneur" : license.plan.charAt(0).toUpperCase() + license.plan.slice(1);
+        log(`Your plan: ${planName} (up to ${license.employeeLimit} employees)`);
+        log("");
+        const createCto = await ask(rl, "Create your CTO? (Y/n): ");
+        if (createCto.toLowerCase() !== "n") {
+          const ctoTemplate = getTemplateByRole2("CTO");
+          const ctoDefault = ctoTemplate?.name ?? "cto";
+          const ctoNameInput = await ask(rl, `Name your CTO (default: ${ctoDefault}): `);
+          const ctoName = (ctoNameInput || ctoDefault).toLowerCase();
+          if (!employees.some((e) => e.name === ctoName)) {
+            const { personalizePrompt: personalizeCto } = await Promise.resolve().then(() => (init_employee_templates(), employee_templates_exports));
+            const ctoEmployee = {
+              name: ctoName,
+              role: "CTO",
+              systemPrompt: personalizeCto(ctoTemplate?.systemPrompt ?? "", ctoDefault, ctoName),
+              createdAt: (/* @__PURE__ */ new Date()).toISOString()
+            };
+            employees = addEmployee2(employees, ctoEmployee);
+            await saveEmployees2(employees, EMPLOYEES_PATH2);
+          }
+          const ctoIdentityContent = getIdentityTemplate("cto");
+          if (ctoIdentityContent) {
+            const ctoIdPath = identityPath2(ctoName);
+            mkdirSync3(path8.dirname(ctoIdPath), { recursive: true });
+            const replaced = ctoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${ctoName}`).replace(/\$\{agent_id\}/g, ctoName);
+            writeFileSync3(ctoIdPath, replaced, "utf-8");
+          }
+          registerBinSymlinks2(ctoName);
+          createdEmployees.push({ name: ctoName, role: "CTO" });
+          log(`Created ${ctoName} (CTO)`);
         }
-        const cmoIdentityContent = getIdentityTemplate("cmo");
-        if (cmoIdentityContent) {
-          const cmoIdPath = identityPath2(cmoName);
-          mkdirSync3(path8.dirname(cmoIdPath), { recursive: true });
-          const replaced = cmoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${cmoName}`).replace(/\$\{agent_id\}/g, cmoName);
-          writeFileSync3(cmoIdPath, replaced, "utf-8");
+        const createCmo = await ask(rl, "Create your CMO? (Y/n): ");
+        if (createCmo.toLowerCase() !== "n") {
+          const cmoTemplate = getTemplateByRole2("CMO");
+          const cmoDefault = cmoTemplate?.name ?? "cmo";
+          const cmoNameInput = await ask(rl, `Name your CMO (default: ${cmoDefault}): `);
+          const cmoName = (cmoNameInput || cmoDefault).toLowerCase();
+          if (!employees.some((e) => e.name === cmoName)) {
+            const { personalizePrompt: personalizeCmo } = await Promise.resolve().then(() => (init_employee_templates(), employee_templates_exports));
+            const cmoEmployee = {
+              name: cmoName,
+              role: "CMO",
+              systemPrompt: personalizeCmo(cmoTemplate?.systemPrompt ?? "", cmoDefault, cmoName),
+              createdAt: (/* @__PURE__ */ new Date()).toISOString()
+            };
+            employees = addEmployee2(employees, cmoEmployee);
+            await saveEmployees2(employees, EMPLOYEES_PATH2);
+          }
+          const cmoIdentityContent = getIdentityTemplate("cmo");
+          if (cmoIdentityContent) {
+            const cmoIdPath = identityPath2(cmoName);
+            mkdirSync3(path8.dirname(cmoIdPath), { recursive: true });
+            const replaced = cmoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${cmoName}`).replace(/\$\{agent_id\}/g, cmoName);
+            writeFileSync3(cmoIdPath, replaced, "utf-8");
+          }
+          registerBinSymlinks2(cmoName);
+          createdEmployees.push({ name: cmoName, role: "CMO" });
+          log(`Created ${cmoName} (CMO)`);
         }
-        registerBinSymlinks2(cmoName);
-        createdEmployees.push({ name: cmoName, role: "CMO" });
-        log(`Created ${cmoName} (CMO)`);
+        log("");
       }
-      log("");
+      state.completedSteps.push(8);
+      saveSetupState(state);
+    } else {
+      log("Step 8 already complete \u2014 skipping.");
     }
+    clearSetupState();
     log("=== Two Ways to Work ===");
     log("");
     log("  1. Claude Code mode");