@askexenow/exe-os 0.8.58 → 0.8.60

package/dist/bin/cli.js

@@ -4864,6 +4864,32 @@ function readCachedToken() {
     return null;
   }
 }
+function getRawCachedPlan() {
+  try {
+    const token = readCachedToken();
+    if (!token) return null;
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+    const plan = payload.plan ?? "free";
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    process.stderr.write(
+      `[license] WARN: using unverified cached plan (API unreachable, JWT expired). Plan: ${plan}
+`
+    );
+    return {
+      valid: true,
+      plan,
+      email: payload.sub ?? "",
+      expiresAt: payload.exp ? new Date(payload.exp * 1e3).toISOString() : null,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
 function cacheResponse(token) {
   try {
     writeFileSync2(CACHE_PATH, JSON.stringify({ token }), "utf8");
@@ -4884,6 +4910,8 @@ async function validateLicense(apiKey, deviceId) {
       if (data.error === "device_limit_exceeded") {
         const cached2 = await getCachedLicense();
         if (cached2) return cached2;
+        const raw2 = getRawCachedPlan();
+        if (raw2) return { ...raw2, valid: false };
         return { ...FREE_LICENSE, valid: false, plan: "free" };
       }
       if (data.token) {
@@ -4904,10 +4932,14 @@ async function validateLicense(apiKey, deviceId) {
     }
     const cached = await getCachedLicense();
     if (cached) return cached;
+    const raw = getRawCachedPlan();
+    if (raw) return raw;
     return { ...FREE_LICENSE, valid: false, plan: "free" };
   } catch {
     const cached = await getCachedLicense();
     if (cached) return cached;
+    const rawFallback = getRawCachedPlan();
+    if (rawFallback) return rawFallback;
     return { ...FREE_LICENSE, valid: false, error: "offline" };
   }
 }
@@ -5096,8 +5128,8 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
 -----END PUBLIC KEY-----`;
     LICENSE_JWT_ALG = "ES256";
     PLAN_LIMITS = {
-      free: { devices: 1, employees: 1, memories: 5e3 },
-      pro: { devices: 2, employees: 5, memories: 1e5 },
+      free: { devices: 1, employees: 1, memories: 5e4 },
+      pro: { devices: 2, employees: 5, memories: 25e4 },
       team: { devices: 10, employees: 20, memories: 1e6 },
       agency: { devices: 50, employees: 100, memories: 1e7 },
       enterprise: { devices: -1, employees: -1, memories: -1 }
@@ -5109,7 +5141,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
       expiresAt: null,
       deviceLimit: 1,
       employeeLimit: 1,
-      memoryLimit: 5e3
+      memoryLimit: 5e4
     };
     CACHE_MAX_AGE_MS = 36e5;
     _revalTimer = null;
@@ -13238,6 +13270,21 @@ var init_session_kill_telemetry = __esm({
 });
 
 // src/lib/tasks-crud.ts
+var tasks_crud_exports = {};
+__export(tasks_crud_exports, {
+  TASK_ALREADY_CLAIMED_PREFIX: () => TASK_ALREADY_CLAIMED_PREFIX,
+  checkStaleCompletion: () => checkStaleCompletion,
+  createTaskCore: () => createTaskCore,
+  deleteTaskCore: () => deleteTaskCore,
+  ensureArchitectureDoc: () => ensureArchitectureDoc,
+  ensureGitignoreExe: () => ensureGitignoreExe,
+  extractParentFromContext: () => extractParentFromContext,
+  listTasks: () => listTasks,
+  resolveTask: () => resolveTask,
+  slugify: () => slugify,
+  updateTaskStatus: () => updateTaskStatus,
+  writeCheckpoint: () => writeCheckpoint
+});
 import crypto6 from "crypto";
 import path19 from "path";
 import { execSync as execSync8 } from "child_process";
@@ -13854,7 +13901,6 @@ var init_tasks_review = __esm({
     init_config();
     init_employees();
     init_notifications();
-    init_tasks_crud();
     init_tmux_routing();
     init_session_key();
     init_state_bus();
@@ -14990,18 +15036,21 @@ function exportBehaviorsSync(agentId, projectName, sessionKey) {
 function getMySession() {
   return getTransport().getMySession();
 }
+function isRootSession(name) {
+  return name.length > 0 && !name.includes("-");
+}
 function employeeSessionName(employee, exeSession, instance) {
-  if (!/^exe\d+$/.test(exeSession)) {
+  if (!isRootSession(exeSession)) {
     const root = extractRootExe(exeSession);
     if (root) {
       process.stderr.write(
-        `[tmux-routing] WARN: exeSession="${exeSession}" is not a root exe session, using "${root}" instead
+        `[tmux-routing] WARN: exeSession="${exeSession}" is not a root session, using "${root}" instead
 `
       );
       exeSession = root;
     } else {
       throw new Error(
-        `Invalid exeSession "${exeSession}" \u2014 must be a root exe session (e.g., "exe1"), not an agent session`
+        `Invalid exeSession "${exeSession}" \u2014 contains a dash but no recognizable root session. Pass a root session name (e.g., "exe1", "work", "yoda1")`
       );
     }
   }
@@ -15009,7 +15058,7 @@ function employeeSessionName(employee, exeSession, instance) {
   const name = `${employee}${suffix}-${exeSession}`;
   if (!VALID_SESSION_NAME.test(name)) {
     throw new Error(
-      `Invalid session name "${name}" \u2014 must match {agent}-exe{N} or {agent}{instance}-exe{N}`
+      `Invalid session name "${name}" \u2014 must match {agent}-{rootSession} or {agent}{instance}-{rootSession}`
     );
   }
   return name;
@@ -15252,11 +15301,11 @@ function ensureEmployee(employeeName, exeSession, projectDir, opts) {
       error: `Error: pass employee name ('${bare}'), not session name ('${employeeName}')`
     };
   }
-  if (!/^exe\d+$/.test(exeSession)) {
+  if (!isRootSession(exeSession)) {
     const root = extractRootExe(exeSession);
     if (root) {
       process.stderr.write(
-        `[ensureEmployee] WARN: caller passed exeSession="${exeSession}" (not a root exe). Auto-correcting to "${root}".
+        `[ensureEmployee] WARN: caller passed exeSession="${exeSession}" (not a root session). Auto-correcting to "${root}".
 `
       );
       exeSession = root;
@@ -15264,7 +15313,7 @@ function ensureEmployee(employeeName, exeSession, projectDir, opts) {
       return {
         status: "failed",
         sessionName: "",
-        error: `Invalid exeSession "${exeSession}" \u2014 must be a root exe session (e.g., "exe1")`
+        error: `Invalid exeSession "${exeSession}" \u2014 contains a dash but no recognizable root session. Pass a root session name (e.g., "exe1", "work", "yoda1")`
       };
     }
   }
@@ -15529,7 +15578,7 @@ var init_tmux_routing = __esm({
     SPAWN_LOCK_DIR = path24.join(os9.homedir(), ".exe-os", "spawn-locks");
     SESSION_CACHE = path24.join(os9.homedir(), ".exe-os", "session-cache");
     BEHAVIORS_EXPORT_TIMEOUT_MS = 1e4;
-    VALID_SESSION_NAME = /^[a-z]+-exe\d+$|^[a-z]+\d+-exe\d+$/;
+    VALID_SESSION_NAME = /^[a-z]+\d*-[a-zA-Z0-9_]+$/;
     VERIFY_PANE_LINES = 200;
     INTERCOM_DEBOUNCE_MS = 3e4;
     INTERCOM_LOG2 = path24.join(os9.homedir(), ".exe-os", "intercom.log");
@@ -19515,6 +19564,7 @@ var init_orchestrator = __esm({
     init_task_router();
     init_tmux_routing();
     init_task_scope();
+    init_tasks_crud();
     STALE_THRESHOLD_MS = 2 * 60 * 60 * 1e3;
     MultiAgentOrchestrator = class {
       config;
@@ -19551,6 +19601,26 @@ ${task.context}`,
           targetEmployee = routed.employee;
           routingScore = routed.score;
         }
+        try {
+          await createTaskCore({
+            title: task.title,
+            assignedTo: targetEmployee.name,
+            assignedBy: "exe",
+            projectName: task.projectName,
+            priority: task.priority,
+            context: task.context,
+            baseDir: this.config.projectDir,
+            skipDispatch: true
+          });
+        } catch (err) {
+          return {
+            employee: targetEmployee.name,
+            sessionName: "",
+            status: "failed",
+            routingScore,
+            error: `Task creation failed: ${err instanceof Error ? err.message : String(err)}`
+          };
+        }
         const result = ensureEmployee(
           targetEmployee.name,
           this.config.exeSession,
@@ -19838,7 +19908,17 @@ function useOrchestrator(enabled = true) {
   const spawnSession = useCallback5(
     async (agentId) => {
       try {
+        const { createTaskCore: createTaskCore2 } = await Promise.resolve().then(() => (init_tasks_crud(), tasks_crud_exports));
         const { ensureEmployee: ensureEmployee2 } = await Promise.resolve().then(() => (init_tmux_routing(), tmux_routing_exports));
+        await createTaskCore2({
+          title: `Session launched for ${agentId} (TUI)`,
+          assignedTo: agentId,
+          assignedBy: "exe",
+          projectName: "exe-os",
+          priority: "p2",
+          context: "Session spawned from TUI Sessions view. Agent will pick up any queued tasks via intercom.",
+          skipDispatch: true
+        });
         return ensureEmployee2(agentId, exeSessionRef.current, process.cwd());
       } catch {
         return null;

package/dist/bin/exe-boot.js

@@ -2418,6 +2418,32 @@ function readCachedToken() {
     return null;
   }
 }
+function getRawCachedPlan() {
+  try {
+    const token = readCachedToken();
+    if (!token) return null;
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+    const plan = payload.plan ?? "free";
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    process.stderr.write(
+      `[license] WARN: using unverified cached plan (API unreachable, JWT expired). Plan: ${plan}
+`
+    );
+    return {
+      valid: true,
+      plan,
+      email: payload.sub ?? "",
+      expiresAt: payload.exp ? new Date(payload.exp * 1e3).toISOString() : null,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
 function cacheResponse(token) {
   try {
     writeFileSync3(CACHE_PATH, JSON.stringify({ token }), "utf8");
@@ -2438,6 +2464,8 @@ async function validateLicense(apiKey, deviceId) {
       if (data.error === "device_limit_exceeded") {
         const cached2 = await getCachedLicense();
         if (cached2) return cached2;
+        const raw2 = getRawCachedPlan();
+        if (raw2) return { ...raw2, valid: false };
         return { ...FREE_LICENSE, valid: false, plan: "free" };
       }
       if (data.token) {
@@ -2458,10 +2486,14 @@ async function validateLicense(apiKey, deviceId) {
     }
     const cached = await getCachedLicense();
     if (cached) return cached;
+    const raw = getRawCachedPlan();
+    if (raw) return raw;
     return { ...FREE_LICENSE, valid: false, plan: "free" };
   } catch {
     const cached = await getCachedLicense();
     if (cached) return cached;
+    const rawFallback = getRawCachedPlan();
+    if (rawFallback) return rawFallback;
     return { ...FREE_LICENSE, valid: false, error: "offline" };
   }
 }
@@ -2650,8 +2682,8 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
 -----END PUBLIC KEY-----`;
     LICENSE_JWT_ALG = "ES256";
     PLAN_LIMITS = {
-      free: { devices: 1, employees: 1, memories: 5e3 },
-      pro: { devices: 2, employees: 5, memories: 1e5 },
+      free: { devices: 1, employees: 1, memories: 5e4 },
+      pro: { devices: 2, employees: 5, memories: 25e4 },
       team: { devices: 10, employees: 20, memories: 1e6 },
       agency: { devices: 50, employees: 100, memories: 1e7 },
       enterprise: { devices: -1, employees: -1, memories: -1 }
@@ -2663,7 +2695,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
       expiresAt: null,
       deviceLimit: 1,
       employeeLimit: 1,
-      memoryLimit: 5e3
+      memoryLimit: 5e4
     };
     CACHE_MAX_AGE_MS = 36e5;
     _revalTimer = null;
@@ -3642,7 +3674,6 @@ var init_tasks_review = __esm({
     init_config();
     init_employees();
     init_notifications();
-    init_tasks_crud();
     init_tmux_routing();
     init_session_key();
     init_state_bus();
@@ -4787,18 +4818,21 @@ function exportBehaviorsSync(agentId, projectName, sessionKey) {
 function getMySession() {
   return getTransport().getMySession();
 }
+function isRootSession(name) {
+  return name.length > 0 && !name.includes("-");
+}
 function employeeSessionName(employee, exeSession, instance) {
-  if (!/^exe\d+$/.test(exeSession)) {
+  if (!isRootSession(exeSession)) {
     const root = extractRootExe(exeSession);
     if (root) {
       process.stderr.write(
-        `[tmux-routing] WARN: exeSession="${exeSession}" is not a root exe session, using "${root}" instead
+        `[tmux-routing] WARN: exeSession="${exeSession}" is not a root session, using "${root}" instead
 `
       );
       exeSession = root;
     } else {
       throw new Error(
-        `Invalid exeSession "${exeSession}" \u2014 must be a root exe session (e.g., "exe1"), not an agent session`
+        `Invalid exeSession "${exeSession}" \u2014 contains a dash but no recognizable root session. Pass a root session name (e.g., "exe1", "work", "yoda1")`
       );
     }
   }
@@ -4806,7 +4840,7 @@ function employeeSessionName(employee, exeSession, instance) {
   const name = `${employee}${suffix}-${exeSession}`;
   if (!VALID_SESSION_NAME.test(name)) {
     throw new Error(
-      `Invalid session name "${name}" \u2014 must match {agent}-exe{N} or {agent}{instance}-exe{N}`
+      `Invalid session name "${name}" \u2014 must match {agent}-{rootSession} or {agent}{instance}-{rootSession}`
     );
   }
   return name;
@@ -5049,11 +5083,11 @@ function ensureEmployee(employeeName, exeSession, projectDir, opts) {
       error: `Error: pass employee name ('${bare}'), not session name ('${employeeName}')`
     };
   }
-  if (!/^exe\d+$/.test(exeSession)) {
+  if (!isRootSession(exeSession)) {
     const root = extractRootExe(exeSession);
     if (root) {
       process.stderr.write(
-        `[ensureEmployee] WARN: caller passed exeSession="${exeSession}" (not a root exe). Auto-correcting to "${root}".
+        `[ensureEmployee] WARN: caller passed exeSession="${exeSession}" (not a root session). Auto-correcting to "${root}".
 `
       );
       exeSession = root;
@@ -5061,7 +5095,7 @@ function ensureEmployee(employeeName, exeSession, projectDir, opts) {
       return {
         status: "failed",
         sessionName: "",
-        error: `Invalid exeSession "${exeSession}" \u2014 must be a root exe session (e.g., "exe1")`
+        error: `Invalid exeSession "${exeSession}" \u2014 contains a dash but no recognizable root session. Pass a root session name (e.g., "exe1", "work", "yoda1")`
       };
     }
   }
@@ -5326,7 +5360,7 @@ var init_tmux_routing = __esm({
     SPAWN_LOCK_DIR = path15.join(os6.homedir(), ".exe-os", "spawn-locks");
     SESSION_CACHE = path15.join(os6.homedir(), ".exe-os", "session-cache");
     BEHAVIORS_EXPORT_TIMEOUT_MS = 1e4;
-    VALID_SESSION_NAME = /^[a-z]+-exe\d+$|^[a-z]+\d+-exe\d+$/;
+    VALID_SESSION_NAME = /^[a-z]+\d*-[a-zA-Z0-9_]+$/;
     VERIFY_PANE_LINES = 200;
     INTERCOM_DEBOUNCE_MS = 3e4;
     INTERCOM_LOG2 = path15.join(os6.homedir(), ".exe-os", "intercom.log");
@@ -5716,6 +5750,9 @@ import { readFileSync as readFileSync12, writeFileSync as writeFileSync8, exists
 import crypto8 from "crypto";
 import path19 from "path";
 import { homedir } from "os";
+function sqlSafe(v) {
+  return v === void 0 ? null : v;
+}
 function logError(msg) {
   try {
     const logPath = path19.join(homedir(), ".exe-os", "workers.log");
@@ -5886,18 +5923,18 @@ async function cloudSync(config) {
              author_device_id, scope)
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
       args: [
-        rec.id ?? null,
-        rec.agent_id ?? null,
-        rec.agent_role ?? null,
-        rec.session_id ?? null,
-        rec.timestamp ?? null,
-        rec.tool_name ?? null,
-        rec.project_name ?? null,
-        rec.has_error ?? 0,
-        rec.raw_text ?? "",
-        rec.version ?? 0,
-        rec.author_device_id ?? null,
-        rec.scope ?? "business"
+        sqlSafe(rec.id),
+        sqlSafe(rec.agent_id),
+        sqlSafe(rec.agent_role),
+        sqlSafe(rec.session_id),
+        sqlSafe(rec.timestamp),
+        sqlSafe(rec.tool_name),
+        sqlSafe(rec.project_name),
+        sqlSafe(rec.has_error ?? 0),
+        sqlSafe(rec.raw_text ?? ""),
+        sqlSafe(rec.version ?? 0),
+        sqlSafe(rec.author_device_id),
+        sqlSafe(rec.scope ?? "business")
       ]
     }));
     await client.batch(stmts, "write");
@@ -6318,14 +6355,14 @@ async function cloudPullGlobalProcedures(config) {
             updated_at = excluded.updated_at
           WHERE excluded.updated_at > global_procedures.updated_at`,
     args: [
-      p.id ?? null,
-      p.title ?? null,
-      p.content ?? null,
-      p.priority ?? "p0",
-      p.domain ?? null,
-      p.active ?? 1,
-      p.created_at ?? null,
-      p.updated_at ?? null
+      sqlSafe(p.id),
+      sqlSafe(p.title),
+      sqlSafe(p.content),
+      sqlSafe(p.priority ?? "p0"),
+      sqlSafe(p.domain),
+      sqlSafe(p.active ?? 1),
+      sqlSafe(p.created_at),
+      sqlSafe(p.updated_at)
     ]
   }));
   await client.batch(stmts, "write");
@@ -6355,7 +6392,7 @@ async function cloudPullBehaviors(config) {
     const existing = await client.execute({
       sql: `SELECT COUNT(*) as cnt FROM behaviors
             WHERE agent_id = ? AND content = ?`,
-      args: [behavior.agent_id ?? null, behavior.content ?? null]
+      args: [sqlSafe(behavior.agent_id), sqlSafe(behavior.content)]
     });
     if (Number(existing.rows[0]?.cnt) > 0) continue;
     await client.execute({
@@ -6363,15 +6400,15 @@ async function cloudPullBehaviors(config) {
             (id, agent_id, project_name, domain, content, active, priority, created_at, updated_at)
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
       args: [
-        behavior.id ?? null,
-        behavior.agent_id ?? null,
-        behavior.project_name ?? null,
-        behavior.domain ?? null,
-        behavior.content ?? null,
-        behavior.active ?? 1,
-        behavior.priority ?? "p1",
-        behavior.created_at ?? null,
-        behavior.updated_at ?? null
+        sqlSafe(behavior.id),
+        sqlSafe(behavior.agent_id),
+        sqlSafe(behavior.project_name),
+        sqlSafe(behavior.domain),
+        sqlSafe(behavior.content),
+        sqlSafe(behavior.active ?? 1),
+        sqlSafe(behavior.priority ?? "p1"),
+        sqlSafe(behavior.created_at),
+        sqlSafe(behavior.updated_at)
       ]
     });
     pulled++;
@@ -6419,7 +6456,7 @@ async function cloudPullGraphRAG(config) {
     const stmts = blob.entities.map((e) => ({
       sql: `INSERT OR IGNORE INTO entities (id, name, type, first_seen, last_seen, properties)
             VALUES (?, ?, ?, ?, ?, ?)`,
-      args: [e.id, e.name, e.type, e.first_seen, e.last_seen, e.properties ?? "{}"]
+      args: [sqlSafe(e.id), sqlSafe(e.name), sqlSafe(e.type), sqlSafe(e.first_seen), sqlSafe(e.last_seen), sqlSafe(e.properties ?? "{}")]
     }));
     await client.batch(stmts, "write");
     pulled += stmts.length;
@@ -6430,15 +6467,15 @@ async function cloudPullGraphRAG(config) {
             (id, source_entity_id, target_entity_id, type, weight, timestamp, properties, confidence, confidence_label)
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
       args: [
-        r.id,
-        r.source_entity_id,
-        r.target_entity_id,
-        r.type,
-        r.weight ?? 1,
-        r.timestamp,
-        r.properties ?? "{}",
-        r.confidence ?? 1,
-        r.confidence_label ?? "extracted"
+        sqlSafe(r.id),
+        sqlSafe(r.source_entity_id),
+        sqlSafe(r.target_entity_id),
+        sqlSafe(r.type),
+        sqlSafe(r.weight ?? 1),
+        sqlSafe(r.timestamp),
+        sqlSafe(r.properties ?? "{}"),
+        sqlSafe(r.confidence ?? 1),
+        sqlSafe(r.confidence_label ?? "extracted")
       ]
     }));
     await client.batch(stmts, "write");
@@ -6447,7 +6484,7 @@ async function cloudPullGraphRAG(config) {
   if (blob.entity_aliases.length > 0) {
     const stmts = blob.entity_aliases.map((a) => ({
       sql: `INSERT OR IGNORE INTO entity_aliases (alias, canonical_entity_id) VALUES (?, ?)`,
-      args: [a.alias, a.canonical_entity_id]
+      args: [sqlSafe(a.alias), sqlSafe(a.canonical_entity_id)]
     }));
     await client.batch(stmts, "write");
     pulled += stmts.length;
@@ -6455,7 +6492,7 @@ async function cloudPullGraphRAG(config) {
   if (blob.entity_memories.length > 0) {
     const stmts = blob.entity_memories.map((em) => ({
       sql: `INSERT OR IGNORE INTO entity_memories (entity_id, memory_id) VALUES (?, ?)`,
-      args: [em.entity_id, em.memory_id]
+      args: [sqlSafe(em.entity_id), sqlSafe(em.memory_id)]
     }));
     await client.batch(stmts, "write");
     pulled += stmts.length;
@@ -6463,7 +6500,7 @@ async function cloudPullGraphRAG(config) {
   if (blob.relationship_memories.length > 0) {
     const stmts = blob.relationship_memories.map((rm) => ({
       sql: `INSERT OR IGNORE INTO relationship_memories (relationship_id, memory_id) VALUES (?, ?)`,
-      args: [rm.relationship_id, rm.memory_id]
+      args: [sqlSafe(rm.relationship_id), sqlSafe(rm.memory_id)]
     }));
     await client.batch(stmts, "write");
     pulled += stmts.length;
@@ -6472,7 +6509,7 @@ async function cloudPullGraphRAG(config) {
     const stmts = blob.hyperedges.map((h) => ({
       sql: `INSERT OR IGNORE INTO hyperedges (id, label, relation, confidence, timestamp)
             VALUES (?, ?, ?, ?, ?)`,
-      args: [h.id, h.label, h.relation, h.confidence ?? 1, h.timestamp]
+      args: [sqlSafe(h.id), sqlSafe(h.label), sqlSafe(h.relation), sqlSafe(h.confidence ?? 1), sqlSafe(h.timestamp)]
     }));
     await client.batch(stmts, "write");
     pulled += stmts.length;
@@ -6480,7 +6517,7 @@ async function cloudPullGraphRAG(config) {
   if (blob.hyperedge_nodes.length > 0) {
     const stmts = blob.hyperedge_nodes.map((hn) => ({
       sql: `INSERT OR IGNORE INTO hyperedge_nodes (hyperedge_id, entity_id) VALUES (?, ?)`,
-      args: [hn.hyperedge_id, hn.entity_id]
+      args: [sqlSafe(hn.hyperedge_id), sqlSafe(hn.entity_id)]
     }));
     await client.batch(stmts, "write");
     pulled += stmts.length;
@@ -6512,22 +6549,22 @@ async function cloudPullTasks(config) {
            blocked_by, parent_task_id, budget_tokens, budget_fallback_model, tokens_used, tokens_warned_at)
           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
     args: [
-      t.id ?? null,
-      t.title ?? null,
-      t.assigned_to ?? null,
-      t.assigned_by ?? null,
-      t.project_name ?? null,
-      t.priority ?? "p1",
-      t.status ?? "open",
-      t.task_file ?? null,
-      t.created_at ?? null,
-      t.updated_at ?? null,
-      t.blocked_by ?? null,
-      t.parent_task_id ?? null,
-      t.budget_tokens ?? null,
-      t.budget_fallback_model ?? null,
-      t.tokens_used ?? 0,
-      t.tokens_warned_at ?? null
+      sqlSafe(t.id),
+      sqlSafe(t.title),
+      sqlSafe(t.assigned_to),
+      sqlSafe(t.assigned_by),
+      sqlSafe(t.project_name),
+      sqlSafe(t.priority ?? "p1"),
+      sqlSafe(t.status ?? "open"),
+      sqlSafe(t.task_file),
+      sqlSafe(t.created_at),
+      sqlSafe(t.updated_at),
+      sqlSafe(t.blocked_by),
+      sqlSafe(t.parent_task_id),
+      sqlSafe(t.budget_tokens),
+      sqlSafe(t.budget_fallback_model),
+      sqlSafe(t.tokens_used ?? 0),
+      sqlSafe(t.tokens_warned_at)
     ]
   }));
   await client.batch(stmts, "write");
@@ -6559,24 +6596,24 @@ async function cloudPullConversations(config) {
            content_metadata, agent_response, agent_name, timestamp, ingested_at)
           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
     args: [
-      c.id ?? null,
-      c.platform ?? null,
-      c.external_id ?? null,
-      c.sender_id ?? null,
-      c.sender_name ?? null,
-      c.sender_phone ?? null,
-      c.sender_email ?? null,
-      c.recipient_id ?? null,
-      c.channel_id ?? null,
-      c.thread_id ?? null,
-      c.reply_to_id ?? null,
-      c.content_text ?? null,
-      c.content_media ?? null,
-      c.content_metadata ?? null,
-      c.agent_response ?? null,
-      c.agent_name ?? null,
-      c.timestamp ?? null,
-      c.ingested_at ?? null
+      sqlSafe(c.id),
+      sqlSafe(c.platform),
+      sqlSafe(c.external_id),
+      sqlSafe(c.sender_id),
+      sqlSafe(c.sender_name),
+      sqlSafe(c.sender_phone),
+      sqlSafe(c.sender_email),
+      sqlSafe(c.recipient_id),
+      sqlSafe(c.channel_id),
+      sqlSafe(c.thread_id),
+      sqlSafe(c.reply_to_id),
+      sqlSafe(c.content_text),
+      sqlSafe(c.content_media),
+      sqlSafe(c.content_metadata),
+      sqlSafe(c.agent_response),
+      sqlSafe(c.agent_name),
+      sqlSafe(c.timestamp),
+      sqlSafe(c.ingested_at)
     ]
   }));
   await client.batch(stmts, "write");
@@ -6613,7 +6650,7 @@ async function cloudPullDocuments(config) {
     const stmts = blob.workspaces.map((w) => ({
       sql: `INSERT OR IGNORE INTO workspaces (id, slug, name, owner_agent_id, created_at, metadata)
             VALUES (?, ?, ?, ?, ?, ?)`,
-      args: [w.id, w.slug, w.name, w.owner_agent_id ?? null, w.created_at, w.metadata ?? null]
+      args: [sqlSafe(w.id), sqlSafe(w.slug), sqlSafe(w.name), sqlSafe(w.owner_agent_id), sqlSafe(w.created_at), sqlSafe(w.metadata)]
     }));
     await client.batch(stmts, "write");
     pulled += stmts.length;
@@ -6624,14 +6661,14 @@ async function cloudPullDocuments(config) {
             (id, workspace_id, filename, mime, source_type, user_id, uploaded_at, metadata)
             VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
       args: [
-        d.id,
-        d.workspace_id,
-        d.filename,
-        d.mime ?? null,
-        d.source_type ?? null,
-        d.user_id ?? null,
-        d.uploaded_at,
-        d.metadata ?? null
+        sqlSafe(d.id),
+        sqlSafe(d.workspace_id),
+        sqlSafe(d.filename),
+        sqlSafe(d.mime),
+        sqlSafe(d.source_type),
+        sqlSafe(d.user_id),
+        sqlSafe(d.uploaded_at),
+        sqlSafe(d.metadata)
       ]
     }));
     await client.batch(stmts, "write");