@askexenow/exe-os 0.8.61 → 0.8.63

package/dist/bin/cli.js

@@ -1986,7 +1986,6 @@ import { readFile as readFile4, writeFile as writeFile4, unlink, mkdir as mkdir4
 import { existsSync as existsSync5 } from "fs";
 import path5 from "path";
 import os4 from "os";
-import crypto from "crypto";
 function getKeyDir() {
   return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path5.join(os4.homedir(), ".exe-os");
 }
@@ -2051,65 +2050,34 @@ async function deleteMasterKey() {
     await unlink(keyPath);
   }
 }
-function exportMnemonic(key) {
-  if (key.length !== 32) {
-    throw new Error(`Key must be 32 bytes, got ${key.length}`);
-  }
-  const hash = crypto.createHash("sha256").update(key).digest();
-  const checksumByte = hash[0];
-  let bits = "";
-  for (const byte of key) {
-    bits += byte.toString(2).padStart(8, "0");
-  }
-  bits += checksumByte.toString(2).padStart(8, "0");
-  const words = [];
-  let wordlist;
+async function loadBip39() {
   try {
-    const bip39 = __require("bip39");
-    wordlist = bip39.wordlists?.english ?? bip39.default?.wordlists?.english;
-    if (!wordlist) throw new Error("no wordlist");
+    return await import("bip39");
   } catch {
-    throw new Error("bip39 package required. Install with: npm install bip39");
+    throw new Error(
+      "bip39 package not found. Run: npm install -g bip39\nOr reinstall exe-os: npm install -g @askexenow/exe-os"
+    );
   }
-  for (let i = 0; i < 264; i += 11) {
-    const index = parseInt(bits.slice(i, i + 11), 2);
-    words.push(wordlist[index]);
+}
+async function exportMnemonic(key) {
+  if (key.length !== 32) {
+    throw new Error(`Key must be 32 bytes, got ${key.length}`);
   }
-  return words.join(" ");
+  const { entropyToMnemonic } = await loadBip39();
+  return entropyToMnemonic(key.toString("hex"));
 }
-function importMnemonic(mnemonic) {
-  const words = mnemonic.trim().split(/\s+/);
+async function importMnemonic(mnemonic) {
+  const trimmed = mnemonic.trim();
+  const words = trimmed.split(/\s+/);
   if (words.length !== 24) {
     throw new Error(`Expected 24 words, got ${words.length}`);
   }
-  let wordlist;
-  try {
-    const bip39 = __require("bip39");
-    wordlist = bip39.wordlists?.english ?? bip39.default?.wordlists?.english;
-    if (!wordlist) throw new Error("no wordlist");
-  } catch {
-    throw new Error("bip39 package required. Install with: npm install bip39");
+  const { validateMnemonic, mnemonicToEntropy } = await loadBip39();
+  if (!validateMnemonic(trimmed)) {
+    throw new Error("Invalid mnemonic \u2014 check for typos or missing words");
   }
-  let bits = "";
-  for (const word of words) {
-    const index = wordlist.indexOf(word.toLowerCase());
-    if (index === -1) {
-      throw new Error(`Invalid BIP39 word: "${word}"`);
-    }
-    bits += index.toString(2).padStart(11, "0");
-  }
-  const entropyBits = bits.slice(0, 256);
-  const checksumBits = bits.slice(256, 264);
-  const key = Buffer.alloc(32);
-  for (let i = 0; i < 32; i++) {
-    key[i] = parseInt(entropyBits.slice(i * 8, (i + 1) * 8), 2);
-  }
-  const hash = crypto.createHash("sha256").update(key).digest();
-  const expectedChecksum = hash[0].toString(2).padStart(8, "0");
-  if (checksumBits !== expectedChecksum) {
-    throw new Error("Invalid mnemonic checksum");
-  }
-  return key;
+  const entropy = mnemonicToEntropy(trimmed);
+  return Buffer.from(entropy, "hex");
 }
 var SERVICE, ACCOUNT;
 var init_keychain = __esm({
@@ -3450,7 +3418,7 @@ var backfill_conversations_exports = {};
 __export(backfill_conversations_exports, {
   backfillConversations: () => backfillConversations
 });
-import crypto2 from "crypto";
+import crypto from "crypto";
 import { createReadStream } from "fs";
 import { readdir as readdir2, stat } from "fs/promises";
 import path8 from "path";
@@ -3755,7 +3723,7 @@ async function backfillConversations(options) {
         }
       }
       await writeMemory({
-        id: crypto2.randomUUID(),
+        id: crypto.randomUUID(),
         agent_id: conv.agentId,
         agent_role: conv.agentId === "exe" ? "COO" : "specialist",
         session_id: conv.sessionId,
@@ -4770,10 +4738,10 @@ async function disposeEmbedder() {
 async function embedDirect(text) {
   const llamaCpp = await import("node-llama-cpp");
   const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-  const { existsSync: existsSync22 } = await import("fs");
-  const path34 = await import("path");
-  const modelPath = path34.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
-  if (!existsSync22(modelPath)) {
+  const { existsSync: existsSync24 } = await import("fs");
+  const path36 = await import("path");
+  const modelPath = path36.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
+  if (!existsSync24(modelPath)) {
     throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
   }
   const llama = await llamaCpp.getLlama();
@@ -5131,60 +5099,1125 @@ async function assertVpsLicense(opts) {
     `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://askexe.com/cloud and retry. This VPS image refuses to boot after the offline grace window.`
   );
 }
-function startLicenseRevalidation(intervalMs = 36e5) {
-  if (_revalTimer) return;
-  _revalTimer = setInterval(async () => {
-    try {
-      const license = await checkLicense();
-      if (!license.valid) {
-        process.stderr.write("[exe-os] License expired or invalid \u2014 features may be restricted\n");
-      }
-    } catch {
-    }
-  }, intervalMs);
-  if (_revalTimer && typeof _revalTimer === "object" && "unref" in _revalTimer) {
-    _revalTimer.unref();
+function startLicenseRevalidation(intervalMs = 36e5) {
+  if (_revalTimer) return;
+  _revalTimer = setInterval(async () => {
+    try {
+      const license = await checkLicense();
+      if (!license.valid) {
+        process.stderr.write("[exe-os] License expired or invalid \u2014 features may be restricted\n");
+      }
+    } catch {
+    }
+  }, intervalMs);
+  if (_revalTimer && typeof _revalTimer === "object" && "unref" in _revalTimer) {
+    _revalTimer.unref();
+  }
+}
+function stopLicenseRevalidation() {
+  if (_revalTimer) {
+    clearInterval(_revalTimer);
+    _revalTimer = null;
+  }
+}
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, CACHE_MAX_AGE_MS, _revalTimer;
+var init_license = __esm({
+  "src/lib/license.ts"() {
+    "use strict";
+    init_config();
+    LICENSE_PATH = path11.join(EXE_AI_DIR, "license.key");
+    CACHE_PATH = path11.join(EXE_AI_DIR, "license-cache.json");
+    DEVICE_ID_PATH = path11.join(EXE_AI_DIR, "device-id");
+    API_BASE = "https://askexe.com/cloud";
+    RETRY_DELAY_MS = 500;
+    LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
+4uj+UqeKCcvtgNHKmOK278HJaJcANe9xAeji8AFYu27q3WtzCi04pHudow==
+-----END PUBLIC KEY-----`;
+    LICENSE_JWT_ALG = "ES256";
+    PLAN_LIMITS = {
+      free: { devices: 1, employees: 1, memories: 5e4 },
+      pro: { devices: 2, employees: 5, memories: 25e4 },
+      team: { devices: 10, employees: 20, memories: 1e6 },
+      agency: { devices: 50, employees: 100, memories: 1e7 },
+      enterprise: { devices: -1, employees: -1, memories: -1 }
+    };
+    FREE_LICENSE = {
+      valid: true,
+      plan: "free",
+      email: "",
+      expiresAt: null,
+      deviceLimit: 1,
+      employeeLimit: 1,
+      memoryLimit: 5e4
+    };
+    CACHE_MAX_AGE_MS = 36e5;
+    _revalTimer = null;
+  }
+});
+
+// src/lib/crypto.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  decryptSyncBlob: () => decryptSyncBlob,
+  encryptSyncBlob: () => encryptSyncBlob,
+  initSyncCrypto: () => initSyncCrypto,
+  isSyncCryptoInitialized: () => isSyncCryptoInitialized
+});
+import crypto2 from "crypto";
+function initSyncCrypto(masterKey) {
+  if (masterKey.length !== 32) {
+    throw new Error(`Master key must be 32 bytes, got ${masterKey.length}`);
+  }
+  _syncKey = Buffer.from(
+    crypto2.hkdfSync("sha256", masterKey, "", SYNC_HKDF_INFO, 32)
+  );
+}
+function isSyncCryptoInitialized() {
+  return _syncKey !== null;
+}
+function requireSyncKey() {
+  if (!_syncKey) {
+    throw new Error("Sync crypto not initialized. Call initSyncCrypto(masterKey) first.");
+  }
+  return _syncKey;
+}
+function encryptSyncBlob(data) {
+  const key = requireSyncKey();
+  const iv = crypto2.randomBytes(IV_LENGTH);
+  const cipher = crypto2.createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, encrypted, tag]).toString("base64");
+}
+function decryptSyncBlob(ciphertext) {
+  const key = requireSyncKey();
+  const combined = Buffer.from(ciphertext, "base64");
+  if (combined.length < IV_LENGTH + TAG_LENGTH) {
+    throw new Error("Sync blob too short to contain IV + tag");
+  }
+  const iv = combined.subarray(0, IV_LENGTH);
+  const tag = combined.subarray(combined.length - TAG_LENGTH);
+  const encrypted = combined.subarray(IV_LENGTH, combined.length - TAG_LENGTH);
+  const decipher = crypto2.createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(encrypted), decipher.final()]);
+}
+var ALGORITHM, IV_LENGTH, TAG_LENGTH, SYNC_HKDF_INFO, _syncKey;
+var init_crypto = __esm({
+  "src/lib/crypto.ts"() {
+    "use strict";
+    ALGORITHM = "aes-256-gcm";
+    IV_LENGTH = 12;
+    TAG_LENGTH = 16;
+    SYNC_HKDF_INFO = "exe-mem-sync-v2";
+    _syncKey = null;
+  }
+});
+
+// src/lib/compress.ts
+import { brotliCompressSync, brotliDecompressSync, constants } from "zlib";
+function compress(input) {
+  if (input.length === 0) return Buffer.alloc(0);
+  return brotliCompressSync(input, {
+    params: {
+      [constants.BROTLI_PARAM_QUALITY]: 4
+    }
+  });
+}
+function decompress(input) {
+  if (input.length === 0) return Buffer.alloc(0);
+  return brotliDecompressSync(input);
+}
+var init_compress = __esm({
+  "src/lib/compress.ts"() {
+    "use strict";
+  }
+});
+
+// src/lib/cloud-sync.ts
+var cloud_sync_exports = {};
+__export(cloud_sync_exports, {
+  assertSecureEndpoint: () => assertSecureEndpoint,
+  buildRosterBlob: () => buildRosterBlob,
+  cloudPull: () => cloudPull,
+  cloudPullBehaviors: () => cloudPullBehaviors,
+  cloudPullBlob: () => cloudPullBlob,
+  cloudPullConversations: () => cloudPullConversations,
+  cloudPullDocuments: () => cloudPullDocuments,
+  cloudPullGlobalProcedures: () => cloudPullGlobalProcedures,
+  cloudPullGraphRAG: () => cloudPullGraphRAG,
+  cloudPullRoster: () => cloudPullRoster,
+  cloudPullTasks: () => cloudPullTasks,
+  cloudPush: () => cloudPush,
+  cloudPushBehaviors: () => cloudPushBehaviors,
+  cloudPushBlob: () => cloudPushBlob,
+  cloudPushConversations: () => cloudPushConversations,
+  cloudPushDocuments: () => cloudPushDocuments,
+  cloudPushGlobalProcedures: () => cloudPushGlobalProcedures,
+  cloudPushGraphRAG: () => cloudPushGraphRAG,
+  cloudPushRoster: () => cloudPushRoster,
+  cloudPushTasks: () => cloudPushTasks,
+  cloudSync: () => cloudSync,
+  mergeConfig: () => mergeConfig,
+  mergeRosterFromRemote: () => mergeRosterFromRemote,
+  recordRosterDeletion: () => recordRosterDeletion
+});
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync4, existsSync as existsSync11, readdirSync as readdirSync2, mkdirSync as mkdirSync5, appendFileSync, unlinkSync as unlinkSync4, openSync as openSync2, closeSync as closeSync2 } from "fs";
+import crypto3 from "crypto";
+import path12 from "path";
+import { homedir as homedir3 } from "os";
+function sqlSafe(v) {
+  return v === void 0 ? null : v;
+}
+function logError(msg) {
+  try {
+    const logPath = path12.join(homedir3(), ".exe-os", "workers.log");
+    appendFileSync(logPath, `${(/* @__PURE__ */ new Date()).toISOString()} ${msg}
+`);
+  } catch {
+  }
+}
+async function withRosterLock(fn) {
+  try {
+    const fd = openSync2(ROSTER_LOCK_PATH, "wx");
+    closeSync2(fd);
+    writeFileSync4(ROSTER_LOCK_PATH, String(Date.now()));
+  } catch (err) {
+    if (err.code === "EEXIST") {
+      try {
+        const ts = parseInt(readFileSync7(ROSTER_LOCK_PATH, "utf-8"), 10);
+        if (Date.now() - ts < LOCK_STALE_MS) {
+          throw new Error("Roster merge already in progress \u2014 another sync is running");
+        }
+        unlinkSync4(ROSTER_LOCK_PATH);
+        const fd = openSync2(ROSTER_LOCK_PATH, "wx");
+        closeSync2(fd);
+        writeFileSync4(ROSTER_LOCK_PATH, String(Date.now()));
+      } catch (retryErr) {
+        if (retryErr instanceof Error && retryErr.message.includes("already in progress")) throw retryErr;
+        throw new Error("Roster merge already in progress \u2014 another sync is running");
+      }
+    } else {
+      throw err;
+    }
+  }
+  try {
+    return await fn();
+  } finally {
+    try {
+      unlinkSync4(ROSTER_LOCK_PATH);
+    } catch {
+    }
+  }
+}
+async function fetchWithRetry(url, init) {
+  const MAX_RETRIES2 = 3;
+  const BASE_DELAY_MS2 = 200;
+  let lastError;
+  for (let attempt = 0; attempt <= MAX_RETRIES2; attempt++) {
+    try {
+      const signal = AbortSignal.timeout(FETCH_TIMEOUT_MS);
+      const resp = await fetch(url, { ...init, signal });
+      if (resp && resp.status >= 500 && attempt < MAX_RETRIES2) {
+        await new Promise((r) => setTimeout(r, BASE_DELAY_MS2 * Math.pow(2, attempt)));
+        continue;
+      }
+      return resp;
+    } catch (err) {
+      lastError = err;
+      if (attempt === MAX_RETRIES2) throw err;
+      await new Promise((r) => setTimeout(r, BASE_DELAY_MS2 * Math.pow(2, attempt)));
+    }
+  }
+  throw lastError;
+}
+function assertSecureEndpoint(endpoint) {
+  if (endpoint.startsWith("https://")) return;
+  if (endpoint.startsWith("http://")) {
+    try {
+      const parsed = new URL(endpoint);
+      if (LOCALHOST_PATTERNS.test(parsed.hostname)) return;
+    } catch {
+      return;
+    }
+    throw new Error(
+      `Insecure cloud endpoint rejected: "${endpoint}". Use https:// for remote hosts. Plain http:// is only allowed for localhost.`
+    );
+  }
+}
+async function cloudPush(records, maxVersion, config) {
+  if (records.length === 0) return true;
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const json = JSON.stringify(records);
+    const compressed = compress(Buffer.from(json, "utf8"));
+    const blob = encryptSyncBlob(compressed);
+    const resp = await fetchWithRetry(`${config.endpoint}/sync/push`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "Content-Type": "application/json",
+        "X-Device-Id": loadDeviceId(),
+        "X-Expected-Version": String(maxVersion)
+      },
+      body: JSON.stringify({ version: maxVersion, blob })
+    });
+    if (resp == null) {
+      logError("[cloud-sync] PUSH FAILED: no response from server");
+      return false;
+    }
+    if (resp.status === 409) {
+      logError("[cloud-sync] PUSH VERSION CONFLICT \u2014 re-pull required before next push");
+      return false;
+    }
+    return resp.ok;
+  } catch (err) {
+    logError(`[cloud-sync] PUSH FAILED: ${err instanceof Error ? err.message : String(err)}`);
+    return false;
+  }
+}
+async function cloudPull(sinceVersion, config) {
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const response = await fetchWithRetry(`${config.endpoint}/sync/pull`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "Content-Type": "application/json",
+        "X-Device-Id": loadDeviceId()
+      },
+      body: JSON.stringify({ since_version: sinceVersion })
+    });
+    if (response == null) {
+      logError("[cloud-sync] PULL FAILED: no response from server");
+      return { records: [], maxVersion: sinceVersion };
+    }
+    if (!response.ok) return { records: [], maxVersion: sinceVersion };
+    const data = await response.json();
+    const allRecords = [];
+    for (const { blob } of data.blobs ?? []) {
+      try {
+        const compressed = decryptSyncBlob(blob);
+        const json = decompress(compressed).toString("utf8");
+        const records = JSON.parse(json);
+        allRecords.push(...records);
+      } catch {
+        continue;
+      }
+    }
+    return { records: allRecords, maxVersion: data.max_version ?? sinceVersion };
+  } catch (err) {
+    logError(`[cloud-sync] PULL FAILED: ${err instanceof Error ? err.message : String(err)}`);
+    return { records: [], maxVersion: sinceVersion };
+  }
+}
+async function cloudSync(config) {
+  let client;
+  try {
+    client = getClient();
+  } catch {
+    throw new Error("[cloud-sync] Database not initialized. Call initStore() before cloudSync().");
+  }
+  try {
+    await client.execute(
+      "CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)"
+    );
+  } catch (e) {
+    logError(`[cloud-sync] sync_meta CREATE failed: ${e instanceof Error ? e.message : String(e)}`);
+  }
+  const pullMeta = await client.execute(
+    "SELECT value FROM sync_meta WHERE key = 'last_cloud_pull_version'"
+  );
+  const lastPullVersion = pullMeta.rows.length > 0 ? Number(pullMeta.rows[0].value) : 0;
+  const pullResult = await cloudPull(lastPullVersion, config);
+  let pulled = 0;
+  if (pullResult.records.length > 0) {
+    const stmts = pullResult.records.map((rec) => ({
+      sql: `INSERT OR REPLACE INTO memories
+            (id, agent_id, agent_role, session_id, timestamp,
+             tool_name, project_name, has_error, raw_text, version,
+             author_device_id, scope)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+      args: [
+        sqlSafe(rec.id),
+        sqlSafe(rec.agent_id),
+        sqlSafe(rec.agent_role),
+        sqlSafe(rec.session_id),
+        sqlSafe(rec.timestamp),
+        sqlSafe(rec.tool_name),
+        sqlSafe(rec.project_name),
+        sqlSafe(rec.has_error ?? 0),
+        sqlSafe(rec.raw_text ?? ""),
+        sqlSafe(rec.version ?? 0),
+        sqlSafe(rec.author_device_id),
+        sqlSafe(rec.scope ?? "business")
+      ]
+    }));
+    await client.batch(stmts, "write");
+    pulled = pullResult.records.length;
+  }
+  if (pullResult.maxVersion > lastPullVersion) {
+    await client.execute({
+      sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('last_cloud_pull_version', ?)",
+      args: [String(pullResult.maxVersion)]
+    });
+  }
+  const pushMeta = await client.execute(
+    "SELECT value FROM sync_meta WHERE key = 'last_cloud_push_version'"
+  );
+  const lastPushVersion = pushMeta.rows.length > 0 ? Number(pushMeta.rows[0].value) : 0;
+  let pushed = 0;
+  let batchCursor = lastPushVersion;
+  while (true) {
+    const recordsResult = await client.execute({
+      sql: `SELECT id, agent_id, agent_role, session_id, timestamp,
+                   tool_name, project_name, has_error, raw_text, version,
+                   author_device_id, scope
+            FROM memories
+            WHERE version > ?
+              AND (scope IS NULL OR scope != 'personal')
+            ORDER BY version ASC
+            LIMIT ?`,
+      args: [batchCursor, PUSH_BATCH_SIZE]
+    });
+    if (recordsResult.rows.length === 0) break;
+    const records = recordsResult.rows.map((row) => ({
+      id: row.id,
+      agent_id: row.agent_id,
+      agent_role: row.agent_role,
+      session_id: row.session_id,
+      timestamp: row.timestamp,
+      tool_name: row.tool_name,
+      project_name: row.project_name,
+      has_error: row.has_error,
+      raw_text: row.raw_text,
+      version: row.version,
+      author_device_id: row.author_device_id,
+      scope: row.scope
+    }));
+    const maxVersion = Number(records[records.length - 1].version);
+    const pushOk = await cloudPush(records, maxVersion, config);
+    if (!pushOk) break;
+    await client.execute({
+      sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('last_cloud_push_version', ?)",
+      args: [String(maxVersion)]
+    });
+    pushed += records.length;
+    batchCursor = maxVersion;
+    if (recordsResult.rows.length < PUSH_BATCH_SIZE) break;
+  }
+  try {
+    await cloudPushRoster(config);
+  } catch (err) {
+    logError(`[cloud-sync] Roster push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    await cloudPullRoster(config);
+  } catch (err) {
+    logError(`[cloud-sync] Roster pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    await cloudPushGlobalProcedures(config);
+  } catch (err) {
+    logError(`[cloud-sync] Global procedures push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    await cloudPullGlobalProcedures(config);
+  } catch (err) {
+    logError(`[cloud-sync] Global procedures pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  let behaviorsResult = { pushed: false, pulled: 0 };
+  try {
+    behaviorsResult.pushed = await cloudPushBehaviors(config);
+  } catch (err) {
+    logError(`[cloud-sync] Behaviors push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    const pullResult2 = await cloudPullBehaviors(config);
+    behaviorsResult.pulled = pullResult2.pulled;
+  } catch (err) {
+    logError(`[cloud-sync] Behaviors pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  let graphragResult = { pushed: false, pulled: 0 };
+  try {
+    graphragResult.pushed = await cloudPushGraphRAG(config);
+  } catch (err) {
+    logError(`[cloud-sync] GraphRAG push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    const pullResult2 = await cloudPullGraphRAG(config);
+    graphragResult.pulled = pullResult2.pulled;
+  } catch (err) {
+    logError(`[cloud-sync] GraphRAG pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  let tasksResult = { pushed: false, pulled: 0 };
+  try {
+    tasksResult.pushed = await cloudPushTasks(config);
+  } catch (err) {
+    logError(`[cloud-sync] Tasks push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    const pullResult2 = await cloudPullTasks(config);
+    tasksResult.pulled = pullResult2.pulled;
+  } catch (err) {
+    logError(`[cloud-sync] Tasks pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  let conversationsResult = { pushed: false, pulled: 0 };
+  try {
+    conversationsResult.pushed = await cloudPushConversations(config);
+  } catch (err) {
+    logError(`[cloud-sync] Conversations push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    const pullResult2 = await cloudPullConversations(config);
+    conversationsResult.pulled = pullResult2.pulled;
+  } catch (err) {
+    logError(`[cloud-sync] Conversations pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  let documentsResult = { pushed: false, pulled: 0 };
+  try {
+    documentsResult.pushed = await cloudPushDocuments(config);
+  } catch (err) {
+    logError(`[cloud-sync] Documents push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    const pullResult2 = await cloudPullDocuments(config);
+    documentsResult.pulled = pullResult2.pulled;
+  } catch (err) {
+    logError(`[cloud-sync] Documents pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  return {
+    pushed,
+    pulled,
+    behaviors: behaviorsResult,
+    graphrag: graphragResult,
+    tasks: tasksResult,
+    conversations: conversationsResult,
+    documents: documentsResult
+  };
+}
+function recordRosterDeletion(name) {
+  let deletions = [];
+  try {
+    if (existsSync11(ROSTER_DELETIONS_PATH)) {
+      deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
+    }
+  } catch {
+  }
+  if (!deletions.includes(name)) deletions.push(name);
+  writeFileSync4(ROSTER_DELETIONS_PATH, JSON.stringify(deletions));
+}
+function consumeRosterDeletions() {
+  try {
+    if (!existsSync11(ROSTER_DELETIONS_PATH)) return [];
+    const deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
+    writeFileSync4(ROSTER_DELETIONS_PATH, "[]");
+    return deletions;
+  } catch {
+    return [];
+  }
+}
+function buildRosterBlob(paths) {
+  const rosterPath = paths?.rosterPath ?? path12.join(EXE_AI_DIR, "exe-employees.json");
+  const identityDir = paths?.identityDir ?? path12.join(EXE_AI_DIR, "identity");
+  const configPath = paths?.configPath ?? path12.join(EXE_AI_DIR, "config.json");
+  let roster = [];
+  if (existsSync11(rosterPath)) {
+    try {
+      roster = JSON.parse(readFileSync7(rosterPath, "utf-8"));
+    } catch {
+    }
+  }
+  const identities = {};
+  if (existsSync11(identityDir)) {
+    for (const file of readdirSync2(identityDir).filter((f) => f.endsWith(".md"))) {
+      try {
+        identities[file] = readFileSync7(path12.join(identityDir, file), "utf-8");
+      } catch {
+      }
+    }
+  }
+  let config;
+  if (existsSync11(configPath)) {
+    try {
+      config = JSON.parse(readFileSync7(configPath, "utf-8"));
+    } catch {
+    }
+  }
+  const deletedNames = consumeRosterDeletions();
+  const content = JSON.stringify({ roster, identities, config, deletedNames });
+  const hash = crypto3.createHash("sha256").update(content).digest("hex").slice(0, 16);
+  return { roster, identities, config, deletedNames, version: hash };
+}
+async function cloudPushRoster(config) {
+  assertSecureEndpoint(config.endpoint);
+  const blob = buildRosterBlob();
+  if (blob.roster.length === 0) return true;
+  try {
+    const client = getClient();
+    const meta = await client.execute(
+      "SELECT value FROM sync_meta WHERE key = 'last_roster_push_version'"
+    );
+    const lastVersion = meta.rows.length > 0 ? Number(meta.rows[0].value) : 0;
+    if (blob.version === lastVersion) return true;
+  } catch {
+  }
+  try {
+    const json = JSON.stringify(blob);
+    const compressed = compress(Buffer.from(json, "utf8"));
+    const encrypted = encryptSyncBlob(compressed);
+    const resp = await fetchWithRetry(`${config.endpoint}/sync/push-roster`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "Content-Type": "application/json",
+        "X-Device-Id": loadDeviceId()
+      },
+      body: JSON.stringify({ blob: encrypted })
+    });
+    if (resp.ok) {
+      try {
+        const client = getClient();
+        await client.execute({
+          sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('last_roster_push_version', ?)",
+          args: [String(blob.version)]
+        });
+      } catch {
+      }
+    }
+    return resp.ok;
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] ROSTER PUSH FAILED: ${err instanceof Error ? err.message : String(err)}
+`);
+    return false;
+  }
+}
+async function cloudPullRoster(config) {
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config.endpoint}/sync/pull-roster`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return { added: 0 };
+    const data = await resp.json();
+    if (!data.blob) return { added: 0 };
+    const compressed = decryptSyncBlob(data.blob);
+    const json = decompress(compressed).toString("utf8");
+    const remote = JSON.parse(json);
+    return mergeRosterFromRemote(remote);
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] ROSTER PULL FAILED: ${err instanceof Error ? err.message : String(err)}
+`);
+    return { added: 0 };
+  }
+}
+function mergeConfig(remoteConfig, configPath) {
+  const cfgPath = configPath ?? path12.join(EXE_AI_DIR, "config.json");
+  let local = {};
+  if (existsSync11(cfgPath)) {
+    try {
+      local = JSON.parse(readFileSync7(cfgPath, "utf-8"));
+    } catch {
+    }
+  }
+  const merged = { ...remoteConfig, ...local };
+  const dir = path12.dirname(cfgPath);
+  if (!existsSync11(dir)) mkdirSync5(dir, { recursive: true });
+  writeFileSync4(cfgPath, JSON.stringify(merged, null, 2), "utf-8");
+}
+async function mergeRosterFromRemote(remote, paths) {
+  return withRosterLock(async () => {
+    const rosterPath = paths?.rosterPath ?? void 0;
+    const identityDir = paths?.identityDir ?? path12.join(EXE_AI_DIR, "identity");
+    const localEmployees = await loadEmployees(rosterPath);
+    const localNames = new Set(localEmployees.map((e) => e.name));
+    let added = 0;
+    let identitiesUpdated = 0;
+    for (const remoteEmp of remote.roster) {
+      if (!localNames.has(remoteEmp.name)) {
+        localEmployees.push(remoteEmp);
+        localNames.add(remoteEmp.name);
+        added++;
+        try {
+          registerBinSymlinks(remoteEmp.name);
+        } catch {
+        }
+      }
+      const remoteIdentity = remote.identities[`${remoteEmp.name}.md`];
+      if (remoteIdentity) {
+        if (!existsSync11(identityDir)) mkdirSync5(identityDir, { recursive: true });
+        const idPath = path12.join(identityDir, `${remoteEmp.name}.md`);
+        let localIdentity = null;
+        try {
+          localIdentity = existsSync11(idPath) ? readFileSync7(idPath, "utf-8") : null;
+        } catch {
+        }
+        if (localIdentity !== remoteIdentity) {
+          writeFileSync4(idPath, remoteIdentity, "utf-8");
+          identitiesUpdated++;
+        }
+      }
+    }
+    let removed = 0;
+    if (remote.deletedNames && remote.deletedNames.length > 0) {
+      const toRemove = new Set(remote.deletedNames);
+      const filtered = localEmployees.filter((e) => !toRemove.has(e.name));
+      removed = localEmployees.length - filtered.length;
+      if (removed > 0) {
+        localEmployees.length = 0;
+        localEmployees.push(...filtered);
+      }
+    }
+    if (added > 0 || removed > 0) {
+      await saveEmployees(localEmployees, rosterPath);
+    }
+    if (remote.config && Object.keys(remote.config).length > 0) {
+      try {
+        mergeConfig(remote.config, paths?.configPath);
+      } catch {
+      }
+    }
+    return { added, identitiesUpdated };
+  });
+}
+async function cloudPushBlob(route, data, metaKey, config) {
+  if (data.length === 0) return { ok: true };
+  assertSecureEndpoint(config.endpoint);
+  const json = JSON.stringify(data);
+  const version = Buffer.from(json).length;
+  try {
+    const client = getClient();
+    const meta = await client.execute({
+      sql: "SELECT value FROM sync_meta WHERE key = ?",
+      args: [metaKey]
+    });
+    const lastVersion = meta.rows.length > 0 ? Number(meta.rows[0].value) : 0;
+    if (version === lastVersion) return { ok: true };
+  } catch {
+  }
+  try {
+    const compressed = compress(Buffer.from(json, "utf8"));
+    const encrypted = encryptSyncBlob(compressed);
+    const resp = await fetchWithRetry(`${config.endpoint}${route}`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "Content-Type": "application/json",
+        "X-Device-Id": loadDeviceId()
+      },
+      body: JSON.stringify({ blob: encrypted })
+    });
+    if (resp.ok) {
+      try {
+        const client = getClient();
+        await client.execute({
+          sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES (?, ?)",
+          args: [metaKey, String(version)]
+        });
+      } catch {
+      }
+    }
+    return { ok: resp.ok };
+  } catch (err) {
+    logError(`[cloud-sync] PUSH ${route}: ${err instanceof Error ? err.message : String(err)}`);
+    return { ok: false };
+  }
+}
+async function cloudPullBlob(route, config) {
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config.endpoint}${route}`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return null;
+    const data = await resp.json();
+    if (!data.blob) return null;
+    const compressed = decryptSyncBlob(data.blob);
+    const json = decompress(compressed).toString("utf8");
+    return JSON.parse(json);
+  } catch (err) {
+    logError(`[cloud-sync] PULL ${route}: ${err instanceof Error ? err.message : String(err)}`);
+    return null;
+  }
+}
+async function cloudPushGlobalProcedures(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM global_procedures LIMIT 1000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob(
+    "/sync/push-global-procedures",
+    rows,
+    "last_global_procedures_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullGlobalProcedures(config) {
+  const remoteProcs = await cloudPullBlob(
+    "/sync/pull-global-procedures",
+    config
+  );
+  if (!remoteProcs || remoteProcs.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remoteProcs.map((p) => ({
+    sql: `INSERT INTO global_procedures
+          (id, title, content, priority, domain, active, created_at, updated_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+          ON CONFLICT(id) DO UPDATE SET
+            title = excluded.title,
+            content = excluded.content,
+            priority = excluded.priority,
+            domain = excluded.domain,
+            active = excluded.active,
+            updated_at = excluded.updated_at
+          WHERE excluded.updated_at > global_procedures.updated_at`,
+    args: [
+      sqlSafe(p.id),
+      sqlSafe(p.title),
+      sqlSafe(p.content),
+      sqlSafe(p.priority ?? "p0"),
+      sqlSafe(p.domain),
+      sqlSafe(p.active ?? 1),
+      sqlSafe(p.created_at),
+      sqlSafe(p.updated_at)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remoteProcs.length };
+}
+async function cloudPushBehaviors(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM behaviors LIMIT 10000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob(
+    "/sync/push-behaviors",
+    rows,
+    "last_behaviors_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullBehaviors(config) {
+  const remoteBehaviors = await cloudPullBlob(
+    "/sync/pull-behaviors",
+    config
+  );
+  if (!remoteBehaviors || remoteBehaviors.length === 0) return { pulled: 0 };
+  const client = getClient();
+  let pulled = 0;
+  for (const behavior of remoteBehaviors) {
+    const existing = await client.execute({
+      sql: `SELECT COUNT(*) as cnt FROM behaviors
+            WHERE agent_id = ? AND content = ?`,
+      args: [sqlSafe(behavior.agent_id), sqlSafe(behavior.content)]
+    });
+    if (Number(existing.rows[0]?.cnt) > 0) continue;
+    await client.execute({
+      sql: `INSERT OR IGNORE INTO behaviors
+            (id, agent_id, project_name, domain, content, active, priority, created_at, updated_at)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+      args: [
+        sqlSafe(behavior.id),
+        sqlSafe(behavior.agent_id),
+        sqlSafe(behavior.project_name),
+        sqlSafe(behavior.domain),
+        sqlSafe(behavior.content),
+        sqlSafe(behavior.active ?? 1),
+        sqlSafe(behavior.priority ?? "p1"),
+        sqlSafe(behavior.created_at),
+        sqlSafe(behavior.updated_at)
+      ]
+    });
+    pulled++;
+  }
+  return { pulled };
+}
+async function cloudPushGraphRAG(config) {
+  const client = getClient();
+  const [entities, relationships, aliases, entityMems, relMems, hyperedges, hyperedgeNodes] = await Promise.all([
+    client.execute("SELECT * FROM entities LIMIT 50000"),
+    client.execute("SELECT * FROM relationships LIMIT 50000"),
+    client.execute("SELECT * FROM entity_aliases LIMIT 50000"),
+    client.execute("SELECT * FROM entity_memories LIMIT 50000"),
+    client.execute("SELECT * FROM relationship_memories LIMIT 50000"),
+    client.execute("SELECT * FROM hyperedges LIMIT 50000"),
+    client.execute("SELECT * FROM hyperedge_nodes LIMIT 50000")
+  ]);
+  const blob = {
+    entities: entities.rows,
+    relationships: relationships.rows,
+    entity_aliases: aliases.rows,
+    entity_memories: entityMems.rows,
+    relationship_memories: relMems.rows,
+    hyperedges: hyperedges.rows,
+    hyperedge_nodes: hyperedgeNodes.rows
+  };
+  const { ok } = await cloudPushBlob(
+    "/sync/push-graphrag",
+    [blob],
+    "last_graphrag_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullGraphRAG(config) {
+  const data = await cloudPullBlob(
+    "/sync/pull-graphrag",
+    config
+  );
+  if (!data || data.length === 0) return { pulled: 0 };
+  const blob = data[0];
+  const client = getClient();
+  let pulled = 0;
+  if (blob.entities.length > 0) {
+    const stmts = blob.entities.map((e) => ({
+      sql: `INSERT OR IGNORE INTO entities (id, name, type, first_seen, last_seen, properties)
+            VALUES (?, ?, ?, ?, ?, ?)`,
+      args: [sqlSafe(e.id), sqlSafe(e.name), sqlSafe(e.type), sqlSafe(e.first_seen), sqlSafe(e.last_seen), sqlSafe(e.properties ?? "{}")]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (blob.relationships.length > 0) {
+    const stmts = blob.relationships.map((r) => ({
+      sql: `INSERT OR IGNORE INTO relationships
+            (id, source_entity_id, target_entity_id, type, weight, timestamp, properties, confidence, confidence_label)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+      args: [
+        sqlSafe(r.id),
+        sqlSafe(r.source_entity_id),
+        sqlSafe(r.target_entity_id),
+        sqlSafe(r.type),
+        sqlSafe(r.weight ?? 1),
+        sqlSafe(r.timestamp),
+        sqlSafe(r.properties ?? "{}"),
+        sqlSafe(r.confidence ?? 1),
+        sqlSafe(r.confidence_label ?? "extracted")
+      ]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (blob.entity_aliases.length > 0) {
+    const stmts = blob.entity_aliases.map((a) => ({
+      sql: `INSERT OR IGNORE INTO entity_aliases (alias, canonical_entity_id) VALUES (?, ?)`,
+      args: [sqlSafe(a.alias), sqlSafe(a.canonical_entity_id)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
   }
+  if (blob.entity_memories.length > 0) {
+    const stmts = blob.entity_memories.map((em) => ({
+      sql: `INSERT OR IGNORE INTO entity_memories (entity_id, memory_id) VALUES (?, ?)`,
+      args: [sqlSafe(em.entity_id), sqlSafe(em.memory_id)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (blob.relationship_memories.length > 0) {
+    const stmts = blob.relationship_memories.map((rm) => ({
+      sql: `INSERT OR IGNORE INTO relationship_memories (relationship_id, memory_id) VALUES (?, ?)`,
+      args: [sqlSafe(rm.relationship_id), sqlSafe(rm.memory_id)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (blob.hyperedges.length > 0) {
+    const stmts = blob.hyperedges.map((h) => ({
+      sql: `INSERT OR IGNORE INTO hyperedges (id, label, relation, confidence, timestamp)
+            VALUES (?, ?, ?, ?, ?)`,
+      args: [sqlSafe(h.id), sqlSafe(h.label), sqlSafe(h.relation), sqlSafe(h.confidence ?? 1), sqlSafe(h.timestamp)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (blob.hyperedge_nodes.length > 0) {
+    const stmts = blob.hyperedge_nodes.map((hn) => ({
+      sql: `INSERT OR IGNORE INTO hyperedge_nodes (hyperedge_id, entity_id) VALUES (?, ?)`,
+      args: [sqlSafe(hn.hyperedge_id), sqlSafe(hn.entity_id)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  return { pulled };
 }
-function stopLicenseRevalidation() {
-  if (_revalTimer) {
-    clearInterval(_revalTimer);
-    _revalTimer = null;
+async function cloudPushTasks(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM tasks LIMIT 10000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob(
+    "/sync/push-tasks",
+    rows,
+    "last_tasks_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullTasks(config) {
+  const remoteTasks = await cloudPullBlob(
+    "/sync/pull-tasks",
+    config
+  );
+  if (!remoteTasks || remoteTasks.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remoteTasks.map((t) => ({
+    sql: `INSERT OR IGNORE INTO tasks
+          (id, title, assigned_to, assigned_by, project_name, priority, status, task_file, created_at, updated_at,
+           blocked_by, parent_task_id, budget_tokens, budget_fallback_model, tokens_used, tokens_warned_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+    args: [
+      sqlSafe(t.id),
+      sqlSafe(t.title),
+      sqlSafe(t.assigned_to),
+      sqlSafe(t.assigned_by),
+      sqlSafe(t.project_name),
+      sqlSafe(t.priority ?? "p1"),
+      sqlSafe(t.status ?? "open"),
+      sqlSafe(t.task_file),
+      sqlSafe(t.created_at),
+      sqlSafe(t.updated_at),
+      sqlSafe(t.blocked_by),
+      sqlSafe(t.parent_task_id),
+      sqlSafe(t.budget_tokens),
+      sqlSafe(t.budget_fallback_model),
+      sqlSafe(t.tokens_used ?? 0),
+      sqlSafe(t.tokens_warned_at)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remoteTasks.length };
+}
+async function cloudPushConversations(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM conversations LIMIT 50000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob(
+    "/sync/push-conversations",
+    rows,
+    "last_conversations_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullConversations(config) {
+  const remoteConvos = await cloudPullBlob(
+    "/sync/pull-conversations",
+    config
+  );
+  if (!remoteConvos || remoteConvos.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remoteConvos.map((c) => ({
+    sql: `INSERT OR IGNORE INTO conversations
+          (id, platform, external_id, sender_id, sender_name, sender_phone, sender_email,
+           recipient_id, channel_id, thread_id, reply_to_id, content_text, content_media,
+           content_metadata, agent_response, agent_name, timestamp, ingested_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+    args: [
+      sqlSafe(c.id),
+      sqlSafe(c.platform),
+      sqlSafe(c.external_id),
+      sqlSafe(c.sender_id),
+      sqlSafe(c.sender_name),
+      sqlSafe(c.sender_phone),
+      sqlSafe(c.sender_email),
+      sqlSafe(c.recipient_id),
+      sqlSafe(c.channel_id),
+      sqlSafe(c.thread_id),
+      sqlSafe(c.reply_to_id),
+      sqlSafe(c.content_text),
+      sqlSafe(c.content_media),
+      sqlSafe(c.content_metadata),
+      sqlSafe(c.agent_response),
+      sqlSafe(c.agent_name),
+      sqlSafe(c.timestamp),
+      sqlSafe(c.ingested_at)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remoteConvos.length };
+}
+async function cloudPushDocuments(config) {
+  const client = getClient();
+  const [workspaces, documents] = await Promise.all([
+    client.execute("SELECT * FROM workspaces LIMIT 1000"),
+    client.execute("SELECT * FROM documents LIMIT 10000")
+  ]);
+  const blob = {
+    workspaces: workspaces.rows,
+    documents: documents.rows
+  };
+  const { ok } = await cloudPushBlob(
+    "/sync/push-documents",
+    [blob],
+    "last_documents_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullDocuments(config) {
+  const data = await cloudPullBlob(
+    "/sync/pull-documents",
+    config
+  );
+  if (!data || data.length === 0) return { pulled: 0 };
+  const blob = data[0];
+  const client = getClient();
+  let pulled = 0;
+  if (blob.workspaces.length > 0) {
+    const stmts = blob.workspaces.map((w) => ({
+      sql: `INSERT OR IGNORE INTO workspaces (id, slug, name, owner_agent_id, created_at, metadata)
+            VALUES (?, ?, ?, ?, ?, ?)`,
+      args: [sqlSafe(w.id), sqlSafe(w.slug), sqlSafe(w.name), sqlSafe(w.owner_agent_id), sqlSafe(w.created_at), sqlSafe(w.metadata)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (blob.documents.length > 0) {
+    const stmts = blob.documents.map((d) => ({
+      sql: `INSERT OR IGNORE INTO documents
+            (id, workspace_id, filename, mime, source_type, user_id, uploaded_at, metadata)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+      args: [
+        sqlSafe(d.id),
+        sqlSafe(d.workspace_id),
+        sqlSafe(d.filename),
+        sqlSafe(d.mime),
+        sqlSafe(d.source_type),
+        sqlSafe(d.user_id),
+        sqlSafe(d.uploaded_at),
+        sqlSafe(d.metadata)
+      ]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
   }
+  return { pulled };
 }
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, CACHE_MAX_AGE_MS, _revalTimer;
-var init_license = __esm({
-  "src/lib/license.ts"() {
+var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, ROSTER_DELETIONS_PATH;
+var init_cloud_sync = __esm({
+  "src/lib/cloud-sync.ts"() {
     "use strict";
+    init_database();
+    init_crypto();
+    init_compress();
+    init_license();
     init_config();
-    LICENSE_PATH = path11.join(EXE_AI_DIR, "license.key");
-    CACHE_PATH = path11.join(EXE_AI_DIR, "license-cache.json");
-    DEVICE_ID_PATH = path11.join(EXE_AI_DIR, "device-id");
-    API_BASE = "https://askexe.com/cloud";
-    RETRY_DELAY_MS = 500;
-    LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
-4uj+UqeKCcvtgNHKmOK278HJaJcANe9xAeji8AFYu27q3WtzCi04pHudow==
------END PUBLIC KEY-----`;
-    LICENSE_JWT_ALG = "ES256";
-    PLAN_LIMITS = {
-      free: { devices: 1, employees: 1, memories: 5e4 },
-      pro: { devices: 2, employees: 5, memories: 25e4 },
-      team: { devices: 10, employees: 20, memories: 1e6 },
-      agency: { devices: 50, employees: 100, memories: 1e7 },
-      enterprise: { devices: -1, employees: -1, memories: -1 }
-    };
-    FREE_LICENSE = {
-      valid: true,
-      plan: "free",
-      email: "",
-      expiresAt: null,
-      deviceLimit: 1,
-      employeeLimit: 1,
-      memoryLimit: 5e4
-    };
-    CACHE_MAX_AGE_MS = 36e5;
-    _revalTimer = null;
+    init_employees();
+    LOCALHOST_PATTERNS = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
+    FETCH_TIMEOUT_MS = 3e4;
+    PUSH_BATCH_SIZE = 5e3;
+    ROSTER_LOCK_PATH = path12.join(EXE_AI_DIR, "roster-merge.lock");
+    LOCK_STALE_MS = 3e4;
+    ROSTER_DELETIONS_PATH = path12.join(EXE_AI_DIR, "roster-deletions.json");
   }
 });
 
@@ -5197,17 +6230,17 @@ __export(identity_exports, {
   listIdentities: () => listIdentities,
   updateIdentity: () => updateIdentity
 });
-import { existsSync as existsSync11, mkdirSync as mkdirSync5, readFileSync as readFileSync7, writeFileSync as writeFileSync4 } from "fs";
-import { readdirSync as readdirSync2 } from "fs";
-import path12 from "path";
+import { existsSync as existsSync12, mkdirSync as mkdirSync6, readFileSync as readFileSync8, writeFileSync as writeFileSync5 } from "fs";
+import { readdirSync as readdirSync3 } from "fs";
+import path13 from "path";
 import { createHash as createHash2 } from "crypto";
 function ensureDir() {
-  if (!existsSync11(IDENTITY_DIR)) {
-    mkdirSync5(IDENTITY_DIR, { recursive: true });
+  if (!existsSync12(IDENTITY_DIR)) {
+    mkdirSync6(IDENTITY_DIR, { recursive: true });
   }
 }
 function identityPath(agentId) {
-  return path12.join(IDENTITY_DIR, `${agentId}.md`);
+  return path13.join(IDENTITY_DIR, `${agentId}.md`);
 }
 function parseFrontmatter(raw) {
   const match = raw.match(/^---\n([\s\S]*?)\n---\n([\s\S]*)$/);
@@ -5248,8 +6281,8 @@ function contentHash(content) {
 }
 function getIdentity(agentId) {
   const filePath = identityPath(agentId);
-  if (!existsSync11(filePath)) return null;
-  const raw = readFileSync7(filePath, "utf-8");
+  if (!existsSync12(filePath)) return null;
+  const raw = readFileSync8(filePath, "utf-8");
   const { frontmatter, body } = parseFrontmatter(raw);
   return {
     agentId,
@@ -5263,7 +6296,7 @@ async function updateIdentity(agentId, content, updatedBy) {
   ensureDir();
   const filePath = identityPath(agentId);
   const hash = contentHash(content);
-  writeFileSync4(filePath, content, "utf-8");
+  writeFileSync5(filePath, content, "utf-8");
   try {
     const client = getClient();
     await client.execute({
@@ -5280,7 +6313,7 @@ async function updateIdentity(agentId, content, updatedBy) {
 }
 function listIdentities() {
   ensureDir();
-  const files = readdirSync2(IDENTITY_DIR).filter((f) => f.endsWith(".md"));
+  const files = readdirSync3(IDENTITY_DIR).filter((f) => f.endsWith(".md"));
   const results = [];
   for (const file of files) {
     const agentId = file.replace(".md", "");
@@ -5319,7 +6352,7 @@ var init_identity = __esm({
     "use strict";
     init_config();
     init_database();
-    IDENTITY_DIR = path12.join(EXE_AI_DIR, "identity");
+    IDENTITY_DIR = path13.join(EXE_AI_DIR, "identity");
   }
 });
 
@@ -5853,31 +6886,162 @@ ${PLAN_MODE_COMPAT}
   }
 });
 
+// src/lib/session-wrappers.ts
+var session_wrappers_exports = {};
+__export(session_wrappers_exports, {
+  generateSessionWrappers: () => generateSessionWrappers
+});
+import {
+  existsSync as existsSync13,
+  readFileSync as readFileSync9,
+  writeFileSync as writeFileSync6,
+  mkdirSync as mkdirSync7,
+  chmodSync,
+  readdirSync as readdirSync4,
+  unlinkSync as unlinkSync5
+} from "fs";
+import path14 from "path";
+import { homedir as homedir4 } from "os";
+function generateSessionWrappers(packageRoot, homeDir) {
+  const home = homeDir ?? homedir4();
+  const binDir = path14.join(home, ".exe-os", "bin");
+  const rosterPath = path14.join(home, ".exe-os", "exe-employees.json");
+  mkdirSync7(binDir, { recursive: true });
+  const exeStartDst = path14.join(binDir, "exe-start");
+  const candidates = [
+    path14.join(packageRoot, "dist", "bin", "exe-start.sh"),
+    path14.join(packageRoot, "src", "bin", "exe-start.sh")
+  ];
+  for (const src of candidates) {
+    if (existsSync13(src)) {
+      writeFileSync6(exeStartDst, readFileSync9(src));
+      chmodSync(exeStartDst, 493);
+      break;
+    }
+  }
+  let employees = [];
+  try {
+    employees = JSON.parse(readFileSync9(rosterPath, "utf8"));
+  } catch {
+    return { created: 0, pathConfigured: false };
+  }
+  if (employees.length === 0) {
+    return { created: 0, pathConfigured: false };
+  }
+  try {
+    for (const f of readdirSync4(binDir)) {
+      if (f === "exe-start") continue;
+      const fPath = path14.join(binDir, f);
+      try {
+        const content = readFileSync9(fPath, "utf8");
+        if (content.includes("exe-start")) {
+          unlinkSync5(fPath);
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  let created = 0;
+  const wrapperContent = `#!/bin/bash
+exec "${exeStartDst}" "$0" "$@"
+`;
+  for (const emp of employees) {
+    for (let n = 1; n <= MAX_N; n++) {
+      const wrapperPath = path14.join(binDir, `${emp.name}${n}`);
+      writeFileSync6(wrapperPath, wrapperContent);
+      chmodSync(wrapperPath, 493);
+      created++;
+    }
+  }
+  const pathConfigured = ensurePath(home, binDir);
+  return { created, pathConfigured };
+}
+function ensurePath(home, binDir) {
+  if (process.env.PATH?.split(":").includes(binDir)) {
+    return false;
+  }
+  const exportLine = `
+# exe-os session commands
+export PATH="${binDir}:$PATH"
+`;
+  const shell = process.env.SHELL ?? "/bin/bash";
+  const profilePaths = [];
+  if (shell.includes("zsh")) {
+    profilePaths.push(path14.join(home, ".zshrc"));
+  } else if (shell.includes("bash")) {
+    profilePaths.push(path14.join(home, ".bashrc"));
+    profilePaths.push(path14.join(home, ".bash_profile"));
+  } else {
+    profilePaths.push(path14.join(home, ".profile"));
+  }
+  for (const profilePath of profilePaths) {
+    try {
+      let content = "";
+      try {
+        content = readFileSync9(profilePath, "utf8");
+      } catch {
+      }
+      if (content.includes(".exe-os/bin")) {
+        return false;
+      }
+      writeFileSync6(profilePath, content + exportLine);
+      return true;
+    } catch {
+      continue;
+    }
+  }
+  return false;
+}
+var MAX_N;
+var init_session_wrappers = __esm({
+  "src/lib/session-wrappers.ts"() {
+    "use strict";
+    MAX_N = 9;
+  }
+});
+
 // src/lib/setup-wizard.ts
 var setup_wizard_exports = {};
 __export(setup_wizard_exports, {
   runSetupWizard: () => runSetupWizard,
   validateModel: () => validateModel
 });
-import crypto3 from "crypto";
-import { existsSync as existsSync12, mkdirSync as mkdirSync6, readFileSync as readFileSync8, writeFileSync as writeFileSync5, unlinkSync as unlinkSync4 } from "fs";
+import crypto4 from "crypto";
+import { existsSync as existsSync14, mkdirSync as mkdirSync8, readFileSync as readFileSync10, writeFileSync as writeFileSync7, unlinkSync as unlinkSync6 } from "fs";
 import os5 from "os";
-import path13 from "path";
+import path15 from "path";
 import { createInterface as createInterface2 } from "readline";
+function findPackageRoot2() {
+  let dir = path15.dirname(new URL(import.meta.url).pathname);
+  const root = path15.parse(dir).root;
+  while (dir !== root) {
+    const pkgPath = path15.join(dir, "package.json");
+    if (existsSync14(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync10(pkgPath, "utf-8"));
+        if (pkg.name === "@askexenow/exe-os" || pkg.name === "exe-os") return dir;
+      } catch {
+      }
+    }
+    dir = path15.dirname(dir);
+  }
+  return null;
+}
 function loadSetupState() {
   try {
-    return JSON.parse(readFileSync8(SETUP_STATE_PATH, "utf8"));
+    return JSON.parse(readFileSync10(SETUP_STATE_PATH, "utf8"));
   } catch {
     return { completedSteps: [], startedAt: (/* @__PURE__ */ new Date()).toISOString() };
   }
 }
 function saveSetupState(state) {
-  mkdirSync6(path13.dirname(SETUP_STATE_PATH), { recursive: true });
-  writeFileSync5(SETUP_STATE_PATH, JSON.stringify(state, null, 2));
+  mkdirSync8(path15.dirname(SETUP_STATE_PATH), { recursive: true });
+  writeFileSync7(SETUP_STATE_PATH, JSON.stringify(state, null, 2));
 }
 function clearSetupState() {
   try {
-    unlinkSync4(SETUP_STATE_PATH);
+    unlinkSync6(SETUP_STATE_PATH);
   } catch {
   }
 }
@@ -5911,20 +7075,67 @@ async function runSetupWizard(opts = {}) {
     log("");
     log("=== exe-os Setup ===");
     log("");
-    log("Already set up on another device?");
-    log("  Run `exe-link` to sync your encryption key and skip setup.");
+    log("Is this a new installation or pairing with an existing device?");
     log("");
-    const skipSetup = await ask(rl, "Fresh install? (Y/n): ");
-    if (skipSetup.toLowerCase() === "n") {
-      log("Run `exe-link` to import your encryption key from another device.");
-      rl.close();
-      return;
+    log("  [1] New installation (first device)");
+    log("  [2] Pair with existing device (I have a 24-word phrase)");
+    log("");
+    const installType = await ask(rl, "Choice (1/2): ");
+    let isPairing = false;
+    let pairingRosterPulled = false;
+    if (installType === "2") {
+      isPairing = true;
+      log("");
+      const { importMnemonic: importMnemonic2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));
+      const mnemonic = await ask(rl, "Paste your 24-word recovery phrase: ");
+      try {
+        const key = await importMnemonic2(mnemonic);
+        await setMasterKey(key);
+        log("Master key imported and stored securely.");
+        log("");
+        log("Enter the API key from your existing device.");
+        log("(Find it in ~/.exe-os/config.json under cloud.apiKey, or ask your team lead.)");
+        log("");
+        const apiKey = await ask(rl, "API key (exe_sk_...): ");
+        if (apiKey && apiKey.startsWith("exe_sk_")) {
+          const cloudEndpoint = "https://askexe.com/cloud";
+          const cloudCfg = { apiKey, endpoint: cloudEndpoint };
+          const earlyConfig = await loadConfig();
+          earlyConfig.cloud = cloudCfg;
+          await saveConfig(earlyConfig);
+          const { saveLicense: saveLic, mirrorLicenseKey: mirrorLic } = await Promise.resolve().then(() => (init_license(), license_exports));
+          saveLic(apiKey);
+          mirrorLic(apiKey);
+          log("Cloud sync configured.");
+          try {
+            const { initSyncCrypto: initSyncCrypto2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+            const { cloudPullRoster: cloudPullRoster2 } = await Promise.resolve().then(() => (init_cloud_sync(), cloud_sync_exports));
+            initSyncCrypto2(key);
+            const result = await cloudPullRoster2({ apiKey, endpoint: cloudEndpoint });
+            if (result.added > 0) {
+              log(`Pulled ${result.added} employee(s) from Exe Cloud.`);
+              pairingRosterPulled = true;
+            }
+          } catch {
+            log("Could not pull roster from cloud \u2014 you can set up employees manually.");
+          }
+        } else {
+          log("No API key provided \u2014 cloud sync will need to be configured later.");
+          log("Run /exe-cloud after setup to connect.");
+        }
+        log("");
+      } catch (err) {
+        log(`Key import failed: ${err instanceof Error ? err.message : String(err)}`);
+        log("Check your phrase and try again, or choose option 1 for a fresh install.");
+        rl.close();
+        return;
+      }
     }
     const state = loadSetupState();
     if (state.completedSteps.length > 0) {
       log(`Resuming setup from step ${Math.max(...state.completedSteps) + 1}...`);
     }
-    if (existsSync12(LEGACY_LANCE_PATH)) {
+    if (existsSync14(LEGACY_LANCE_PATH)) {
       log("\u26A0 Found v1.0 LanceDB at ~/.exe-os/local.lance");
       log("  v1.1 uses libSQL (SQLite). Your existing memories are not automatically migrated.");
       log("  The old directory will not be modified or deleted.");
@@ -5936,7 +7147,7 @@ async function runSetupWizard(opts = {}) {
         log("Encryption key already exists \u2014 skipping generation.");
       } else {
         log("Generating 256-bit encryption key...");
-        const key = crypto3.randomBytes(32);
+        const key = crypto4.randomBytes(32);
         await setMasterKey(key);
         log("Encryption key generated and stored securely.");
       }
@@ -5947,7 +7158,15 @@ async function runSetupWizard(opts = {}) {
     }
     log("");
     let cloudConfig;
-    if (!state.completedSteps.includes(2)) {
+    if (isPairing) {
+      const pairingConfig = await loadConfig();
+      if (pairingConfig.cloud?.apiKey) {
+        cloudConfig = pairingConfig.cloud;
+        log("Cloud sync: using shared API key from pairing.");
+      }
+      state.completedSteps.push(2);
+      saveSetupState(state);
+    } else if (!state.completedSteps.includes(2)) {
       log("Exe Cloud: your memories are end-to-end encrypted, compressed, and");
       log("backed up on Exe Cloud. Free for all plans. We can't read your data \u2014");
       log("only your encryption key can decrypt it.");
@@ -6028,10 +7247,10 @@ async function runSetupWizard(opts = {}) {
       await saveConfig(config);
       log("");
       try {
-        const claudeJsonPath = path13.join(os5.homedir(), ".claude.json");
+        const claudeJsonPath = path15.join(os5.homedir(), ".claude.json");
         let claudeJson = {};
         try {
-          claudeJson = JSON.parse(readFileSync8(claudeJsonPath, "utf8"));
+          claudeJson = JSON.parse(readFileSync10(claudeJsonPath, "utf8"));
         } catch {
         }
         if (!claudeJson.projects) claudeJson.projects = {};
@@ -6040,7 +7259,7 @@ async function runSetupWizard(opts = {}) {
           if (!projects[dir]) projects[dir] = {};
           projects[dir].hasTrustDialogAccepted = true;
         }
-        writeFileSync5(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+        writeFileSync7(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
       } catch {
       }
       state.completedSteps.push(5);
@@ -6066,7 +7285,34 @@ async function runSetupWizard(opts = {}) {
     } = await Promise.resolve().then(() => (init_license(), license_exports));
     const createdEmployees = [];
     let cooName = "exe";
-    if (!state.completedSteps.includes(6)) {
+    if (pairingRosterPulled) {
+      const roster = await loadEmployees2(EMPLOYEES_PATH2).catch(() => []);
+      const existingCoo = roster.find((e) => e.role === "COO");
+      if (existingCoo) {
+        cooName = existingCoo.name;
+        log(`Team synced from cloud. COO: ${cooName}`);
+        const teamList = roster.map((e) => `${e.name} (${e.role})`).join(", ");
+        log(`Team: ${teamList}`);
+        createdEmployees.push(...roster.map((e) => ({ name: e.name, role: e.role })));
+      }
+      for (const emp of roster) {
+        registerBinSymlinks2(emp.name);
+      }
+      try {
+        const { generateSessionWrappers: generateSessionWrappers2 } = await Promise.resolve().then(() => (init_session_wrappers(), session_wrappers_exports));
+        const pkgRoot = findPackageRoot2();
+        if (pkgRoot) {
+          const wrapResult = generateSessionWrappers2(pkgRoot);
+          if (wrapResult.created > 0) {
+            log(`Session shortcuts generated: ${roster.map((e) => `${e.name}1`).join(", ")}, ...`);
+          }
+        }
+      } catch {
+      }
+      state.completedSteps.push(6, 7, 8);
+      saveSetupState(state);
+      log("");
+    } else if (!state.completedSteps.includes(6)) {
       log("=== Your Team ===");
       log("");
       log("Every install starts with a COO \u2014 your right-hand operator.");
@@ -6092,9 +7338,9 @@ async function runSetupWizard(opts = {}) {
       const cooIdentityContent = getIdentityTemplate("coo");
       if (cooIdentityContent) {
         const cooIdPath = identityPath2(cooName);
-        mkdirSync6(path13.dirname(cooIdPath), { recursive: true });
+        mkdirSync8(path15.dirname(cooIdPath), { recursive: true });
         const replaced = cooIdentityContent.replace(/agent_id:\s*exe/g, `agent_id: ${cooName}`).replace(/\$\{agent_id\}/g, cooName);
-        writeFileSync5(cooIdPath, replaced, "utf-8");
+        writeFileSync7(cooIdPath, replaced, "utf-8");
       }
       registerBinSymlinks2(cooName);
       createdEmployees.push({ name: cooName, role: "COO" });
@@ -6193,9 +7439,9 @@ async function runSetupWizard(opts = {}) {
           const ctoIdentityContent = getIdentityTemplate("cto");
           if (ctoIdentityContent) {
             const ctoIdPath = identityPath2(ctoName);
-            mkdirSync6(path13.dirname(ctoIdPath), { recursive: true });
+            mkdirSync8(path15.dirname(ctoIdPath), { recursive: true });
             const replaced = ctoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${ctoName}`).replace(/\$\{agent_id\}/g, ctoName);
-            writeFileSync5(ctoIdPath, replaced, "utf-8");
+            writeFileSync7(ctoIdPath, replaced, "utf-8");
           }
           registerBinSymlinks2(ctoName);
           createdEmployees.push({ name: ctoName, role: "CTO" });
@@ -6221,9 +7467,9 @@ async function runSetupWizard(opts = {}) {
           const cmoIdentityContent = getIdentityTemplate("cmo");
           if (cmoIdentityContent) {
             const cmoIdPath = identityPath2(cmoName);
-            mkdirSync6(path13.dirname(cmoIdPath), { recursive: true });
+            mkdirSync8(path15.dirname(cmoIdPath), { recursive: true });
             const replaced = cmoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${cmoName}`).replace(/\$\{agent_id\}/g, cmoName);
-            writeFileSync5(cmoIdPath, replaced, "utf-8");
+            writeFileSync7(cmoIdPath, replaced, "utf-8");
           }
           registerBinSymlinks2(cmoName);
           createdEmployees.push({ name: cmoName, role: "CMO" });
@@ -6236,11 +7482,24 @@ async function runSetupWizard(opts = {}) {
     } else {
       log("Step 8 already complete \u2014 skipping.");
     }
+    if (!pairingRosterPulled) {
+      try {
+        const { generateSessionWrappers: generateSessionWrappers2 } = await Promise.resolve().then(() => (init_session_wrappers(), session_wrappers_exports));
+        const pkgRoot = findPackageRoot2();
+        if (pkgRoot) {
+          const wrapResult = generateSessionWrappers2(pkgRoot);
+          if (wrapResult.created > 0) {
+            log(`Session shortcuts generated (${cooName}1, ${cooName}2, ...)`);
+          }
+        }
+      } catch {
+      }
+    }
     clearSetupState();
     log("=== Two Ways to Work ===");
     log("");
     log("  1. Claude Code mode");
-    log(`     Type \`${cooName}\` in your terminal. Works with your Claude Code subscription.`);
+    log(`     Type \`${cooName}1\` in your project folder. Works with your Claude Code subscription.`);
     log("     Best for developers who live in the terminal.");
     log("");
     log("  2. Dashboard mode");
@@ -6250,8 +7509,6 @@ async function runSetupWizard(opts = {}) {
     log("  Both modes share the same memory, employees, and data.");
     log("  You can switch anytime.");
     log("");
-    log("  For Claude Code mode, run: exe-os claude");
-    log("");
     log("=== Setup Complete ===");
     log("Database: " + config.dbPath);
     if (cloudConfig) {
@@ -6267,7 +7524,7 @@ async function runSetupWizard(opts = {}) {
       log("Team: " + createdEmployees.map((e) => `${e.name} (${e.role})`).join(", "));
     }
     log("");
-    log(`Type \`${cooName}\` to start (Claude Code) or \`exe-os\` for dashboard.`);
+    log(`Type \`${cooName}1\` to start (Claude Code) or \`exe-os\` for dashboard.`);
     log("");
   } finally {
     rl.close();
@@ -6280,17 +7537,17 @@ var init_setup_wizard = __esm({
     init_config();
     init_keychain();
     init_model_downloader();
-    SETUP_STATE_PATH = path13.join(os5.homedir(), ".exe-os", "setup-state.json");
+    SETUP_STATE_PATH = path15.join(os5.homedir(), ".exe-os", "setup-state.json");
   }
 });
 
 // src/lib/update-check.ts
 import { execSync as execSync4 } from "child_process";
-import { readFileSync as readFileSync9 } from "fs";
-import path14 from "path";
+import { readFileSync as readFileSync11 } from "fs";
+import path16 from "path";
 function getLocalVersion(packageRoot) {
-  const pkgPath = path14.join(packageRoot, "package.json");
-  const pkg = JSON.parse(readFileSync9(pkgPath, "utf-8"));
+  const pkgPath = path16.join(packageRoot, "package.json");
+  const pkg = JSON.parse(readFileSync11(pkgPath, "utf-8"));
   return pkg.version;
 }
 function getRemoteVersion() {
@@ -7925,7 +9182,7 @@ var init_yoga_wasm_base64_esm = __esm({
 });
 
 // node_modules/yoga-layout/dist/src/generated/YGEnums.js
-var Align, BoxSizing, Dimension, Direction, Display, Edge, Errata, ExperimentalFeature, FlexDirection, Gutter, Justify, LogLevel, MeasureMode, NodeType, Overflow, PositionType, Unit, Wrap, constants, YGEnums_default;
+var Align, BoxSizing, Dimension, Direction, Display, Edge, Errata, ExperimentalFeature, FlexDirection, Gutter, Justify, LogLevel, MeasureMode, NodeType, Overflow, PositionType, Unit, Wrap, constants2, YGEnums_default;
 var init_YGEnums = __esm({
   "node_modules/yoga-layout/dist/src/generated/YGEnums.js"() {
     "use strict";
@@ -8055,7 +9312,7 @@ var init_YGEnums = __esm({
       Wrap2[Wrap2["WrapReverse"] = 2] = "WrapReverse";
       return Wrap2;
     })({});
-    constants = {
+    constants2 = {
       ALIGN_AUTO: Align.Auto,
       ALIGN_FLEX_START: Align.FlexStart,
       ALIGN_CENTER: Align.Center,
@@ -8129,7 +9386,7 @@ var init_YGEnums = __esm({
       WRAP_WRAP: Wrap.Wrap,
       WRAP_WRAP_REVERSE: Wrap.WrapReverse
     };
-    YGEnums_default = constants;
+    YGEnums_default = constants2;
   }
 });
 
@@ -10813,8 +12070,8 @@ var init_ErrorOverview = __esm({
     "use strict";
     init_Box();
     init_Text();
-    cleanupPath = (path34) => {
-      return path34?.replace(`file://${cwd()}/`, "");
+    cleanupPath = (path36) => {
+      return path36?.replace(`file://${cwd()}/`, "");
     };
     stackUtils = new StackUtils({
       cwd: cwd(),
@@ -12843,14 +14100,14 @@ __export(session_registry_exports, {
   pruneStaleSessions: () => pruneStaleSessions,
   registerSession: () => registerSession
 });
-import { readFileSync as readFileSync11, writeFileSync as writeFileSync6, mkdirSync as mkdirSync7, existsSync as existsSync14 } from "fs";
+import { readFileSync as readFileSync13, writeFileSync as writeFileSync8, mkdirSync as mkdirSync9, existsSync as existsSync16 } from "fs";
 import { execSync as execSync6 } from "child_process";
-import path15 from "path";
+import path17 from "path";
 import os6 from "os";
 function registerSession(entry) {
-  const dir = path15.dirname(REGISTRY_PATH);
-  if (!existsSync14(dir)) {
-    mkdirSync7(dir, { recursive: true });
+  const dir = path17.dirname(REGISTRY_PATH);
+  if (!existsSync16(dir)) {
+    mkdirSync9(dir, { recursive: true });
   }
   const sessions = listSessions();
   const idx = sessions.findIndex((s) => s.windowName === entry.windowName);
@@ -12859,11 +14116,11 @@ function registerSession(entry) {
   } else {
     sessions.push(entry);
   }
-  writeFileSync6(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
+  writeFileSync8(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
 }
 function listSessions() {
   try {
-    const raw = readFileSync11(REGISTRY_PATH, "utf8");
+    const raw = readFileSync13(REGISTRY_PATH, "utf8");
     return JSON.parse(raw);
   } catch {
     return [];
@@ -12884,7 +14141,7 @@ function pruneStaleSessions() {
   const alive = sessions.filter((s) => liveSet.has(s.windowName));
   const pruned = sessions.length - alive.length;
   if (pruned > 0) {
-    writeFileSync6(REGISTRY_PATH, JSON.stringify(alive, null, 2));
+    writeFileSync8(REGISTRY_PATH, JSON.stringify(alive, null, 2));
   }
   return pruned;
 }
@@ -12892,7 +14149,7 @@ var REGISTRY_PATH;
 var init_session_registry = __esm({
   "src/lib/session-registry.ts"() {
     "use strict";
-    REGISTRY_PATH = path15.join(os6.homedir(), ".exe-os", "session-registry.json");
+    REGISTRY_PATH = path17.join(os6.homedir(), ".exe-os", "session-registry.json");
   }
 });
 
@@ -13097,17 +14354,17 @@ var init_provider_table = __esm({
 });
 
 // src/lib/intercom-queue.ts
-import { readFileSync as readFileSync12, writeFileSync as writeFileSync7, renameSync as renameSync4, existsSync as existsSync15, mkdirSync as mkdirSync8 } from "fs";
-import path16 from "path";
+import { readFileSync as readFileSync14, writeFileSync as writeFileSync9, renameSync as renameSync4, existsSync as existsSync17, mkdirSync as mkdirSync10 } from "fs";
+import path18 from "path";
 import os7 from "os";
 function ensureDir2() {
-  const dir = path16.dirname(QUEUE_PATH);
-  if (!existsSync15(dir)) mkdirSync8(dir, { recursive: true });
+  const dir = path18.dirname(QUEUE_PATH);
+  if (!existsSync17(dir)) mkdirSync10(dir, { recursive: true });
 }
 function readQueue() {
   try {
-    if (!existsSync15(QUEUE_PATH)) return [];
-    return JSON.parse(readFileSync12(QUEUE_PATH, "utf8"));
+    if (!existsSync17(QUEUE_PATH)) return [];
+    return JSON.parse(readFileSync14(QUEUE_PATH, "utf8"));
   } catch {
     return [];
   }
@@ -13115,7 +14372,7 @@ function readQueue() {
 function writeQueue(queue) {
   ensureDir2();
   const tmp = `${QUEUE_PATH}.tmp`;
-  writeFileSync7(tmp, JSON.stringify(queue, null, 2));
+  writeFileSync9(tmp, JSON.stringify(queue, null, 2));
   renameSync4(tmp, QUEUE_PATH);
 }
 function queueIntercom(targetSession, reason) {
@@ -13139,19 +14396,19 @@ var QUEUE_PATH, TTL_MS, INTERCOM_LOG;
 var init_intercom_queue = __esm({
   "src/lib/intercom-queue.ts"() {
     "use strict";
-    QUEUE_PATH = path16.join(os7.homedir(), ".exe-os", "intercom-queue.json");
+    QUEUE_PATH = path18.join(os7.homedir(), ".exe-os", "intercom-queue.json");
     TTL_MS = 60 * 60 * 1e3;
-    INTERCOM_LOG = path16.join(os7.homedir(), ".exe-os", "intercom.log");
+    INTERCOM_LOG = path18.join(os7.homedir(), ".exe-os", "intercom.log");
   }
 });
 
 // src/lib/plan-limits.ts
-import { readFileSync as readFileSync13, existsSync as existsSync16 } from "fs";
-import path17 from "path";
+import { readFileSync as readFileSync15, existsSync as existsSync18 } from "fs";
+import path19 from "path";
 function getLicenseSync() {
   try {
-    if (!existsSync16(CACHE_PATH2)) return freeLicense();
-    const raw = JSON.parse(readFileSync13(CACHE_PATH2, "utf8"));
+    if (!existsSync18(CACHE_PATH2)) return freeLicense();
+    const raw = JSON.parse(readFileSync15(CACHE_PATH2, "utf8"));
     if (!raw.token || typeof raw.token !== "string") return freeLicense();
     const parts = raw.token.split(".");
     if (parts.length !== 3) return freeLicense();
@@ -13189,8 +14446,8 @@ function assertEmployeeLimitSync(rosterPath) {
   const filePath = rosterPath ?? EMPLOYEES_PATH;
   let count = 0;
   try {
-    if (existsSync16(filePath)) {
-      const raw = readFileSync13(filePath, "utf8");
+    if (existsSync18(filePath)) {
+      const raw = readFileSync15(filePath, "utf8");
       const employees = JSON.parse(raw);
       count = Array.isArray(employees) ? employees.length : 0;
     }
@@ -13219,25 +14476,25 @@ var init_plan_limits = __esm({
         this.name = "PlanLimitError";
       }
     };
-    CACHE_PATH2 = path17.join(EXE_AI_DIR, "license-cache.json");
+    CACHE_PATH2 = path19.join(EXE_AI_DIR, "license-cache.json");
   }
 });
 
 // src/lib/notifications.ts
-import crypto4 from "crypto";
-import path18 from "path";
+import crypto5 from "crypto";
+import path20 from "path";
 import os8 from "os";
 import {
-  readFileSync as readFileSync14,
-  readdirSync as readdirSync3,
-  unlinkSync as unlinkSync5,
-  existsSync as existsSync17,
+  readFileSync as readFileSync16,
+  readdirSync as readdirSync5,
+  unlinkSync as unlinkSync7,
+  existsSync as existsSync19,
   rmdirSync
 } from "fs";
 async function writeNotification(notification) {
   try {
     const client = getClient();
-    const id = crypto4.randomUUID();
+    const id = crypto5.randomUUID();
     const now = (/* @__PURE__ */ new Date()).toISOString();
     await client.execute({
       sql: `INSERT INTO notifications (id, agent_id, agent_role, event, project, summary, task_file, read, created_at)
@@ -13276,7 +14533,7 @@ var init_notifications = __esm({
 });
 
 // src/lib/session-kill-telemetry.ts
-import crypto5 from "crypto";
+import crypto6 from "crypto";
 async function recordSessionKill(input) {
   try {
     const client = getClient();
@@ -13286,7 +14543,7 @@ async function recordSessionKill(input) {
                ticks_idle, estimated_tokens_saved)
             VALUES (?, ?, ?, ?, ?, ?, ?)`,
       args: [
-        crypto5.randomUUID(),
+        crypto6.randomUUID(),
         input.sessionName,
         input.agentId,
         (/* @__PURE__ */ new Date()).toISOString(),
@@ -13325,11 +14582,11 @@ __export(tasks_crud_exports, {
   updateTaskStatus: () => updateTaskStatus,
   writeCheckpoint: () => writeCheckpoint
 });
-import crypto6 from "crypto";
-import path19 from "path";
+import crypto7 from "crypto";
+import path21 from "path";
 import { execSync as execSync9 } from "child_process";
 import { mkdir as mkdir6, writeFile as writeFile5, appendFile } from "fs/promises";
-import { existsSync as existsSync18, readFileSync as readFileSync15 } from "fs";
+import { existsSync as existsSync20, readFileSync as readFileSync17 } from "fs";
 async function writeCheckpoint(input) {
   const client = getClient();
   const row = await resolveTask(client, input.taskId);
@@ -13416,7 +14673,7 @@ async function resolveTask(client, identifier, scopeSession) {
 }
 async function createTaskCore(input) {
   const client = getClient();
-  const id = crypto6.randomUUID();
+  const id = crypto7.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const slug = slugify(input.title);
   const taskFile = input.taskFile ?? `exe/${input.assignedTo}/${slug}.md`;
@@ -13461,8 +14718,8 @@ async function createTaskCore(input) {
   }
   if (input.baseDir) {
     try {
-      await mkdir6(path19.join(input.baseDir, "exe", "output"), { recursive: true });
-      await mkdir6(path19.join(input.baseDir, "exe", "research"), { recursive: true });
+      await mkdir6(path21.join(input.baseDir, "exe", "output"), { recursive: true });
+      await mkdir6(path21.join(input.baseDir, "exe", "research"), { recursive: true });
       await ensureArchitectureDoc(input.baseDir, input.projectName);
       await ensureGitignoreExe(input.baseDir);
     } catch {
@@ -13682,9 +14939,9 @@ async function deleteTaskCore(taskId, _baseDir) {
   return { taskFile, assignedTo, assignedBy, taskSlug };
 }
 async function ensureArchitectureDoc(baseDir, projectName) {
-  const archPath = path19.join(baseDir, "exe", "ARCHITECTURE.md");
+  const archPath = path21.join(baseDir, "exe", "ARCHITECTURE.md");
   try {
-    if (existsSync18(archPath)) return;
+    if (existsSync20(archPath)) return;
     const template = [
       `# ${projectName} \u2014 System Architecture`,
       "",
@@ -13717,10 +14974,10 @@ async function ensureArchitectureDoc(baseDir, projectName) {
   }
 }
 async function ensureGitignoreExe(baseDir) {
-  const gitignorePath = path19.join(baseDir, ".gitignore");
+  const gitignorePath = path21.join(baseDir, ".gitignore");
   try {
-    if (existsSync18(gitignorePath)) {
-      const content = readFileSync15(gitignorePath, "utf-8");
+    if (existsSync20(gitignorePath)) {
+      const content = readFileSync17(gitignorePath, "utf-8");
       if (/^\/?exe\/?$/m.test(content)) return;
       await appendFile(gitignorePath, "\n# Employee task assignments (private)\n/exe/\n");
     } else {
@@ -13741,8 +14998,8 @@ var init_tasks_crud = __esm({
 });
 
 // src/lib/tasks-review.ts
-import path20 from "path";
-import { existsSync as existsSync19, readdirSync as readdirSync4, unlinkSync as unlinkSync6 } from "fs";
+import path22 from "path";
+import { existsSync as existsSync21, readdirSync as readdirSync6, unlinkSync as unlinkSync8 } from "fs";
 async function countPendingReviews(sessionScope) {
   const client = getClient();
   if (sessionScope) {
@@ -13923,11 +15180,11 @@ async function cleanupReviewFile(row, taskFile, _baseDir) {
     );
   }
   try {
-    const cacheDir = path20.join(EXE_AI_DIR, "session-cache");
-    if (existsSync19(cacheDir)) {
-      for (const f of readdirSync4(cacheDir)) {
+    const cacheDir = path22.join(EXE_AI_DIR, "session-cache");
+    if (existsSync21(cacheDir)) {
+      for (const f of readdirSync6(cacheDir)) {
         if (f.startsWith("review-notified-")) {
-          unlinkSync6(path20.join(cacheDir, f));
+          unlinkSync8(path22.join(cacheDir, f));
         }
       }
     }
@@ -13948,7 +15205,7 @@ var init_tasks_review = __esm({
 });
 
 // src/lib/tasks-chain.ts
-import path21 from "path";
+import path23 from "path";
 import { readFile as readFile5, writeFile as writeFile6 } from "fs/promises";
 async function cascadeUnblock(taskId, baseDir, now) {
   const client = getClient();
@@ -13965,7 +15222,7 @@ async function cascadeUnblock(taskId, baseDir, now) {
     });
     for (const ur of unblockedRows.rows) {
       try {
-        const ubFile = path21.join(baseDir, String(ur.task_file));
+        const ubFile = path23.join(baseDir, String(ur.task_file));
         let ubContent = await readFile5(ubFile, "utf-8");
         ubContent = ubContent.replace(/\*\*Status:\*\* blocked/, "**Status:** open");
         ubContent = ubContent.replace(/\n\*\*Blocked by:\*\*.*\n/, "\n");
@@ -14034,7 +15291,7 @@ var init_tasks_chain = __esm({
 
 // src/lib/project-name.ts
 import { execSync as execSync10 } from "child_process";
-import path22 from "path";
+import path24 from "path";
 function getProjectName(cwd2) {
   const dir = cwd2 ?? process.cwd();
   if (_cached2 && _cachedCwd === dir) return _cached2;
@@ -14047,7 +15304,7 @@ function getProjectName(cwd2) {
         timeout: 2e3,
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
-      repoRoot = path22.dirname(gitCommonDir);
+      repoRoot = path24.dirname(gitCommonDir);
     } catch {
       repoRoot = execSync10("git rev-parse --show-toplevel", {
         cwd: dir,
@@ -14056,11 +15313,11 @@ function getProjectName(cwd2) {
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
     }
-    _cached2 = path22.basename(repoRoot);
+    _cached2 = path24.basename(repoRoot);
     _cachedCwd = dir;
     return _cached2;
   } catch {
-    _cached2 = path22.basename(dir);
+    _cached2 = path24.basename(dir);
     _cachedCwd = dir;
     return _cached2;
   }
@@ -14202,10 +15459,10 @@ var init_tasks_notify = __esm({
 });
 
 // src/lib/behaviors.ts
-import crypto7 from "crypto";
+import crypto8 from "crypto";
 async function storeBehavior(opts) {
   const client = getClient();
-  const id = crypto7.randomUUID();
+  const id = crypto8.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   await client.execute({
     sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, priority, content, active, created_at, updated_at)
@@ -14234,7 +15491,7 @@ __export(skill_learning_exports, {
   storeTrajectory: () => storeTrajectory,
   sweepTrajectories: () => sweepTrajectories
 });
-import crypto8 from "crypto";
+import crypto9 from "crypto";
 async function extractTrajectory(taskId, agentId) {
   const client = getClient();
   const result = await client.execute({
@@ -14263,11 +15520,11 @@ async function extractTrajectory(taskId, agentId) {
   return signature;
 }
 function hashSignature(signature) {
-  return crypto8.createHash("sha256").update(signature.join("|")).digest("hex").slice(0, 16);
+  return crypto9.createHash("sha256").update(signature.join("|")).digest("hex").slice(0, 16);
 }
 async function storeTrajectory(opts) {
   const client = getClient();
-  const id = crypto8.randomUUID();
+  const id = crypto9.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const signatureHash = hashSignature(opts.signature);
   await client.execute({
@@ -14532,8 +15789,8 @@ __export(tasks_exports, {
   updateTaskStatus: () => updateTaskStatus,
   writeCheckpoint: () => writeCheckpoint
 });
-import path23 from "path";
-import { writeFileSync as writeFileSync8, mkdirSync as mkdirSync9, unlinkSync as unlinkSync7 } from "fs";
+import path25 from "path";
+import { writeFileSync as writeFileSync10, mkdirSync as mkdirSync11, unlinkSync as unlinkSync9 } from "fs";
 async function createTask(input) {
   const result = await createTaskCore(input);
   if (!input.skipDispatch && result.status !== "blocked" && !process.env.VITEST) {
@@ -14552,14 +15809,14 @@ async function updateTask(input) {
   const { row, taskFile, now, taskId } = await updateTaskStatus(input);
   try {
     const agent = String(row.assigned_to);
-    const cacheDir = path23.join(EXE_AI_DIR, "session-cache");
-    const cachePath = path23.join(cacheDir, `current-task-${agent}.json`);
+    const cacheDir = path25.join(EXE_AI_DIR, "session-cache");
+    const cachePath = path25.join(cacheDir, `current-task-${agent}.json`);
     if (input.status === "in_progress") {
-      mkdirSync9(cacheDir, { recursive: true });
-      writeFileSync8(cachePath, JSON.stringify({ taskId, title: String(row.title) }));
+      mkdirSync11(cacheDir, { recursive: true });
+      writeFileSync10(cachePath, JSON.stringify({ taskId, title: String(row.title) }));
     } else if (input.status === "done" || input.status === "blocked" || input.status === "cancelled") {
       try {
-        unlinkSync7(cachePath);
+        unlinkSync9(cachePath);
       } catch {
       }
     }
@@ -15001,13 +16258,13 @@ __export(tmux_routing_exports, {
   verifyPaneAtCapacity: () => verifyPaneAtCapacity
 });
 import { execFileSync as execFileSync3, execSync as execSync11 } from "child_process";
-import { readFileSync as readFileSync16, writeFileSync as writeFileSync9, mkdirSync as mkdirSync10, existsSync as existsSync20, appendFileSync } from "fs";
-import path24 from "path";
+import { readFileSync as readFileSync18, writeFileSync as writeFileSync11, mkdirSync as mkdirSync12, existsSync as existsSync22, appendFileSync as appendFileSync2 } from "fs";
+import path26 from "path";
 import os9 from "os";
 import { fileURLToPath as fileURLToPath4 } from "url";
-import { unlinkSync as unlinkSync8 } from "fs";
+import { unlinkSync as unlinkSync10 } from "fs";
 function spawnLockPath(sessionName) {
-  return path24.join(SPAWN_LOCK_DIR, `${sessionName}.lock`);
+  return path26.join(SPAWN_LOCK_DIR, `${sessionName}.lock`);
 }
 function isProcessAlive(pid) {
   try {
@@ -15018,13 +16275,13 @@ function isProcessAlive(pid) {
   }
 }
 function acquireSpawnLock2(sessionName) {
-  if (!existsSync20(SPAWN_LOCK_DIR)) {
-    mkdirSync10(SPAWN_LOCK_DIR, { recursive: true });
+  if (!existsSync22(SPAWN_LOCK_DIR)) {
+    mkdirSync12(SPAWN_LOCK_DIR, { recursive: true });
   }
   const lockFile = spawnLockPath(sessionName);
-  if (existsSync20(lockFile)) {
+  if (existsSync22(lockFile)) {
     try {
-      const lock = JSON.parse(readFileSync16(lockFile, "utf8"));
+      const lock = JSON.parse(readFileSync18(lockFile, "utf8"));
       const age = Date.now() - lock.timestamp;
       if (isProcessAlive(lock.pid) && age < 6e4) {
         return false;
@@ -15032,25 +16289,25 @@ function acquireSpawnLock2(sessionName) {
     } catch {
     }
   }
-  writeFileSync9(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
+  writeFileSync11(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
   return true;
 }
 function releaseSpawnLock2(sessionName) {
   try {
-    unlinkSync8(spawnLockPath(sessionName));
+    unlinkSync10(spawnLockPath(sessionName));
   } catch {
   }
 }
 function resolveBehaviorsExporterScript() {
   try {
     const thisFile = fileURLToPath4(import.meta.url);
-    const scriptPath = path24.join(
-      path24.dirname(thisFile),
+    const scriptPath = path26.join(
+      path26.dirname(thisFile),
       "..",
       "bin",
       "exe-export-behaviors.js"
     );
-    return existsSync20(scriptPath) ? scriptPath : null;
+    return existsSync22(scriptPath) ? scriptPath : null;
   } catch {
     return null;
   }
@@ -15114,12 +16371,12 @@ function extractRootExe(name) {
   return match?.[1] ?? null;
 }
 function registerParentExe(sessionKey, parentExe, dispatchedBy) {
-  if (!existsSync20(SESSION_CACHE)) {
-    mkdirSync10(SESSION_CACHE, { recursive: true });
+  if (!existsSync22(SESSION_CACHE)) {
+    mkdirSync12(SESSION_CACHE, { recursive: true });
   }
   const rootExe = extractRootExe(parentExe) ?? parentExe;
-  const filePath = path24.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`);
-  writeFileSync9(filePath, JSON.stringify({
+  const filePath = path26.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`);
+  writeFileSync11(filePath, JSON.stringify({
     parentExe: rootExe,
     dispatchedBy: dispatchedBy || rootExe,
     registeredAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -15127,7 +16384,7 @@ function registerParentExe(sessionKey, parentExe, dispatchedBy) {
 }
 function getParentExe(sessionKey) {
   try {
-    const data = JSON.parse(readFileSync16(path24.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
+    const data = JSON.parse(readFileSync18(path26.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
     return data.parentExe || null;
   } catch {
     return null;
@@ -15135,8 +16392,8 @@ function getParentExe(sessionKey) {
 }
 function getDispatchedBy(sessionKey) {
   try {
-    const data = JSON.parse(readFileSync16(
-      path24.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`),
+    const data = JSON.parse(readFileSync18(
+      path26.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`),
       "utf8"
     ));
     return data.dispatchedBy ?? data.parentExe ?? null;
@@ -15197,16 +16454,16 @@ async function verifyPaneAtCapacity(sessionName) {
 }
 function readDebounceState() {
   try {
-    if (!existsSync20(DEBOUNCE_FILE)) return {};
-    return JSON.parse(readFileSync16(DEBOUNCE_FILE, "utf8"));
+    if (!existsSync22(DEBOUNCE_FILE)) return {};
+    return JSON.parse(readFileSync18(DEBOUNCE_FILE, "utf8"));
   } catch {
     return {};
   }
 }
 function writeDebounceState(state) {
   try {
-    if (!existsSync20(SESSION_CACHE)) mkdirSync10(SESSION_CACHE, { recursive: true });
-    writeFileSync9(DEBOUNCE_FILE, JSON.stringify(state));
+    if (!existsSync22(SESSION_CACHE)) mkdirSync12(SESSION_CACHE, { recursive: true });
+    writeFileSync11(DEBOUNCE_FILE, JSON.stringify(state));
   } catch {
   }
 }
@@ -15230,7 +16487,7 @@ function logIntercom(msg) {
   process.stderr.write(`[intercom] ${msg}
 `);
   try {
-    appendFileSync(INTERCOM_LOG2, line);
+    appendFileSync2(INTERCOM_LOG2, line);
   } catch {
   }
 }
@@ -15395,26 +16652,26 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   const transport = getTransport();
   const sessionName = employeeSessionName(employeeName, exeSession, opts?.instance);
   const instanceLabel = opts?.instance != null && opts.instance > 0 ? `${employeeName}${opts.instance}` : employeeName;
-  const logDir = path24.join(os9.homedir(), ".exe-os", "session-logs");
-  const logFile = path24.join(logDir, `${instanceLabel}-${Date.now()}.log`);
-  if (!existsSync20(logDir)) {
-    mkdirSync10(logDir, { recursive: true });
+  const logDir = path26.join(os9.homedir(), ".exe-os", "session-logs");
+  const logFile = path26.join(logDir, `${instanceLabel}-${Date.now()}.log`);
+  if (!existsSync22(logDir)) {
+    mkdirSync12(logDir, { recursive: true });
   }
   transport.kill(sessionName);
   let cleanupSuffix = "";
   try {
     const thisFile = fileURLToPath4(import.meta.url);
-    const cleanupScript = path24.join(path24.dirname(thisFile), "..", "bin", "exe-session-cleanup.js");
-    if (existsSync20(cleanupScript)) {
+    const cleanupScript = path26.join(path26.dirname(thisFile), "..", "bin", "exe-session-cleanup.js");
+    if (existsSync22(cleanupScript)) {
       cleanupSuffix = `; ${process.execPath} "${cleanupScript}" "${employeeName}" "${exeSession}"`;
     }
   } catch {
   }
   try {
-    const claudeJsonPath = path24.join(os9.homedir(), ".claude.json");
+    const claudeJsonPath = path26.join(os9.homedir(), ".claude.json");
     let claudeJson = {};
     try {
-      claudeJson = JSON.parse(readFileSync16(claudeJsonPath, "utf8"));
+      claudeJson = JSON.parse(readFileSync18(claudeJsonPath, "utf8"));
     } catch {
     }
     if (!claudeJson.projects) claudeJson.projects = {};
@@ -15422,17 +16679,17 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     const trustDir = opts?.cwd ?? projectDir;
     if (!projects[trustDir]) projects[trustDir] = {};
     projects[trustDir].hasTrustDialogAccepted = true;
-    writeFileSync9(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+    writeFileSync11(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
   } catch {
   }
   try {
-    const settingsDir = path24.join(os9.homedir(), ".claude", "projects");
+    const settingsDir = path26.join(os9.homedir(), ".claude", "projects");
     const normalizedKey = (opts?.cwd ?? projectDir).replace(/\//g, "-").replace(/^-/, "");
-    const projSettingsDir = path24.join(settingsDir, normalizedKey);
-    const settingsPath = path24.join(projSettingsDir, "settings.json");
+    const projSettingsDir = path26.join(settingsDir, normalizedKey);
+    const settingsPath = path26.join(projSettingsDir, "settings.json");
     let settings = {};
     try {
-      settings = JSON.parse(readFileSync16(settingsPath, "utf8"));
+      settings = JSON.parse(readFileSync18(settingsPath, "utf8"));
     } catch {
     }
     const perms = settings.permissions ?? {};
@@ -15460,8 +16717,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     if (changed) {
       perms.allow = allow;
       settings.permissions = perms;
-      mkdirSync10(projSettingsDir, { recursive: true });
-      writeFileSync9(settingsPath, JSON.stringify(settings, null, 2) + "\n");
+      mkdirSync12(projSettingsDir, { recursive: true });
+      writeFileSync11(settingsPath, JSON.stringify(settings, null, 2) + "\n");
     }
   } catch {
   }
@@ -15473,7 +16730,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   let behaviorsFlag = "";
   let legacyFallbackWarned = false;
   if (!useExeAgent && !useBinSymlink) {
-    const identityPath2 = path24.join(
+    const identityPath2 = path26.join(
       os9.homedir(),
       ".exe-os",
       "identity",
@@ -15483,13 +16740,13 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     const hasAgentFlag = claudeSupportsAgentFlag();
     if (hasAgentFlag) {
       identityFlag = ` --agent ${employeeName}`;
-    } else if (existsSync20(identityPath2)) {
+    } else if (existsSync22(identityPath2)) {
       identityFlag = ` --append-system-prompt-file ${identityPath2}`;
       legacyFallbackWarned = true;
     }
     const behaviorsFile = exportBehaviorsSync(
       employeeName,
-      path24.basename(spawnCwd),
+      path26.basename(spawnCwd),
       sessionName
     );
     if (behaviorsFile) {
@@ -15504,16 +16761,16 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   let sessionContextFlag = "";
   try {
-    const ctxDir = path24.join(os9.homedir(), ".exe-os", "session-cache");
-    mkdirSync10(ctxDir, { recursive: true });
-    const ctxFile = path24.join(ctxDir, `session-context-${sessionName}.md`);
+    const ctxDir = path26.join(os9.homedir(), ".exe-os", "session-cache");
+    mkdirSync12(ctxDir, { recursive: true });
+    const ctxFile = path26.join(ctxDir, `session-context-${sessionName}.md`);
     const ctxContent = [
       `## Session Context`,
       `You are running in tmux session: ${sessionName}.`,
       `Your parent exe session is ${exeSession}.`,
       `Your employees (if any) use the -${exeSession} suffix (e.g., tom-${exeSession}).`
     ].join("\n");
-    writeFileSync9(ctxFile, ctxContent);
+    writeFileSync11(ctxFile, ctxContent);
     sessionContextFlag = ` --append-system-prompt-file ${ctxFile}`;
   } catch {
   }
@@ -15551,8 +16808,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   transport.pipeLog(sessionName, logFile);
   try {
     const mySession = getMySession();
-    const dispatchInfo = path24.join(SESSION_CACHE, `dispatch-info-${sessionName}.json`);
-    writeFileSync9(dispatchInfo, JSON.stringify({
+    const dispatchInfo = path26.join(SESSION_CACHE, `dispatch-info-${sessionName}.json`);
+    writeFileSync11(dispatchInfo, JSON.stringify({
       dispatchedBy: mySession,
       rootExe: exeSession,
       provider: useBinSymlink ? ccProvider : useExeAgent ? opts.provider : "anthropic",
@@ -15615,14 +16872,14 @@ var init_tmux_routing = __esm({
     init_provider_table();
     init_intercom_queue();
     init_plan_limits();
-    SPAWN_LOCK_DIR = path24.join(os9.homedir(), ".exe-os", "spawn-locks");
-    SESSION_CACHE = path24.join(os9.homedir(), ".exe-os", "session-cache");
+    SPAWN_LOCK_DIR = path26.join(os9.homedir(), ".exe-os", "spawn-locks");
+    SESSION_CACHE = path26.join(os9.homedir(), ".exe-os", "session-cache");
     BEHAVIORS_EXPORT_TIMEOUT_MS = 1e4;
     VALID_SESSION_NAME = /^[a-z]+\d*-[a-zA-Z0-9_]+$/;
     VERIFY_PANE_LINES = 200;
     INTERCOM_DEBOUNCE_MS = 3e4;
-    INTERCOM_LOG2 = path24.join(os9.homedir(), ".exe-os", "intercom.log");
-    DEBOUNCE_FILE = path24.join(SESSION_CACHE, "intercom-debounce.json");
+    INTERCOM_LOG2 = path26.join(os9.homedir(), ".exe-os", "intercom.log");
+    DEBOUNCE_FILE = path26.join(SESSION_CACHE, "intercom-debounce.json");
     DEBOUNCE_CLEANUP_AGE_MS = 5 * 60 * 1e3;
     BUSY_PATTERN = /[✻✽✶✳·].*…|Running…/;
   }
@@ -16043,11 +17300,11 @@ function Footer() {
       } catch {
       }
       try {
-        const { existsSync: existsSync22 } = await import("fs");
+        const { existsSync: existsSync24 } = await import("fs");
         const { join } = await import("path");
         const home = process.env.HOME ?? "";
         const pidPath = join(home, ".exe-os", "exed.pid");
-        setDaemon(existsSync22(pidPath) ? "running" : "stopped");
+        setDaemon(existsSync24(pidPath) ? "running" : "stopped");
       } catch {
         setDaemon("unknown");
       }
@@ -18078,10 +19335,10 @@ var init_hooks = __esm({
 });
 
 // src/runtime/safety-checks.ts
-import path25 from "path";
+import path27 from "path";
 import os10 from "os";
 function checkPathSafety(filePath) {
-  const resolved = path25.resolve(filePath);
+  const resolved = path27.resolve(filePath);
   for (const { pattern, reason } of BYPASS_IMMUNE_PATTERNS) {
     const matches = typeof pattern === "function" ? pattern(resolved) : pattern.test(resolved);
     if (matches) {
@@ -18091,7 +19348,7 @@ function checkPathSafety(filePath) {
   return { safe: true, bypassImmune: true };
 }
 function checkReadPathSafety(filePath) {
-  const resolved = path25.resolve(filePath);
+  const resolved = path27.resolve(filePath);
   const credPatterns = BYPASS_IMMUNE_PATTERNS.filter(
     (p) => typeof p.pattern !== "function" && (p.reason.includes("secrets") || p.reason.includes("Private key") || p.reason.includes("Credential"))
   );
@@ -18117,11 +19374,11 @@ var init_safety_checks = __esm({
         reason: "Git config can set hooks and command execution"
       },
       {
-        pattern: (p) => p.startsWith(path25.join(HOME, ".claude")),
+        pattern: (p) => p.startsWith(path27.join(HOME, ".claude")),
         reason: "Claude configuration files are protected"
       },
       {
-        pattern: (p) => p.startsWith(path25.join(HOME, ".exe-os")),
+        pattern: (p) => p.startsWith(path27.join(HOME, ".exe-os")),
         reason: "exe-os configuration files are protected"
       },
       {
@@ -18138,7 +19395,7 @@ var init_safety_checks = __esm({
       },
       {
         pattern: (p) => {
-          const name = path25.basename(p);
+          const name = path27.basename(p);
           return [".bashrc", ".zshrc", ".profile", ".bash_profile", ".zprofile", ".zshenv"].includes(name);
         },
         reason: "Shell configuration files can execute arbitrary code on login"
@@ -18165,7 +19422,7 @@ __export(file_read_exports, {
   FileReadTool: () => FileReadTool
 });
 import fs3 from "fs/promises";
-import path26 from "path";
+import path28 from "path";
 import { z } from "zod";
 function isBinary(buf) {
   for (let i = 0; i < buf.length; i++) {
@@ -18201,7 +19458,7 @@ var init_file_read = __esm({
         return { behavior: "allow" };
       },
       async call(input, context) {
-        const filePath = path26.isAbsolute(input.file_path) ? input.file_path : path26.resolve(context.cwd, input.file_path);
+        const filePath = path28.isAbsolute(input.file_path) ? input.file_path : path28.resolve(context.cwd, input.file_path);
         let stat2;
         try {
           stat2 = await fs3.stat(filePath);
@@ -18241,7 +19498,7 @@ __export(glob_exports, {
   GlobTool: () => GlobTool
 });
 import fs4 from "fs/promises";
-import path27 from "path";
+import path29 from "path";
 import { z as z2 } from "zod";
 async function walkDir(dir, maxDepth = 10) {
   const results = [];
@@ -18257,7 +19514,7 @@ async function walkDir(dir, maxDepth = 10) {
       if (entry.isDirectory() && (entry.name === "node_modules" || entry.name === ".git")) {
         continue;
       }
-      const fullPath = path27.join(current, entry.name);
+      const fullPath = path29.join(current, entry.name);
       if (entry.isDirectory()) {
         await walk(fullPath, depth + 1);
       } else {
@@ -18291,11 +19548,11 @@ var init_glob = __esm({
       inputSchema: inputSchema2,
       isReadOnly: true,
       async call(input, context) {
-        const baseDir = input.path ? path27.isAbsolute(input.path) ? input.path : path27.resolve(context.cwd, input.path) : context.cwd;
+        const baseDir = input.path ? path29.isAbsolute(input.path) ? input.path : path29.resolve(context.cwd, input.path) : context.cwd;
         try {
           const entries = await walkDir(baseDir);
           const matched = entries.filter(
-            (e) => simpleGlobMatch(path27.relative(baseDir, e.path), input.pattern)
+            (e) => simpleGlobMatch(path29.relative(baseDir, e.path), input.pattern)
           );
           matched.sort((a, b) => b.mtime - a.mtime);
           if (matched.length === 0) {
@@ -18321,7 +19578,7 @@ __export(grep_exports, {
 });
 import { spawn as spawn2 } from "child_process";
 import fs5 from "fs/promises";
-import path28 from "path";
+import path30 from "path";
 import { z as z3 } from "zod";
 function runRipgrep(input, searchPath, context) {
   return new Promise((resolve, reject) => {
@@ -18375,7 +19632,7 @@ async function nodeGrep(input, searchPath) {
     }
     for (const entry of entries) {
       if (entry.name === "node_modules" || entry.name === ".git") continue;
-      const fullPath = path28.join(dir, entry.name);
+      const fullPath = path30.join(dir, entry.name);
       if (entry.isDirectory()) {
         await walk(fullPath);
       } else {
@@ -18421,7 +19678,7 @@ var init_grep = __esm({
       inputSchema: inputSchema3,
       isReadOnly: true,
       async call(input, context) {
-        const searchPath = input.path ? path28.isAbsolute(input.path) ? input.path : path28.resolve(context.cwd, input.path) : context.cwd;
+        const searchPath = input.path ? path30.isAbsolute(input.path) ? input.path : path30.resolve(context.cwd, input.path) : context.cwd;
         try {
           const result = await runRipgrep(input, searchPath, context);
           return result;
@@ -18446,7 +19703,7 @@ __export(file_write_exports, {
   FileWriteTool: () => FileWriteTool
 });
 import fs6 from "fs/promises";
-import path29 from "path";
+import path31 from "path";
 import { z as z4 } from "zod";
 var inputSchema4, FileWriteTool;
 var init_file_write = __esm({
@@ -18474,8 +19731,8 @@ var init_file_write = __esm({
         return { behavior: "allow" };
       },
       async call(input, context) {
-        const filePath = path29.isAbsolute(input.file_path) ? input.file_path : path29.resolve(context.cwd, input.file_path);
-        const dir = path29.dirname(filePath);
+        const filePath = path31.isAbsolute(input.file_path) ? input.file_path : path31.resolve(context.cwd, input.file_path);
+        const dir = path31.dirname(filePath);
         await fs6.mkdir(dir, { recursive: true });
         await fs6.writeFile(filePath, input.content, "utf-8");
         return {
@@ -18493,7 +19750,7 @@ __export(file_edit_exports, {
   FileEditTool: () => FileEditTool
 });
 import fs7 from "fs/promises";
-import path30 from "path";
+import path32 from "path";
 import { z as z5 } from "zod";
 function countOccurrences(haystack, needle) {
   let count = 0;
@@ -18534,7 +19791,7 @@ var init_file_edit = __esm({
         return { behavior: "allow" };
       },
       async call(input, context) {
-        const filePath = path30.isAbsolute(input.file_path) ? input.file_path : path30.resolve(context.cwd, input.file_path);
+        const filePath = path32.isAbsolute(input.file_path) ? input.file_path : path32.resolve(context.cwd, input.file_path);
         let content;
         try {
           content = await fs7.readFile(filePath, "utf-8");
@@ -18776,8 +20033,8 @@ var init_bash = __esm({
 // src/tui/views/CommandCenter.tsx
 import { useState as useState6, useEffect as useEffect8, useMemo as useMemo4, useCallback as useCallback4, useRef as useRef4 } from "react";
 import TextInput from "ink-text-input";
-import path31 from "path";
-import { homedir as homedir3 } from "os";
+import path33 from "path";
+import { homedir as homedir5 } from "os";
 import { Fragment as Fragment2, jsx as jsx7, jsxs as jsxs5 } from "react/jsx-runtime";
 function CommandCenterView({
   onSelectProject,
@@ -18811,15 +20068,15 @@ function CommandCenterView({
         const { createPermissionsFromPreset: createPermissionsFromPreset2, EMPLOYEE_PERMISSIONS: EMPLOYEE_PERMISSIONS2 } = await Promise.resolve().then(() => (init_permissions(), permissions_exports));
         const { getPresetByRole: getPresetByRole2 } = await Promise.resolve().then(() => (init_permission_presets(), permission_presets_exports));
         const { createDefaultHooks: createDefaultHooks2 } = await Promise.resolve().then(() => (init_hooks(), hooks_exports));
-        const { readFileSync: readFileSync18, existsSync: existsSync22 } = await import("fs");
+        const { readFileSync: readFileSync20, existsSync: existsSync24 } = await import("fs");
         const { join } = await import("path");
-        const { homedir: homedir5 } = await import("os");
-        const configPath = join(homedir5(), ".exe-os", "config.json");
+        const { homedir: homedir7 } = await import("os");
+        const configPath = join(homedir7(), ".exe-os", "config.json");
         let failoverChain = ["anthropic", "opencode", "gemini", "openai"];
         let providerConfigs = {};
-        if (existsSync22(configPath)) {
+        if (existsSync24(configPath)) {
           try {
-            const raw = JSON.parse(readFileSync18(configPath, "utf8"));
+            const raw = JSON.parse(readFileSync20(configPath, "utf8"));
             if (Array.isArray(raw.failoverChain)) failoverChain = raw.failoverChain;
             if (raw.providers && typeof raw.providers === "object") {
               providerConfigs = raw.providers;
@@ -18877,10 +20134,10 @@ function CommandCenterView({
         registry.register(BashTool2);
         let agentRole = "CTO";
         try {
-          const markerDir = join(homedir5(), ".exe-os", "session-cache");
+          const markerDir = join(homedir7(), ".exe-os", "session-cache");
           const agentFiles = (await import("fs")).readdirSync(markerDir).filter((f) => f.startsWith("active-agent-"));
           for (const f of agentFiles) {
-            const data = JSON.parse(readFileSync18(join(markerDir, f), "utf8"));
+            const data = JSON.parse(readFileSync20(join(markerDir, f), "utf8"));
             if (data.agentRole) {
               agentRole = data.agentRole;
               break;
@@ -19017,7 +20274,7 @@ function CommandCenterView({
       const demoEntries = DEMO_PROJECTS.map((p) => ({
         projectName: p.projectName,
         exeSession: p.exeSession,
-        projectDir: path31.join(homedir3(), p.projectName),
+        projectDir: path33.join(homedir5(), p.projectName),
         employeeCount: p.employees.length,
         activeCount: p.employees.filter((e) => e.status === "active").length,
         memoryCount: p.employees.length * 4e3,
@@ -19055,7 +20312,7 @@ function CommandCenterView({
         const { listSessions: listSessions2 } = await Promise.resolve().then(() => (init_session_registry(), session_registry_exports));
         const { listTmuxSessions: listTmuxSessions2, inTmux: inTmux2 } = await Promise.resolve().then(() => (init_tmux_status(), tmux_status_exports));
         const { loadEmployees: loadEmployees2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
-        const { existsSync: existsSync22 } = await import("fs");
+        const { existsSync: existsSync24 } = await import("fs");
         const { join } = await import("path");
         const client = getClient2();
         if (!client) {
@@ -19124,7 +20381,7 @@ function CommandCenterView({
           }
           const memoryCount = memoryCounts.get(name) ?? 0;
           const openTaskCount = openTaskCounts.get(name) ?? 0;
-          const hasGit = projectDir ? existsSync22(join(projectDir, ".git")) : false;
+          const hasGit = projectDir ? existsSync24(join(projectDir, ".git")) : false;
           const type = hasGit ? "code" : memoryCount > 0 ? "code" : "automation";
           projectList.push({
             projectName: name,
@@ -19149,7 +20406,7 @@ function CommandCenterView({
         setHealth((h) => ({ ...h, memories: Number(totalResult.rows[0]?.cnt ?? 0) }));
         try {
           const pidPath = join(process.env.HOME ?? "", ".exe-os", "exed.pid");
-          setHealth((h) => ({ ...h, daemon: existsSync22(pidPath) ? "running" : "stopped" }));
+          setHealth((h) => ({ ...h, daemon: existsSync24(pidPath) ? "running" : "stopped" }));
         } catch {
         }
         const activityResult = await client.execute(
@@ -20010,8 +21267,8 @@ var init_useOrchestrator = __esm({
 
 // src/tui/views/Sessions.tsx
 import React19, { useState as useState9, useEffect as useEffect11, useCallback as useCallback6 } from "react";
-import path32 from "path";
-import { homedir as homedir4 } from "os";
+import path34 from "path";
+import { homedir as homedir6 } from "os";
 import { jsx as jsx9, jsxs as jsxs7 } from "react/jsx-runtime";
 function SessionsView({
   initialProject,
@@ -20045,7 +21302,7 @@ function SessionsView({
     if (demo) {
       setProjects(DEMO_PROJECTS.map((p) => ({
         ...p,
-        projectDir: path32.join(homedir4(), p.projectName),
+        projectDir: path34.join(homedir6(), p.projectName),
         employees: p.employees.map((e) => ({ ...e, attached: e.status === "active" }))
       })));
       return;
@@ -20804,16 +22061,16 @@ __export(ws_auth_exports, {
   deriveWsAuthToken: () => deriveWsAuthToken,
   hashAuthToken: () => hashAuthToken
 });
-import crypto9 from "crypto";
+import crypto10 from "crypto";
 function deriveWsAuthToken(masterKey) {
-  return Buffer.from(crypto9.hkdfSync("sha256", masterKey, "", WS_AUTH_HKDF_INFO, 32));
+  return Buffer.from(crypto10.hkdfSync("sha256", masterKey, "", WS_AUTH_HKDF_INFO, 32));
 }
 function deriveOrgId(masterKey) {
-  const raw = Buffer.from(crypto9.hkdfSync("sha256", masterKey, "", ORG_ID_HKDF_INFO, 32));
-  return crypto9.createHash("sha256").update(raw).digest("hex").slice(0, 32);
+  const raw = Buffer.from(crypto10.hkdfSync("sha256", masterKey, "", ORG_ID_HKDF_INFO, 32));
+  return crypto10.createHash("sha256").update(raw).digest("hex").slice(0, 32);
 }
 function hashAuthToken(token) {
-  return crypto9.createHash("sha256").update(token).digest("hex");
+  return crypto10.createHash("sha256").update(token).digest("hex");
 }
 var WS_AUTH_HKDF_INFO, ORG_ID_HKDF_INFO;
 var init_ws_auth = __esm({
@@ -21017,7 +22274,7 @@ function assertSecureWsUrl(url) {
         `Malformed WebSocket URL rejected: "${url}".`
       );
     }
-    if (LOCALHOST_PATTERNS.test(parsed.hostname)) return;
+    if (LOCALHOST_PATTERNS2.test(parsed.hostname)) return;
     throw new Error(
       `Insecure WebSocket URL rejected: "${url}". Use wss:// for remote hosts. Plain ws:// is only allowed for localhost.`
     );
@@ -21026,7 +22283,7 @@ function assertSecureWsUrl(url) {
 function isGatewayEvent(msg) {
   return typeof msg.type === "string" && GATEWAY_EVENT_TYPES.has(msg.type);
 }
-var MIN_RECONNECT_MS, MAX_RECONNECT_MS, AUTH_RESPONSE_TIMEOUT_MS, DEFAULT_CHANNELS, GATEWAY_EVENT_TYPES, LOCALHOST_PATTERNS;
+var MIN_RECONNECT_MS, MAX_RECONNECT_MS, AUTH_RESPONSE_TIMEOUT_MS, DEFAULT_CHANNELS, GATEWAY_EVENT_TYPES, LOCALHOST_PATTERNS2;
 var init_gateway_client = __esm({
   "src/lib/gateway-client.ts"() {
     "use strict";
@@ -21042,7 +22299,7 @@ var init_gateway_client = __esm({
       "health",
       "escalation"
     ]);
-    LOCALHOST_PATTERNS = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
+    LOCALHOST_PATTERNS2 = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
   }
 });
 
@@ -21173,12 +22430,12 @@ async function loadGatewayConfig() {
     state.running = false;
   }
   try {
-    const { existsSync: existsSync22, readFileSync: readFileSync18 } = await import("fs");
+    const { existsSync: existsSync24, readFileSync: readFileSync20 } = await import("fs");
     const { join } = await import("path");
     const home = process.env.HOME ?? "";
     const configPath = join(home, ".exe-os", "gateway.json");
-    if (existsSync22(configPath)) {
-      const raw = JSON.parse(readFileSync18(configPath, "utf8"));
+    if (existsSync24(configPath)) {
+      const raw = JSON.parse(readFileSync20(configPath, "utf8"));
       state.port = raw.port ?? 3100;
       state.gatewayUrl = raw.gatewayUrl ?? "";
       if (raw.adapters) {
@@ -21801,12 +23058,12 @@ function TeamView({ onBack, onViewSessions }) {
         setMembers(teamData);
         setDbError(null);
         try {
-          const { existsSync: existsSync22, readFileSync: readFileSync18 } = await import("fs");
+          const { existsSync: existsSync24, readFileSync: readFileSync20 } = await import("fs");
           const { join } = await import("path");
           const home = process.env.HOME ?? "";
           const gatewayConfig = join(home, ".exe-os", "gateway.json");
-          if (existsSync22(gatewayConfig)) {
-            const raw = JSON.parse(readFileSync18(gatewayConfig, "utf8"));
+          if (existsSync24(gatewayConfig)) {
+            const raw = JSON.parse(readFileSync20(gatewayConfig, "utf8"));
             if (raw.agents && raw.agents.length > 0) {
               setExternals(raw.agents.map((a) => ({
                 name: a.name,
@@ -21987,8 +23244,8 @@ __export(wiki_client_exports, {
   listDocuments: () => listDocuments,
   listWorkspaces: () => listWorkspaces
 });
-async function wikiFetch(config, path34, method = "GET", body) {
-  const url = `${config.baseUrl}/api/v1${path34}`;
+async function wikiFetch(config, path36, method = "GET", body) {
+  const url = `${config.baseUrl}/api/v1${path36}`;
   const headers = {
     Authorization: `Bearer ${config.apiKey}`,
     "Content-Type": "application/json"
@@ -22021,7 +23278,7 @@ async function wikiFetch(config, path34, method = "GET", body) {
       }
     }
     if (!response.ok) {
-      throw new Error(`Wiki API ${method} ${path34}: ${response.status} ${response.statusText}`);
+      throw new Error(`Wiki API ${method} ${path36}: ${response.status} ${response.statusText}`);
     }
     return response.json();
   } finally {
@@ -22631,12 +23888,12 @@ function SettingsView({ onBack }) {
     }
     setProviders(providerList);
     try {
-      const { existsSync: existsSync22 } = await import("fs");
+      const { existsSync: existsSync24 } = await import("fs");
       const { join } = await import("path");
       const { loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
       const cfg = await loadConfig2();
       const home = process.env.HOME ?? "";
-      const hasKey = existsSync22(join(home, ".exe-os", "master.key"));
+      const hasKey = existsSync24(join(home, ".exe-os", "master.key"));
       if (cfg.cloud) {
         setCloud({
           configured: true,
@@ -22649,22 +23906,22 @@ function SettingsView({ onBack }) {
       const pidPath = join(home, ".exe-os", "exed.pid");
       let daemon = "unknown";
       try {
-        daemon = existsSync22(pidPath) ? "running" : "stopped";
+        daemon = existsSync24(pidPath) ? "running" : "stopped";
       } catch {
       }
       let version = "unknown";
       try {
-        const { readFileSync: readFileSync18 } = await import("fs");
+        const { readFileSync: readFileSync20 } = await import("fs");
         const { createRequire } = await import("module");
         const require2 = createRequire(import.meta.url);
         const pkgPath = require2.resolve("@askexenow/exe-os/package.json");
-        const pkg = JSON.parse(readFileSync18(pkgPath, "utf8"));
+        const pkg = JSON.parse(readFileSync20(pkgPath, "utf8"));
         version = pkg.version;
       } catch {
         try {
-          const { readFileSync: readFileSync18 } = await import("fs");
+          const { readFileSync: readFileSync20 } = await import("fs");
           const { join: joinPath } = await import("path");
-          const pkg = JSON.parse(readFileSync18(joinPath(process.cwd(), "package.json"), "utf8"));
+          const pkg = JSON.parse(readFileSync20(joinPath(process.cwd(), "package.json"), "utf8"));
           version = pkg.version;
         } catch {
         }
@@ -23271,8 +24528,8 @@ Unhandled rejection: ${reason}
 });
 
 // src/bin/cli.ts
-import { existsSync as existsSync21, readFileSync as readFileSync17, writeFileSync as writeFileSync10, readdirSync as readdirSync5, rmSync } from "fs";
-import path33 from "path";
+import { existsSync as existsSync23, readFileSync as readFileSync19, writeFileSync as writeFileSync12, readdirSync as readdirSync7, rmSync } from "fs";
+import path35 from "path";
 import os11 from "os";
 var args = process.argv.slice(2);
 if (args.includes("--global")) {
@@ -23336,11 +24593,11 @@ if (args.includes("--global")) {
   });
   await init_App2().then(() => App_exports);
 } else {
-  const claudeDir = path33.join(os11.homedir(), ".claude");
-  const settingsPath = path33.join(claudeDir, "settings.json");
-  const hasClaudeCode = existsSync21(settingsPath) && (() => {
+  const claudeDir = path35.join(os11.homedir(), ".claude");
+  const settingsPath = path35.join(claudeDir, "settings.json");
+  const hasClaudeCode = existsSync23(settingsPath) && (() => {
     try {
-      const raw = readFileSync17(settingsPath, "utf8");
+      const raw = readFileSync19(settingsPath, "utf8");
       return raw.includes("exe-os") || raw.includes("exe-mem");
     } catch {
       return false;
@@ -23379,14 +24636,14 @@ async function runClaudeInstall() {
   }
 }
 async function runClaudeCheck() {
-  const claudeDir = path33.join(os11.homedir(), ".claude");
-  const settingsPath = path33.join(claudeDir, "settings.json");
-  const claudeJsonPath = path33.join(os11.homedir(), ".claude.json");
+  const claudeDir = path35.join(os11.homedir(), ".claude");
+  const settingsPath = path35.join(claudeDir, "settings.json");
+  const claudeJsonPath = path35.join(os11.homedir(), ".claude.json");
   let ok = true;
-  if (existsSync21(settingsPath)) {
+  if (existsSync23(settingsPath)) {
     let settings;
     try {
-      settings = JSON.parse(readFileSync17(settingsPath, "utf8"));
+      settings = JSON.parse(readFileSync19(settingsPath, "utf8"));
     } catch {
       console.log("\x1B[31m\u2717\x1B[0m settings.json is malformed (invalid JSON)");
       ok = false;
@@ -23412,10 +24669,10 @@ async function runClaudeCheck() {
     console.log("\x1B[31m\u2717\x1B[0m settings.json not found");
     ok = false;
   }
-  if (existsSync21(claudeJsonPath)) {
+  if (existsSync23(claudeJsonPath)) {
     let claudeJson;
     try {
-      claudeJson = JSON.parse(readFileSync17(claudeJsonPath, "utf8"));
+      claudeJson = JSON.parse(readFileSync19(claudeJsonPath, "utf8"));
     } catch {
       console.log("\x1B[31m\u2717\x1B[0m claude.json is malformed (invalid JSON)");
       ok = false;
@@ -23434,8 +24691,8 @@ async function runClaudeCheck() {
     console.log("\x1B[31m\u2717\x1B[0m claude.json not found");
     ok = false;
   }
-  const skillsDir = path33.join(claudeDir, "skills");
-  if (existsSync21(skillsDir)) {
+  const skillsDir = path35.join(claudeDir, "skills");
+  if (existsSync23(skillsDir)) {
     console.log("\x1B[32m\u2713\x1B[0m Slash skills directory exists");
   } else {
     console.log("\x1B[31m\u2717\x1B[0m Slash skills directory missing");
@@ -23452,16 +24709,16 @@ async function runClaudeUninstall(flags = []) {
   const dryRun = flags.includes("--dry-run");
   const purge = flags.includes("--purge");
   const homeDir = os11.homedir();
-  const claudeDir = path33.join(homeDir, ".claude");
-  const settingsPath = path33.join(claudeDir, "settings.json");
-  const claudeJsonPath = path33.join(homeDir, ".claude.json");
-  const exeOsDir = path33.join(homeDir, ".exe-os");
+  const claudeDir = path35.join(homeDir, ".claude");
+  const settingsPath = path35.join(claudeDir, "settings.json");
+  const claudeJsonPath = path35.join(homeDir, ".claude.json");
+  const exeOsDir = path35.join(homeDir, ".exe-os");
   let removed = 0;
   const log = (msg) => console.log(dryRun ? `[dry-run] ${msg}` : msg);
   let settings = {};
-  if (existsSync21(settingsPath)) {
+  if (existsSync23(settingsPath)) {
     try {
-      settings = JSON.parse(readFileSync17(settingsPath, "utf8"));
+      settings = JSON.parse(readFileSync19(settingsPath, "utf8"));
     } catch {
       console.error("Your ~/.claude/settings.json appears malformed.");
       if (purge) {
@@ -23499,15 +24756,15 @@ async function runClaudeUninstall(flags = []) {
         permCount = before - settings.permissions.allow.length;
       }
       if (!dryRun) {
-        writeFileSync10(settingsPath, JSON.stringify(settings, null, 2) + "\n");
+        writeFileSync12(settingsPath, JSON.stringify(settings, null, 2) + "\n");
       }
       log("\u2713 Removed exe-os hooks from settings.json");
       if (permCount > 0) log(`\u2713 Removed ${permCount} MCP permission entries`);
       removed++;
     }
   }
-  if (existsSync21(claudeJsonPath)) {
-    const raw = readFileSync17(claudeJsonPath, "utf8");
+  if (existsSync23(claudeJsonPath)) {
+    const raw = readFileSync19(claudeJsonPath, "utf8");
     if (raw.length > 1e6) {
       console.error("claude.json exceeds 1 MB \u2014 skipping parse.");
     } else {
@@ -23528,7 +24785,7 @@ async function runClaudeUninstall(flags = []) {
         }
         if (removedMcp) {
           if (!dryRun) {
-            writeFileSync10(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+            writeFileSync12(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
           }
           log("\u2713 Removed exe-os MCP server from claude.json");
           removed++;
@@ -23536,14 +24793,14 @@ async function runClaudeUninstall(flags = []) {
       }
     }
   }
-  const skillsDir = path33.join(claudeDir, "skills");
-  if (existsSync21(skillsDir)) {
+  const skillsDir = path35.join(claudeDir, "skills");
+  if (existsSync23(skillsDir)) {
     let skillCount = 0;
     try {
-      const entries = readdirSync5(skillsDir);
+      const entries = readdirSync7(skillsDir);
       for (const entry of entries) {
         if (entry.startsWith("exe")) {
-          const fullPath = path33.join(skillsDir, entry);
+          const fullPath = path35.join(skillsDir, entry);
           if (!dryRun) rmSync(fullPath, { recursive: true, force: true });
           skillCount++;
         }
@@ -23555,30 +24812,30 @@ async function runClaudeUninstall(flags = []) {
       removed++;
     }
   }
-  const claudeMdPath = path33.join(claudeDir, "CLAUDE.md");
-  if (existsSync21(claudeMdPath)) {
-    const content = readFileSync17(claudeMdPath, "utf8");
+  const claudeMdPath = path35.join(claudeDir, "CLAUDE.md");
+  if (existsSync23(claudeMdPath)) {
+    const content = readFileSync19(claudeMdPath, "utf8");
     const startMarker = "<!-- exe-os:orchestration-start -->";
     const endMarker = "<!-- exe-os:orchestration-end -->";
     const startIdx = content.indexOf(startMarker);
     const endIdx = content.indexOf(endMarker);
     if (startIdx !== -1 && endIdx !== -1) {
       const cleaned = (content.slice(0, startIdx) + content.slice(endIdx + endMarker.length)).replace(/\n{3,}/g, "\n\n").trim() + "\n";
-      if (!dryRun) writeFileSync10(claudeMdPath, cleaned);
+      if (!dryRun) writeFileSync12(claudeMdPath, cleaned);
       log("\u2713 Removed orchestration block from CLAUDE.md");
       removed++;
     }
   }
-  const agentsDir = path33.join(claudeDir, "agents");
-  if (existsSync21(agentsDir)) {
+  const agentsDir = path35.join(claudeDir, "agents");
+  if (existsSync23(agentsDir)) {
     let agentCount = 0;
     try {
-      const entries = readdirSync5(agentsDir).filter((f) => f.endsWith(".md"));
+      const entries = readdirSync7(agentsDir).filter((f) => f.endsWith(".md"));
       let knownNames = /* @__PURE__ */ new Set();
-      const rosterPath = path33.join(exeOsDir, "exe-employees.json");
-      if (existsSync21(rosterPath)) {
+      const rosterPath = path35.join(exeOsDir, "exe-employees.json");
+      if (existsSync23(rosterPath)) {
         try {
-          const roster = JSON.parse(readFileSync17(rosterPath, "utf8"));
+          const roster = JSON.parse(readFileSync19(rosterPath, "utf8"));
           knownNames = new Set(roster.map((e) => e.name));
         } catch {
         }
@@ -23586,7 +24843,7 @@ async function runClaudeUninstall(flags = []) {
       for (const entry of entries) {
         const name = entry.replace(/\.md$/, "");
         if (knownNames.has(name)) {
-          if (!dryRun) rmSync(path33.join(agentsDir, entry), { force: true });
+          if (!dryRun) rmSync(path35.join(agentsDir, entry), { force: true });
           agentCount++;
         }
       }
@@ -23597,16 +24854,16 @@ async function runClaudeUninstall(flags = []) {
       removed++;
     }
   }
-  const projectsDir = path33.join(claudeDir, "projects");
-  if (existsSync21(projectsDir)) {
+  const projectsDir = path35.join(claudeDir, "projects");
+  if (existsSync23(projectsDir)) {
     let projectCount = 0;
     try {
-      const projects = readdirSync5(projectsDir);
+      const projects = readdirSync7(projectsDir);
       for (const proj of projects) {
-        const projSettings = path33.join(projectsDir, proj, "settings.json");
-        if (!existsSync21(projSettings)) continue;
+        const projSettings = path35.join(projectsDir, proj, "settings.json");
+        if (!existsSync23(projSettings)) continue;
         try {
-          const pSettings = JSON.parse(readFileSync17(projSettings, "utf8"));
+          const pSettings = JSON.parse(readFileSync19(projSettings, "utf8"));
           let changed = false;
           if (Array.isArray(pSettings.permissions?.allow)) {
             const before = pSettings.permissions.allow.length;
@@ -23616,7 +24873,7 @@ async function runClaudeUninstall(flags = []) {
             if (pSettings.permissions.allow.length < before) changed = true;
           }
           if (changed && !dryRun) {
-            writeFileSync10(projSettings, JSON.stringify(pSettings, null, 2) + "\n");
+            writeFileSync12(projSettings, JSON.stringify(pSettings, null, 2) + "\n");
           }
           if (changed) projectCount++;
         } catch {
@@ -23640,16 +24897,16 @@ async function runClaudeUninstall(flags = []) {
     };
     const exeBinPath = findExeBin3();
     if (!exeBinPath) throw new Error("exe-os not found in PATH");
-    const binDir = path33.dirname(exeBinPath);
+    const binDir = path35.dirname(exeBinPath);
     let symlinkCount = 0;
-    const rosterPath = path33.join(exeOsDir, "exe-employees.json");
-    if (existsSync21(rosterPath)) {
-      const roster = JSON.parse(readFileSync17(rosterPath, "utf8"));
+    const rosterPath = path35.join(exeOsDir, "exe-employees.json");
+    if (existsSync23(rosterPath)) {
+      const roster = JSON.parse(readFileSync19(rosterPath, "utf8"));
       for (const emp of roster) {
         if (emp.name === "exe") continue;
         for (const suffix of ["", "-opencode"]) {
-          const linkPath = path33.join(binDir, `${emp.name}${suffix}`);
-          if (existsSync21(linkPath)) {
+          const linkPath = path35.join(binDir, `${emp.name}${suffix}`);
+          if (existsSync23(linkPath)) {
             if (!dryRun) rmSync(linkPath, { force: true });
             symlinkCount++;
           }
@@ -23662,7 +24919,7 @@ async function runClaudeUninstall(flags = []) {
     }
   } catch {
   }
-  if (purge && existsSync21(exeOsDir)) {
+  if (purge && existsSync23(exeOsDir)) {
     if (!dryRun) {
       process.stdout.write("\x1B[33m\u26A0 This will delete all memories, identities, and agent data.\x1B[0m\n");
       process.stdout.write("  Removing ~/.exe-os...\n");
@@ -23687,7 +24944,7 @@ async function checkForUpdateOnBoot() {
     const config = await loadConfig2();
     if (!config.autoUpdate.checkOnBoot) return;
     const { checkForUpdate: checkForUpdate2 } = await Promise.resolve().then(() => (init_update(), update_exports));
-    const packageRoot = path33.resolve(
+    const packageRoot = path35.resolve(
       new URL("../..", import.meta.url).pathname
     );
     const result = checkForUpdate2(packageRoot);
@@ -23746,7 +25003,7 @@ async function runActivate(key) {
       const idTemplate = getIdentityTemplate(identityKey);
       if (idTemplate) {
         const idPath = identityPath2(name);
-        const dir = path33.dirname(idPath);
+        const dir = path35.dirname(idPath);
         if (!fs8.existsSync(dir)) fs8.mkdirSync(dir, { recursive: true });
         fs8.writeFileSync(idPath, idTemplate.replace(/^agent_id: \w+/m, `agent_id: ${name}`), "utf-8");
       }