@askexenow/exe-os 0.8.37 → 0.8.39

package/dist/bin/exe-call.js

@@ -10,7 +10,7 @@ var __export = (target, all) => {
 };
 
 // src/lib/config.ts
-import { readFile, writeFile, mkdir } from "fs/promises";
+import { readFile, writeFile, mkdir, chmod } from "fs/promises";
 import { readFileSync, existsSync, renameSync } from "fs";
 import path from "path";
 import os from "os";
@@ -193,15 +193,20 @@ function addEmployee(employees, employee) {
   }
   return [...employees, normalized];
 }
+function findExeBin() {
+  try {
+    return execSync(process.platform === "win32" ? "where exe-os" : "which exe-os", { encoding: "utf8" }).trim();
+  } catch {
+    return null;
+  }
+}
 function registerBinSymlinks(name) {
   const created = [];
   const skipped = [];
   const errors = [];
-  let exeBinPath;
-  try {
-    exeBinPath = execSync("which exe", { encoding: "utf-8" }).trim();
-  } catch {
-    errors.push("Could not find 'exe' in PATH");
+  const exeBinPath = findExeBin();
+  if (!exeBinPath) {
+    errors.push("Could not find 'exe-os' in PATH");
     return { created, skipped, errors };
   }
   const binDir = path2.dirname(exeBinPath);
@@ -249,6 +254,7 @@ __export(employee_templates_exports, {
   buildCustomEmployeePrompt: () => buildCustomEmployeePrompt,
   getSessionPrompt: () => getSessionPrompt,
   getTemplate: () => getTemplate,
+  getTemplateByRole: () => getTemplateByRole,
   personalizePrompt: () => personalizePrompt,
   renderClientCOOTemplate: () => renderClientCOOTemplate
 });
@@ -264,6 +270,10 @@ function buildCustomEmployeePrompt(name, role) {
 function getTemplate(name) {
   return TEMPLATES[name];
 }
+function getTemplateByRole(role) {
+  const lower = role.toLowerCase();
+  return Object.values(TEMPLATES).find((t) => t.role.toLowerCase() === lower);
+}
 function personalizePrompt(prompt, templateName, actualName) {
   if (templateName === actualName) return prompt;
   const escaped = templateName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
@@ -907,7 +917,8 @@ if (isMainModule(import.meta.url)) {
     const bootPath = path3.join(__dirname, "exe-boot.js");
     try {
       execSync2(`node "${bootPath}"`, { stdio: "inherit" });
-    } catch {
+    } catch (err) {
+      console.error(`Failed to boot exe: ${err instanceof Error ? err.message : String(err)}`);
       process.exit(1);
     }
     process.exit(0);
@@ -944,9 +955,8 @@ if (isMainModule(import.meta.url)) {
     );
     execSync2("claude --dangerously-skip-permissions", { stdio: "inherit", env });
   } catch (err) {
-    console.error(
-      err instanceof Error ? err.message : String(err)
-    );
+    console.error(`Failed to launch employee session: ${err instanceof Error ? err.message : String(err)}`);
+    console.error("Try running: exe-os team");
     process.exit(1);
   }
 }

package/dist/bin/exe-cloud.js

@@ -16,15 +16,15 @@ var __export = (target, all) => {
 };
 
 // src/lib/config.ts
-import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
 import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
 import path2 from "path";
-import os from "os";
+import os2 from "os";
 function resolveDataDir() {
   if (process.env.EXE_OS_DIR) return process.env.EXE_OS_DIR;
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
-  const newDir = path2.join(os.homedir(), ".exe-os");
-  const legacyDir = path2.join(os.homedir(), ".exe-mem");
+  const newDir = path2.join(os2.homedir(), ".exe-os");
+  const legacyDir = path2.join(os2.homedir(), ".exe-mem");
   if (!existsSync2(newDir) && existsSync2(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
@@ -111,7 +111,7 @@ async function loadConfig() {
     normalizeAutoUpdate(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
-      config.dbPath = config.dbPath.replace(/^~/, os.homedir());
+      config.dbPath = config.dbPath.replace(/^~/, os2.homedir());
     }
     return config;
   } catch {
@@ -123,6 +123,9 @@ async function saveConfig(config) {
   await mkdir2(dir, { recursive: true });
   const configPath = path2.join(dir, "config.json");
   await writeFile2(configPath, JSON.stringify(config, null, 2) + "\n");
+  if (config.cloud?.apiKey) {
+    await chmod2(configPath, 384);
+  }
 }
 var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CONFIG_VERSION, DEFAULT_CONFIG, CONFIG_MIGRATIONS;
 var init_config = __esm({
@@ -223,24 +226,34 @@ __export(license_exports, {
   loadLicense: () => loadLicense,
   mirrorLicenseKey: () => mirrorLicenseKey,
   saveLicense: () => saveLicense,
+  startLicenseRevalidation: () => startLicenseRevalidation,
+  stopLicenseRevalidation: () => stopLicenseRevalidation,
   validateLicense: () => validateLicense
 });
-import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3, mkdirSync } from "fs";
+import { readFileSync as readFileSync3, writeFileSync, existsSync as existsSync4, mkdirSync } from "fs";
 import { randomUUID } from "crypto";
-import path3 from "path";
+import path4 from "path";
 import { jwtVerify, importSPKI } from "jose";
+async function fetchRetry(url, init) {
+  try {
+    return await fetch(url, init);
+  } catch {
+    await new Promise((r) => setTimeout(r, RETRY_DELAY_MS));
+    return fetch(url, { ...init, signal: AbortSignal.timeout(1e4) });
+  }
+}
 function loadDeviceId() {
-  const deviceJsonPath = path3.join(EXE_AI_DIR, "device.json");
+  const deviceJsonPath = path4.join(EXE_AI_DIR, "device.json");
   try {
-    if (existsSync3(deviceJsonPath)) {
-      const data = JSON.parse(readFileSync2(deviceJsonPath, "utf8"));
+    if (existsSync4(deviceJsonPath)) {
+      const data = JSON.parse(readFileSync3(deviceJsonPath, "utf8"));
       if (data.deviceId) return data.deviceId;
     }
   } catch {
   }
   try {
-    if (existsSync3(DEVICE_ID_PATH)) {
-      const id2 = readFileSync2(DEVICE_ID_PATH, "utf8").trim();
+    if (existsSync4(DEVICE_ID_PATH)) {
+      const id2 = readFileSync3(DEVICE_ID_PATH, "utf8").trim();
       if (id2) return id2;
     }
   } catch {
@@ -252,15 +265,15 @@ function loadDeviceId() {
 }
 function loadLicense() {
   try {
-    if (!existsSync3(LICENSE_PATH)) return null;
-    return readFileSync2(LICENSE_PATH, "utf8").trim();
+    if (!existsSync4(LICENSE_PATH)) return null;
+    return readFileSync3(LICENSE_PATH, "utf8").trim();
   } catch {
     return null;
   }
 }
 function saveLicense(apiKey) {
   mkdirSync(EXE_AI_DIR, { recursive: true });
-  writeFileSync(LICENSE_PATH, apiKey.trim(), "utf8");
+  writeFileSync(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
 }
 async function verifyLicenseJwt(token) {
   try {
@@ -286,8 +299,8 @@ async function verifyLicenseJwt(token) {
 }
 async function getCachedLicense() {
   try {
-    if (!existsSync3(CACHE_PATH)) return null;
-    const raw = JSON.parse(readFileSync2(CACHE_PATH, "utf8"));
+    if (!existsSync4(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync3(CACHE_PATH, "utf8"));
     if (!raw.token || typeof raw.token !== "string") return null;
     return await verifyLicenseJwt(raw.token);
   } catch {
@@ -296,8 +309,8 @@ async function getCachedLicense() {
 }
 function readCachedToken() {
   try {
-    if (!existsSync3(CACHE_PATH)) return null;
-    const raw = JSON.parse(readFileSync2(CACHE_PATH, "utf8"));
+    if (!existsSync4(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync3(CACHE_PATH, "utf8"));
     return typeof raw.token === "string" ? raw.token : null;
   } catch {
     return null;
@@ -312,7 +325,7 @@ function cacheResponse(token) {
 async function validateLicense(apiKey, deviceId) {
   const did = deviceId ?? loadDeviceId();
   try {
-    const res = await fetch(`${API_BASE}/auth/activate`, {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ apiKey, deviceId: did }),
@@ -347,14 +360,23 @@ async function validateLicense(apiKey, deviceId) {
   } catch {
     const cached = await getCachedLicense();
     if (cached) return cached;
-    return FREE_LICENSE;
+    return { ...FREE_LICENSE, valid: false, error: "offline" };
+  }
+}
+function getCacheAgeMs() {
+  try {
+    const { statSync } = __require("fs");
+    const s = statSync(CACHE_PATH);
+    return Date.now() - s.mtimeMs;
+  } catch {
+    return Infinity;
   }
 }
 async function checkLicense() {
   const key = loadLicense();
   if (!key) return FREE_LICENSE;
   const cached = await getCachedLicense();
-  if (cached) return cached;
+  if (cached && getCacheAgeMs() < CACHE_MAX_AGE_MS) return cached;
   const deviceId = loadDeviceId();
   return validateLicense(key, deviceId);
 }
@@ -394,7 +416,7 @@ async function assertVpsLicense(opts) {
   let explicitRejection = false;
   let transientFailure = false;
   try {
-    const res = await fetch(`${API_BASE}/auth/activate`, {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ apiKey, deviceId }),
@@ -475,15 +497,37 @@ async function assertVpsLicense(opts) {
     `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://askexe.com/cloud and retry. This VPS image refuses to boot after the offline grace window.`
   );
 }
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE;
+function startLicenseRevalidation(intervalMs = 36e5) {
+  if (_revalTimer) return;
+  _revalTimer = setInterval(async () => {
+    try {
+      const license = await checkLicense();
+      if (!license.valid) {
+        process.stderr.write("[exe-os] License expired or invalid \u2014 features may be restricted\n");
+      }
+    } catch {
+    }
+  }, intervalMs);
+  if (_revalTimer && typeof _revalTimer === "object" && "unref" in _revalTimer) {
+    _revalTimer.unref();
+  }
+}
+function stopLicenseRevalidation() {
+  if (_revalTimer) {
+    clearInterval(_revalTimer);
+    _revalTimer = null;
+  }
+}
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, CACHE_MAX_AGE_MS, _revalTimer;
 var init_license = __esm({
   "src/lib/license.ts"() {
     "use strict";
     init_config();
-    LICENSE_PATH = path3.join(EXE_AI_DIR, "license.key");
-    CACHE_PATH = path3.join(EXE_AI_DIR, "license-cache.json");
-    DEVICE_ID_PATH = path3.join(EXE_AI_DIR, "device-id");
+    LICENSE_PATH = path4.join(EXE_AI_DIR, "license.key");
+    CACHE_PATH = path4.join(EXE_AI_DIR, "license-cache.json");
+    DEVICE_ID_PATH = path4.join(EXE_AI_DIR, "device-id");
     API_BASE = "https://askexe.com/cloud";
+    RETRY_DELAY_MS = 500;
     LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
 4uj+UqeKCcvtgNHKmOK278HJaJcANe9xAeji8AFYu27q3WtzCi04pHudow==
@@ -505,6 +549,8 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
       employeeLimit: 1,
       memoryLimit: 5e3
     };
+    CACHE_MAX_AGE_MS = 36e5;
+    _revalTimer = null;
   }
 });
 
@@ -515,11 +561,12 @@ import { createInterface } from "readline";
 import { readFile, writeFile, unlink, mkdir, chmod } from "fs/promises";
 import { existsSync } from "fs";
 import path from "path";
+import os from "os";
 import crypto from "crypto";
 var SERVICE = "exe-mem";
 var ACCOUNT = "master-key";
 function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path.join(process.env.HOME ?? "/tmp", ".exe-os");
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path.join(os.homedir(), ".exe-os");
 }
 function getKeyPath() {
   return path.join(getKeyDir(), "master.key");
@@ -662,6 +709,58 @@ function isMainModule(importMetaUrl) {
   }
 }
 
+// src/lib/cloud-sync.ts
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync2, existsSync as existsSync6, readdirSync, mkdirSync as mkdirSync2, appendFileSync, unlinkSync } from "fs";
+import path6 from "path";
+import { homedir } from "os";
+
+// src/lib/database.ts
+import { createClient } from "@libsql/client";
+
+// src/lib/crypto.ts
+import crypto3 from "crypto";
+
+// src/lib/compress.ts
+import { brotliCompressSync, brotliDecompressSync, constants } from "zlib";
+
+// src/lib/plan-limits.ts
+import { readFileSync as readFileSync4, existsSync as existsSync5 } from "fs";
+import path5 from "path";
+
+// src/lib/employees.ts
+init_config();
+import { readFile as readFile3, writeFile as writeFile3, mkdir as mkdir3 } from "fs/promises";
+import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2 } from "fs";
+import { execSync } from "child_process";
+import path3 from "path";
+var EMPLOYEES_PATH = path3.join(EXE_AI_DIR, "exe-employees.json");
+
+// src/lib/plan-limits.ts
+init_license();
+init_config();
+var CACHE_PATH2 = path5.join(EXE_AI_DIR, "license-cache.json");
+
+// src/lib/cloud-sync.ts
+init_license();
+init_config();
+var LOCALHOST_PATTERNS = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
+var ROSTER_LOCK_PATH = path6.join(EXE_AI_DIR, "roster-merge.lock");
+function assertSecureEndpoint(endpoint) {
+  if (endpoint.startsWith("https://")) return;
+  if (endpoint.startsWith("http://")) {
+    try {
+      const parsed = new URL(endpoint);
+      if (LOCALHOST_PATTERNS.test(parsed.hostname)) return;
+    } catch {
+      return;
+    }
+    throw new Error(
+      `Insecure cloud endpoint rejected: "${endpoint}". Use https:// for remote hosts. Plain http:// is only allowed for localhost.`
+    );
+  }
+}
+var ROSTER_DELETIONS_PATH = path6.join(EXE_AI_DIR, "roster-deletions.json");
+
 // src/bin/exe-cloud.ts
 var BAR = "\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550";
 function ask(rl, question) {
@@ -709,6 +808,7 @@ async function setupMode() {
       const orgId = deriveOrgId(masterKey);
       const authTokenHash = hashAuthToken(deriveWsAuthToken(masterKey));
       try {
+        assertSecureEndpoint(config.cloud.endpoint);
         const regResp = await fetch(`${config.cloud.endpoint}/api/register-org`, {
           method: "POST",
           headers: { Authorization: `Bearer ${config.cloud.apiKey}`, "Content-Type": "application/json" },
@@ -730,6 +830,7 @@ async function setupMode() {
     const endpoint = await ask(rl, "  Endpoint [https://askexe.com/cloud]: ") || "https://askexe.com/cloud";
     console.log("  Validating...");
     try {
+      assertSecureEndpoint(endpoint);
       const resp = await fetch(`${endpoint}/auth/verify`, {
         method: "POST",
         headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" }
@@ -740,7 +841,8 @@ async function setupMode() {
         try {
           const { mirrorLicenseKey: mirrorLicenseKey2 } = await Promise.resolve().then(() => (init_license(), license_exports));
           mirrorLicenseKey2(apiKey);
-        } catch {
+        } catch (err) {
+          console.log(`  \u26A0 License mirror failed: ${err instanceof Error ? err.message : String(err)}`);
         }
         console.log("  \u2713 Cloud sync configured.\n");
         const masterKey = await getMasterKey();
@@ -749,6 +851,7 @@ async function setupMode() {
           const orgId = deriveOrgId(masterKey);
           const authTokenHash = hashAuthToken(deriveWsAuthToken(masterKey));
           try {
+            assertSecureEndpoint(endpoint);
             const regResp = await fetch(`${endpoint}/api/register-org`, {
               method: "POST",
               headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
@@ -796,9 +899,11 @@ async function syncMode() {
   console.log("  24-word recovery phrase:");
   console.log(`  ${mnemonic}
 `);
+  console.log("  \u26A0  Clear your terminal history after copying.\n");
   if (config.cloud?.apiKey) {
+    const maskedKey = config.cloud.apiKey.slice(0, 10) + "..." + config.cloud.apiKey.slice(-4);
     console.log("  Cloud API key:");
-    console.log(`  ${config.cloud.apiKey}
+    console.log(`  ${maskedKey}
 `);
     console.log("  Endpoint:");
     console.log(`  ${config.cloud.endpoint}

package/dist/bin/exe-dispatch.js

@@ -335,7 +335,7 @@ var init_database = __esm({
 });
 
 // src/lib/config.ts
-import { readFile, writeFile, mkdir } from "fs/promises";
+import { readFile, writeFile, mkdir, chmod } from "fs/promises";
 import { readFileSync as readFileSync3, existsSync as existsSync3, renameSync as renameSync2 } from "fs";
 import path3 from "path";
 import os3 from "os";

package/dist/bin/exe-doctor.js

@@ -1,12 +1,6 @@
 #!/usr/bin/env node
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
@@ -16,15 +10,15 @@ var __export = (target, all) => {
 };
 
 // src/lib/config.ts
-import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
 import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
 import path2 from "path";
-import os from "os";
+import os2 from "os";
 function resolveDataDir() {
   if (process.env.EXE_OS_DIR) return process.env.EXE_OS_DIR;
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
-  const newDir = path2.join(os.homedir(), ".exe-os");
-  const legacyDir = path2.join(os.homedir(), ".exe-mem");
+  const newDir = path2.join(os2.homedir(), ".exe-os");
+  const legacyDir = path2.join(os2.homedir(), ".exe-mem");
   if (!existsSync2(newDir) && existsSync2(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
@@ -111,7 +105,7 @@ async function loadConfig() {
     normalizeAutoUpdate(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
-      config.dbPath = config.dbPath.replace(/^~/, os.homedir());
+      config.dbPath = config.dbPath.replace(/^~/, os2.homedir());
     }
     return config;
   } catch {
@@ -218,7 +212,7 @@ __export(shard_manager_exports, {
   shardExists: () => shardExists
 });
 import path3 from "path";
-import { existsSync as existsSync3, mkdirSync } from "fs";
+import { existsSync as existsSync3, mkdirSync, readdirSync } from "fs";
 import { createClient as createClient2 } from "@libsql/client";
 function initShardManager(encryptionKey) {
   _encryptionKey = encryptionKey;
@@ -257,7 +251,6 @@ function shardExists(projectName) {
 }
 function listShards() {
   if (!existsSync3(SHARDS_DIR)) return [];
-  const { readdirSync } = __require("fs");
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
 async function ensureShardSchema(client) {
@@ -533,6 +526,7 @@ async function ensureSchema() {
   const client = getRawClient();
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");
+  await client.execute("PRAGMA wal_autocheckpoint = 1000");
   try {
     await client.execute("PRAGMA libsql_vector_search_ef = 128");
   } catch {
@@ -1326,11 +1320,12 @@ async function ensureSchema() {
 import { readFile, writeFile, unlink, mkdir, chmod } from "fs/promises";
 import { existsSync } from "fs";
 import path from "path";
+import os from "os";
 import crypto from "crypto";
 var SERVICE = "exe-mem";
 var ACCOUNT = "master-key";
 function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path.join(process.env.HOME ?? "/tmp", ".exe-os");
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path.join(os.homedir(), ".exe-os");
 }
 function getKeyPath() {
   return path.join(getKeyDir(), "master.key");
@@ -1367,6 +1362,30 @@ async function getMasterKey() {
 
 // src/lib/store.ts
 init_config();
+var INIT_MAX_RETRIES = 3;
+var INIT_RETRY_DELAY_MS = 1e3;
+function isBusyError2(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
+  }
+  return false;
+}
+async function retryOnBusy2(fn, label) {
+  for (let attempt = 0; attempt <= INIT_MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      if (!isBusyError2(err) || attempt === INIT_MAX_RETRIES) throw err;
+      process.stderr.write(
+        `[store] SQLITE_BUSY during ${label}, retry ${attempt + 1}/${INIT_MAX_RETRIES}
+`
+      );
+      await new Promise((r) => setTimeout(r, INIT_RETRY_DELAY_MS * (attempt + 1)));
+    }
+  }
+  throw new Error("unreachable");
+}
 var _pendingRecords = [];
 var _batchSize = 20;
 var _flushIntervalMs = 1e4;
@@ -1401,14 +1420,17 @@ async function initStore(options) {
     dbPath,
     encryptionKey: hexKey
   });
-  await ensureSchema();
+  await retryOnBusy2(() => ensureSchema(), "ensureSchema");
   try {
     const { initShardManager: initShardManager2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
     initShardManager2(hexKey);
   } catch {
   }
   const client = getClient();
-  const vResult = await client.execute("SELECT MAX(version) as max_v FROM memories");
+  const vResult = await retryOnBusy2(
+    () => client.execute("SELECT MAX(version) as max_v FROM memories"),
+    "version-query"
+  );
   _nextVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
 }