@askexenow/exe-os 0.9.111 → 0.9.113

package/dist/lib/skill-learning.js

@@ -1,5 +1,11 @@
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
@@ -313,6 +319,394 @@ var init_config = __esm({
   }
 });
 
+// src/lib/runtime-table.ts
+var RUNTIME_TABLE, DEFAULT_RUNTIME;
+var init_runtime_table = __esm({
+  "src/lib/runtime-table.ts"() {
+    "use strict";
+    RUNTIME_TABLE = {
+      codex: {
+        binary: "codex",
+        launchMode: "interactive",
+        autoApproveFlag: "--dangerously-bypass-approvals-and-sandbox",
+        inlineFlag: "--no-alt-screen",
+        apiKeyEnv: "OPENAI_API_KEY",
+        defaultModel: "gpt-5.5"
+      },
+      opencode: {
+        binary: "opencode",
+        launchMode: "exec",
+        autoApproveFlag: "--dangerously-skip-permissions",
+        inlineFlag: "",
+        apiKeyEnv: "ANTHROPIC_API_KEY",
+        defaultModel: "anthropic/claude-sonnet-4-6"
+      }
+    };
+    DEFAULT_RUNTIME = "claude";
+  }
+});
+
+// src/lib/agent-config.ts
+var agent_config_exports = {};
+__export(agent_config_exports, {
+  AGENT_CONFIG_PATH: () => AGENT_CONFIG_PATH,
+  DEFAULT_MODELS: () => DEFAULT_MODELS,
+  KNOWN_RUNTIMES: () => KNOWN_RUNTIMES,
+  RUNTIME_LABELS: () => RUNTIME_LABELS,
+  clearAgentRuntime: () => clearAgentRuntime,
+  getAgentRuntime: () => getAgentRuntime,
+  loadAgentConfig: () => loadAgentConfig,
+  saveAgentConfig: () => saveAgentConfig,
+  setAgentMcps: () => setAgentMcps,
+  setAgentRuntime: () => setAgentRuntime
+});
+import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3 } from "fs";
+import path2 from "path";
+function loadAgentConfig() {
+  if (!existsSync3(AGENT_CONFIG_PATH)) return {};
+  try {
+    return JSON.parse(readFileSync2(AGENT_CONFIG_PATH, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveAgentConfig(config) {
+  const dir = path2.dirname(AGENT_CONFIG_PATH);
+  ensurePrivateDirSync(dir);
+  writeFileSync(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  enforcePrivateFileSync(AGENT_CONFIG_PATH);
+}
+function getAgentRuntime(agentId) {
+  const config = loadAgentConfig();
+  const entry = config[agentId];
+  if (entry) return entry;
+  const orgDefault = config["default"];
+  if (orgDefault) return orgDefault;
+  return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
+}
+function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
+  const knownModels = KNOWN_RUNTIMES[runtime];
+  if (!knownModels) {
+    return {
+      ok: false,
+      error: `Unknown runtime "${runtime}". Valid: ${Object.keys(KNOWN_RUNTIMES).join(", ")}`
+    };
+  }
+  if (!knownModels.includes(model)) {
+    return {
+      ok: false,
+      error: `Unknown model "${model}" for runtime "${runtime}". Valid: ${knownModels.join(", ")}`
+    };
+  }
+  const config = loadAgentConfig();
+  const existing = config[agentId];
+  const entry = { runtime, model };
+  if (reasoning_effort) entry.reasoning_effort = reasoning_effort;
+  if (mcps !== void 0) {
+    entry.mcps = mcps.includes("exe-os") ? mcps : ["exe-os", ...mcps];
+  } else if (existing?.mcps) {
+    entry.mcps = existing.mcps;
+  }
+  config[agentId] = entry;
+  saveAgentConfig(config);
+  return { ok: true };
+}
+function setAgentMcps(agentId, mcps) {
+  const config = loadAgentConfig();
+  const existing = config[agentId] ?? getAgentRuntime(agentId);
+  existing.mcps = mcps.includes("exe-os") ? mcps : ["exe-os", ...mcps];
+  config[agentId] = existing;
+  saveAgentConfig(config);
+  return { ok: true };
+}
+function clearAgentRuntime(agentId) {
+  const config = loadAgentConfig();
+  delete config[agentId];
+  saveAgentConfig(config);
+}
+var AGENT_CONFIG_PATH, KNOWN_RUNTIMES, RUNTIME_LABELS, DEFAULT_MODELS;
+var init_agent_config = __esm({
+  "src/lib/agent-config.ts"() {
+    "use strict";
+    init_config();
+    init_runtime_table();
+    init_secure_files();
+    AGENT_CONFIG_PATH = path2.join(EXE_AI_DIR, "agent-config.json");
+    KNOWN_RUNTIMES = {
+      claude: ["claude-opus-4.6", "claude-opus-4", "claude-sonnet-4.6", "claude-sonnet-4", "claude-haiku-4.5"],
+      codex: ["gpt-5.4", "gpt-5.5", "gpt-5.3-codex-spark", "o3", "o4-mini"],
+      opencode: ["anthropic/claude-sonnet-4-6", "openai/gpt-5.4", "google/gemini-2.5-pro", "deepseek/deepseek-r3", "minimax/minimax-m2.5"]
+    };
+    RUNTIME_LABELS = {
+      claude: "Claude Code (Anthropic)",
+      codex: "Codex (OpenAI)",
+      opencode: "OpenCode (open source)"
+    };
+    DEFAULT_MODELS = {
+      claude: "claude-opus-4.6",
+      codex: RUNTIME_TABLE.codex?.defaultModel ?? "gpt-5.4",
+      opencode: RUNTIME_TABLE.opencode?.defaultModel ?? "anthropic/claude-sonnet-4-6"
+    };
+  }
+});
+
+// src/lib/employees.ts
+var employees_exports = {};
+__export(employees_exports, {
+  COORDINATOR_ROLE: () => COORDINATOR_ROLE,
+  DEFAULT_COORDINATOR_TEMPLATE_NAME: () => DEFAULT_COORDINATOR_TEMPLATE_NAME,
+  EMPLOYEES_PATH: () => EMPLOYEES_PATH,
+  addEmployee: () => addEmployee,
+  baseAgentName: () => baseAgentName,
+  canCoordinate: () => canCoordinate,
+  getCoordinatorEmployee: () => getCoordinatorEmployee,
+  getCoordinatorName: () => getCoordinatorName,
+  getEmployee: () => getEmployee,
+  getEmployeeByRole: () => getEmployeeByRole,
+  getEmployeeNamesByRole: () => getEmployeeNamesByRole,
+  hasRole: () => hasRole,
+  hireEmployee: () => hireEmployee,
+  isCoordinatorName: () => isCoordinatorName,
+  isCoordinatorRole: () => isCoordinatorRole,
+  isMultiInstance: () => isMultiInstance,
+  loadEmployees: () => loadEmployees,
+  loadEmployeesSync: () => loadEmployeesSync,
+  normalizeRole: () => normalizeRole,
+  normalizeRosterCase: () => normalizeRosterCase,
+  registerBinSymlinks: () => registerBinSymlinks,
+  saveEmployees: () => saveEmployees,
+  validateEmployeeName: () => validateEmployeeName
+});
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { existsSync as existsSync4, symlinkSync, readlinkSync, readFileSync as readFileSync3, renameSync as renameSync2, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
+import { execSync } from "child_process";
+import path3 from "path";
+import os2 from "os";
+function normalizeRole(role) {
+  return (role ?? "").trim().toLowerCase();
+}
+function isCoordinatorRole(role) {
+  return normalizeRole(role) === normalizeRole(COORDINATOR_ROLE);
+}
+function getCoordinatorEmployee(employees) {
+  return employees.find((e) => isCoordinatorRole(e.role));
+}
+function getCoordinatorName(employees = loadEmployeesSync()) {
+  return getCoordinatorEmployee(employees)?.name ?? DEFAULT_COORDINATOR_TEMPLATE_NAME;
+}
+function isCoordinatorName(agentName, employees = loadEmployeesSync()) {
+  if (!agentName) return false;
+  return agentName.toLowerCase() === getCoordinatorName(employees).toLowerCase();
+}
+function canCoordinate(agentName, agentRole, employees = loadEmployeesSync()) {
+  return agentName === "default" || isCoordinatorRole(agentRole) || isCoordinatorName(agentName, employees);
+}
+function validateEmployeeName(name) {
+  if (!name) {
+    return { valid: false, error: "Name is required" };
+  }
+  if (name.length > 32) {
+    return { valid: false, error: "Name must be 32 characters or fewer" };
+  }
+  if (!/^[a-z][a-z0-9]*$/.test(name)) {
+    return {
+      valid: false,
+      error: "Name must start with a letter and contain only lowercase alphanumeric characters"
+    };
+  }
+  return { valid: true };
+}
+async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
+  if (!existsSync4(employeesPath)) {
+    return [];
+  }
+  const raw = await readFile2(employeesPath, "utf-8");
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return [];
+  }
+}
+async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
+  await mkdir2(path3.dirname(employeesPath), { recursive: true });
+  await writeFile2(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
+}
+function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
+  if (!existsSync4(employeesPath)) return [];
+  try {
+    return JSON.parse(readFileSync3(employeesPath, "utf-8"));
+  } catch {
+    return [];
+  }
+}
+function getEmployee(employees, name) {
+  return employees.find((e) => e.name.toLowerCase() === name.toLowerCase());
+}
+function getEmployeeByRole(employees, role) {
+  const lower = role.toLowerCase();
+  return employees.find((e) => e.role.toLowerCase() === lower);
+}
+function getEmployeeNamesByRole(employees, role) {
+  const lower = role.toLowerCase();
+  return employees.filter((e) => e.role.toLowerCase() === lower).map((e) => e.name);
+}
+function hasRole(agentName, role) {
+  const employees = loadEmployeesSync();
+  const emp = getEmployee(employees, agentName);
+  return emp ? emp.role.toLowerCase() === role.toLowerCase() : false;
+}
+function baseAgentName(name, employees) {
+  const match = name.match(/^([a-zA-Z]+)\d+$/);
+  if (!match) return name;
+  const base = match[1];
+  const roster = employees ?? loadEmployeesSync();
+  if (getEmployee(roster, base)) return base;
+  return name;
+}
+function isMultiInstance(agentName, employees) {
+  const roster = employees ?? loadEmployeesSync();
+  const emp = getEmployee(roster, agentName);
+  if (!emp) return false;
+  return MULTI_INSTANCE_ROLES.has(emp.role.toLowerCase());
+}
+function addEmployee(employees, employee) {
+  const { systemPrompt: _legacyPrompt, ...rest } = employee;
+  const normalized = { ...rest, name: employee.name.toLowerCase() };
+  if (employees.some((e) => e.name.toLowerCase() === normalized.name)) {
+    throw new Error(`Employee '${normalized.name}' already exists`);
+  }
+  return [...employees, normalized];
+}
+function appendToCoordinatorTeam(employee) {
+  const coordinator = getCoordinatorEmployee(loadEmployeesSync());
+  if (!coordinator) return;
+  const idPath = path3.join(IDENTITY_DIR, `${coordinator.name}.md`);
+  if (!existsSync4(idPath)) return;
+  const content = readFileSync3(idPath, "utf-8");
+  if (content.includes(`**${capitalize(employee.name)}`)) return;
+  const teamMatch = content.match(TEAM_SECTION_RE);
+  if (!teamMatch || teamMatch.index === void 0) return;
+  const afterTeam = content.slice(teamMatch.index + teamMatch[0].length);
+  const nextHeading = afterTeam.match(/\n## /);
+  const entry = `
+**${capitalize(employee.name)} (${employee.role}):** Newly hired. Update this description as the role develops.
+`;
+  let updated;
+  if (nextHeading && nextHeading.index !== void 0) {
+    const insertAt = teamMatch.index + teamMatch[0].length + nextHeading.index;
+    updated = content.slice(0, insertAt) + entry + content.slice(insertAt);
+  } else {
+    updated = content.trimEnd() + "\n" + entry;
+  }
+  writeFileSync2(idPath, updated, "utf-8");
+}
+function capitalize(s) {
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}
+async function hireEmployee(employee) {
+  const employees = await loadEmployees();
+  const updated = addEmployee(employees, employee);
+  await saveEmployees(updated);
+  try {
+    appendToCoordinatorTeam(employee);
+  } catch {
+  }
+  try {
+    const { loadAgentConfig: loadAgentConfig2, saveAgentConfig: saveAgentConfig2 } = await Promise.resolve().then(() => (init_agent_config(), agent_config_exports));
+    const config = loadAgentConfig2();
+    const name = employee.name.toLowerCase();
+    if (!config[name] && config["default"]) {
+      config[name] = { ...config["default"] };
+      saveAgentConfig2(config);
+    }
+  } catch {
+  }
+  return updated;
+}
+async function normalizeRosterCase(rosterPath) {
+  const employees = await loadEmployees(rosterPath);
+  let changed = false;
+  for (const emp of employees) {
+    if (emp.name !== emp.name.toLowerCase()) {
+      const oldName = emp.name;
+      emp.name = emp.name.toLowerCase();
+      changed = true;
+      try {
+        const identityDir = path3.join(os2.homedir(), ".exe-os", "identity");
+        const oldPath = path3.join(identityDir, `${oldName}.md`);
+        const newPath = path3.join(identityDir, `${emp.name}.md`);
+        if (existsSync4(oldPath) && !existsSync4(newPath)) {
+          renameSync2(oldPath, newPath);
+        } else if (existsSync4(oldPath) && oldPath !== newPath) {
+          const content = readFileSync3(oldPath, "utf-8");
+          writeFileSync2(newPath, content, "utf-8");
+          if (oldPath.toLowerCase() !== newPath.toLowerCase()) {
+            unlinkSync(oldPath);
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  if (changed) {
+    await saveEmployees(employees, rosterPath);
+  }
+  return changed;
+}
+function findExeBin() {
+  try {
+    return execSync(process.platform === "win32" ? "where exe-os" : "which exe-os", { encoding: "utf8" }).trim();
+  } catch {
+    return null;
+  }
+}
+function registerBinSymlinks(name) {
+  const created = [];
+  const skipped = [];
+  const errors = [];
+  const exeBinPath = findExeBin();
+  if (!exeBinPath) {
+    errors.push("Could not find 'exe-os' in PATH");
+    return { created, skipped, errors };
+  }
+  const binDir = path3.dirname(exeBinPath);
+  let target;
+  try {
+    target = readlinkSync(exeBinPath);
+  } catch {
+    errors.push("Could not read 'exe' symlink");
+    return { created, skipped, errors };
+  }
+  for (const suffix of ["", "-opencode"]) {
+    const linkName = `${name}${suffix}`;
+    const linkPath = path3.join(binDir, linkName);
+    if (existsSync4(linkPath)) {
+      skipped.push(linkName);
+      continue;
+    }
+    try {
+      symlinkSync(target, linkPath);
+      created.push(linkName);
+    } catch (err) {
+      errors.push(`${linkName}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  return { created, skipped, errors };
+}
+var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, MULTI_INSTANCE_ROLES, IDENTITY_DIR, TEAM_SECTION_RE;
+var init_employees = __esm({
+  "src/lib/employees.ts"() {
+    "use strict";
+    init_config();
+    EMPLOYEES_PATH = path3.join(EXE_AI_DIR, "exe-employees.json");
+    DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
+    COORDINATOR_ROLE = "COO";
+    MULTI_INSTANCE_ROLES = /* @__PURE__ */ new Set(["principal engineer", "content production specialist", "staff code reviewer"]);
+    IDENTITY_DIR = path3.join(EXE_AI_DIR, "identity");
+    TEAM_SECTION_RE = /^## Team\b.*$/m;
+  }
+});
+
 // src/types/memory.ts
 var EMBEDDING_DIM;
 var init_memory = __esm({
@@ -324,8 +718,8 @@ var init_memory = __esm({
 
 // src/lib/daemon-auth.ts
 import crypto from "crypto";
-import path4 from "path";
-import { existsSync as existsSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import path5 from "path";
+import { existsSync as existsSync6, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
 function normalizeToken(token) {
   if (!token) return null;
   const trimmed = token.trim();
@@ -333,8 +727,8 @@ function normalizeToken(token) {
 }
 function readDaemonToken() {
   try {
-    if (!existsSync5(DAEMON_TOKEN_PATH)) return null;
-    return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
+    if (!existsSync6(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync4(DAEMON_TOKEN_PATH, "utf8"));
   } catch {
     return null;
   }
@@ -344,7 +738,7 @@ function ensureDaemonToken(seed) {
   if (existing) return existing;
   const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
   ensurePrivateDirSync(EXE_AI_DIR);
-  writeFileSync2(DAEMON_TOKEN_PATH, `${token}
+  writeFileSync3(DAEMON_TOKEN_PATH, `${token}
 `, "utf8");
   enforcePrivateFileSync(DAEMON_TOKEN_PATH);
   return token;
@@ -355,7 +749,7 @@ var init_daemon_auth = __esm({
     "use strict";
     init_config();
     init_secure_files();
-    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
+    DAEMON_TOKEN_PATH = path5.join(EXE_AI_DIR, "exed.token");
   }
 });
 
@@ -364,8 +758,8 @@ import net from "net";
 import os4 from "os";
 import { spawn, execSync as execSync2 } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync6, unlinkSync as unlinkSync3, readFileSync as readFileSync4, openSync as openSync2, closeSync as closeSync2, statSync as statSync2 } from "fs";
-import path5 from "path";
+import { existsSync as existsSync7, unlinkSync as unlinkSync3, readFileSync as readFileSync5, openSync as openSync2, closeSync as closeSync2, statSync as statSync2 } from "fs";
+import path6 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
@@ -401,9 +795,9 @@ function isZombie(pid) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync6(PID_PATH)) {
+  if (existsSync7(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync5(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -428,11 +822,11 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path5.dirname(fileURLToPath(import.meta.url));
-  const { root } = path5.parse(dir);
+  let dir = path6.dirname(fileURLToPath(import.meta.url));
+  const { root } = path6.parse(dir);
   while (dir !== root) {
-    if (existsSync6(path5.join(dir, "package.json"))) return dir;
-    dir = path5.dirname(dir);
+    if (existsSync7(path6.join(dir, "package.json"))) return dir;
+    dir = path6.dirname(dir);
   }
   return null;
 }
@@ -450,8 +844,8 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync6(daemonPath)) {
+  const daemonPath = path6.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync7(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
@@ -460,7 +854,7 @@ function spawnDaemon() {
   const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path6.join(path6.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync2(logPath, "a");
@@ -625,9 +1019,9 @@ function killAndRespawnDaemon() {
   }
   try {
     process.stderr.write("[exed-client] Killing daemon for restart...\n");
-    if (existsSync6(PID_PATH)) {
+    if (existsSync7(PID_PATH)) {
       try {
-        const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
+        const pid = parseInt(readFileSync5(PID_PATH, "utf8").trim(), 10);
         if (pid > 0) {
           try {
             process.kill(pid, "SIGKILL");
@@ -750,9 +1144,9 @@ var init_exe_daemon_client = __esm({
     "use strict";
     init_config();
     init_daemon_auth();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path6.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path6.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path6.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
@@ -808,10 +1202,10 @@ async function disposeEmbedder() {
 async function embedDirect(text) {
   const llamaCpp = await import("node-llama-cpp");
   const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-  const { existsSync: existsSync7 } = await import("fs");
-  const path6 = await import("path");
-  const modelPath = path6.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
-  if (!existsSync7(modelPath)) {
+  const { existsSync: existsSync9 } = await import("fs");
+  const path8 = await import("path");
+  const modelPath = path8.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
+  if (!existsSync9(modelPath)) {
     throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
   }
   const llama = await llamaCpp.getLlama();
@@ -839,28 +1233,486 @@ var init_embedder = __esm({
   }
 });
 
+// src/lib/license.ts
+var license_exports = {};
+__export(license_exports, {
+  LICENSE_PUBLIC_KEY_PEM: () => LICENSE_PUBLIC_KEY_PEM,
+  PLAN_LIMITS: () => PLAN_LIMITS,
+  assertVpsLicense: () => assertVpsLicense,
+  checkLicense: () => checkLicense,
+  getCachedLicense: () => getCachedLicense,
+  isFeatureAllowed: () => isFeatureAllowed,
+  loadDeviceId: () => loadDeviceId,
+  loadLicense: () => loadLicense,
+  mirrorLicenseKey: () => mirrorLicenseKey,
+  readCachedLicenseToken: () => readCachedLicenseToken,
+  saveLicense: () => saveLicense,
+  startLicenseRevalidation: () => startLicenseRevalidation,
+  stopLicenseRevalidation: () => stopLicenseRevalidation,
+  validateLicense: () => validateLicense
+});
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, existsSync as existsSync8, mkdirSync as mkdirSync3 } from "fs";
+import { randomUUID as randomUUID2 } from "crypto";
+import { createRequire as createRequire2 } from "module";
+import { pathToFileURL as pathToFileURL2 } from "url";
+import os5 from "os";
+import path7 from "path";
+import { jwtVerify, importSPKI } from "jose";
+async function fetchRetry(url, init) {
+  try {
+    return await fetch(url, init);
+  } catch {
+    await new Promise((r) => setTimeout(r, RETRY_DELAY_MS));
+    return fetch(url, { ...init, signal: AbortSignal.timeout(1e4) });
+  }
+}
+function loadDeviceId() {
+  const deviceJsonPath = path7.join(EXE_AI_DIR, "device.json");
+  try {
+    if (existsSync8(deviceJsonPath)) {
+      const data = JSON.parse(readFileSync6(deviceJsonPath, "utf8"));
+      if (data.deviceId) return data.deviceId;
+    }
+  } catch {
+  }
+  try {
+    if (existsSync8(DEVICE_ID_PATH)) {
+      const id2 = readFileSync6(DEVICE_ID_PATH, "utf8").trim();
+      if (id2) return id2;
+    }
+  } catch {
+  }
+  const id = randomUUID2();
+  mkdirSync3(EXE_AI_DIR, { recursive: true });
+  writeFileSync4(DEVICE_ID_PATH, id, "utf8");
+  return id;
+}
+function loadLicense() {
+  try {
+    if (!existsSync8(LICENSE_PATH)) return null;
+    return readFileSync6(LICENSE_PATH, "utf8").trim();
+  } catch {
+    return null;
+  }
+}
+function saveLicense(apiKey) {
+  mkdirSync3(EXE_AI_DIR, { recursive: true });
+  writeFileSync4(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
+}
+async function verifyLicenseJwt(token) {
+  try {
+    const key = await importSPKI(LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG);
+    const { payload } = await jwtVerify(token, key, {
+      algorithms: [LICENSE_JWT_ALG]
+    });
+    const plan = payload.plan ?? "free";
+    const email = payload.sub ?? "";
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan,
+      email,
+      expiresAt: payload.exp ? new Date(payload.exp * 1e3).toISOString() : null,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function getCachedLicense() {
+  try {
+    if (!existsSync8(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync6(CACHE_PATH, "utf8"));
+    if (!raw.token || typeof raw.token !== "string") return null;
+    return await verifyLicenseJwt(raw.token);
+  } catch {
+    return null;
+  }
+}
+function readCachedLicenseToken() {
+  try {
+    if (!existsSync8(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync6(CACHE_PATH, "utf8"));
+    return typeof raw.token === "string" ? raw.token : null;
+  } catch {
+    return null;
+  }
+}
+function getRawCachedPlan() {
+  try {
+    const token = readCachedLicenseToken();
+    if (!token) return null;
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+    const plan = payload.plan ?? "free";
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    process.stderr.write(
+      `[license] WARN: using unverified cached plan (API unreachable, JWT expired). Plan: ${plan}
+`
+    );
+    return {
+      valid: true,
+      plan,
+      email: payload.sub ?? "",
+      expiresAt: payload.exp ? new Date(payload.exp * 1e3).toISOString() : null,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+function cacheResponse(token) {
+  try {
+    writeFileSync4(CACHE_PATH, JSON.stringify({ token }), "utf8");
+  } catch {
+  }
+}
+function loadPrismaForLicense() {
+  if (_prismaFailed) return null;
+  const dbUrl = process.env.DATABASE_URL;
+  if (!dbUrl) {
+    const exeDbRoot = process.env.EXE_DB_ROOT ?? path7.join(os5.homedir(), "exe-db");
+    if (!existsSync8(path7.join(exeDbRoot, "package.json"))) {
+      _prismaFailed = true;
+      return null;
+    }
+  }
+  if (!_prismaPromise) {
+    _prismaPromise = (async () => {
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const mod2 = await import(pathToFileURL2(explicitPath).href);
+        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
+        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor2();
+      }
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path7.join(os5.homedir(), "exe-db");
+      const req = createRequire2(path7.join(exeDbRoot, "package.json"));
+      const entry = req.resolve("@prisma/client");
+      const mod = await import(pathToFileURL2(entry).href);
+      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+      if (!Ctor) throw new Error(`No PrismaClient in ${entry}`);
+      return new Ctor();
+    })().catch((err) => {
+      _prismaFailed = true;
+      _prismaPromise = null;
+      throw err;
+    });
+  }
+  return _prismaPromise;
+}
+async function validateViaPostgres(apiKey) {
+  const loader = loadPrismaForLicense();
+  if (!loader) return null;
+  try {
+    const prisma = await loader;
+    const rows = await prisma.$queryRawUnsafe(
+      `SELECT plan, email, status, device_limit, employee_limit, memory_limit, expires_at
+       FROM billing.licenses WHERE key = $1 LIMIT 1`,
+      apiKey
+    );
+    if (!rows || rows.length === 0) return null;
+    const row = rows[0];
+    if (row.status !== "active") return null;
+    if (row.expires_at && new Date(row.expires_at) < /* @__PURE__ */ new Date()) return null;
+    const plan = row.plan;
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan,
+      email: row.email,
+      expiresAt: row.expires_at ? new Date(row.expires_at).toISOString() : null,
+      deviceLimit: row.device_limit ?? limits.devices,
+      employeeLimit: row.employee_limit ?? limits.employees,
+      memoryLimit: row.memory_limit ?? limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateViaCFWorker(apiKey, deviceId) {
+  try {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ apiKey, deviceId }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!res.ok) return null;
+    const data = await res.json();
+    if (data.error === "device_limit_exceeded") return null;
+    if (!data.valid) return null;
+    if (data.token) {
+      cacheResponse(data.token);
+      const verified = await verifyLicenseJwt(data.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: data.valid,
+      plan: data.plan,
+      email: data.email,
+      expiresAt: data.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateLicense(apiKey, deviceId) {
+  const did = deviceId ?? loadDeviceId();
+  const pgResult = await validateViaPostgres(apiKey);
+  if (pgResult) {
+    try {
+      writeFileSync4(CACHE_PATH, JSON.stringify({ pgLicense: pgResult, ts: Date.now() }), "utf8");
+    } catch {
+    }
+    return pgResult;
+  }
+  const cfResult = await validateViaCFWorker(apiKey, did);
+  if (cfResult) return cfResult;
+  const cached = await getCachedLicense();
+  if (cached) return cached;
+  try {
+    if (existsSync8(CACHE_PATH)) {
+      const raw = JSON.parse(readFileSync6(CACHE_PATH, "utf8"));
+      if (raw.pgLicense && raw.ts && Date.now() - raw.ts < 7 * 24 * 60 * 60 * 1e3) {
+        return raw.pgLicense;
+      }
+    }
+  } catch {
+  }
+  const rawFallback = getRawCachedPlan();
+  if (rawFallback) return rawFallback;
+  return { ...FREE_LICENSE, valid: false };
+}
+function getCacheAgeMs() {
+  try {
+    const { statSync: statSync3 } = __require("fs");
+    const s = statSync3(CACHE_PATH);
+    return Date.now() - s.mtimeMs;
+  } catch {
+    return Infinity;
+  }
+}
+async function checkLicense() {
+  let key = loadLicense();
+  if (!key) {
+    try {
+      const configPath = path7.join(EXE_AI_DIR, "config.json");
+      if (existsSync8(configPath)) {
+        const raw = JSON.parse(readFileSync6(configPath, "utf8"));
+        const cloud = raw.cloud;
+        if (cloud?.apiKey) {
+          key = cloud.apiKey;
+          saveLicense(key);
+        }
+      }
+    } catch {
+    }
+  }
+  if (!key) return FREE_LICENSE;
+  const cached = await getCachedLicense();
+  if (cached && getCacheAgeMs() < CACHE_MAX_AGE_MS) return cached;
+  const deviceId = loadDeviceId();
+  return validateLicense(key, deviceId);
+}
+function isFeatureAllowed(license, feature) {
+  switch (feature) {
+    case "cloud_sync":
+    case "external_agents":
+    case "wiki":
+      return license.plan !== "free";
+    case "unlimited_employees":
+      return license.plan === "team" || license.plan === "agency" || license.plan === "enterprise";
+  }
+}
+function mirrorLicenseKey(apiKey) {
+  const trimmed = apiKey.trim();
+  if (!trimmed) return;
+  saveLicense(trimmed);
+}
+async function assertVpsLicense(opts) {
+  const env = opts?.env ?? process.env;
+  const inProduction = env.NODE_ENV === "production";
+  if (!opts?.force && !inProduction) {
+    return { ...FREE_LICENSE, plan: "free" };
+  }
+  const envKey = env.EXE_LICENSE_KEY?.trim();
+  if (envKey) {
+    saveLicense(envKey);
+  }
+  const apiKey = envKey ?? loadLicense();
+  if (!apiKey) {
+    throw new Error(
+      "License required: set EXE_LICENSE_KEY env var with your exe_sk_* key. Purchase at https://askexe.com. This VPS image refuses to boot without a valid license."
+    );
+  }
+  const deviceId = loadDeviceId();
+  let backendResponse = null;
+  let explicitRejection = false;
+  let transientFailure = false;
+  try {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ apiKey, deviceId }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (res.ok) {
+      backendResponse = await res.json();
+      if (!backendResponse.valid) explicitRejection = true;
+    } else if (res.status === 401 || res.status === 403) {
+      explicitRejection = true;
+    } else {
+      transientFailure = true;
+    }
+  } catch {
+    transientFailure = true;
+  }
+  if (backendResponse?.valid) {
+    if (backendResponse.token) {
+      cacheResponse(backendResponse.token);
+      const verified = await verifyLicenseJwt(backendResponse.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[backendResponse.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan: backendResponse.plan,
+      email: backendResponse.email,
+      expiresAt: backendResponse.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  }
+  if (explicitRejection) {
+    throw new Error(
+      `License invalid or expired. Renew at https://askexe.com, then restart. Backend rejected key ending in ...${apiKey.slice(-4)}.`
+    );
+  }
+  if (!transientFailure) {
+    throw new Error(
+      "License validation failed: unknown backend state. Restore network connectivity to https://cloud.askexe.com and retry."
+    );
+  }
+  const fresh = await getCachedLicense();
+  if (fresh && fresh.valid) return fresh;
+  const graceDays = opts?.offlineGraceDays ?? 7;
+  const graceMs = graceDays * 24 * 60 * 60 * 1e3;
+  try {
+    const token = readCachedLicenseToken();
+    if (token) {
+      const payloadB64 = token.split(".")[1];
+      if (payloadB64) {
+        const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+        const expMs = (payload.exp ?? 0) * 1e3;
+        if (Date.now() < expMs + graceMs) {
+          const key = await importSPKI(LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG);
+          const { payload: verified } = await jwtVerify(token, key, {
+            algorithms: [LICENSE_JWT_ALG],
+            clockTolerance: graceDays * 24 * 60 * 60
+          });
+          const plan = verified.plan ?? "free";
+          const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+          return {
+            valid: true,
+            plan,
+            email: verified.sub ?? "",
+            expiresAt: verified.exp ? new Date(verified.exp * 1e3).toISOString() : null,
+            deviceLimit: limits.devices,
+            employeeLimit: limits.employees,
+            memoryLimit: limits.memories
+          };
+        }
+      }
+    }
+  } catch {
+  }
+  throw new Error(
+    `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://cloud.askexe.com and retry. This VPS image refuses to boot after the offline grace window.`
+  );
+}
+function startLicenseRevalidation(intervalMs = 36e5) {
+  if (_revalTimer) return;
+  _revalTimer = setInterval(async () => {
+    try {
+      const license = await checkLicense();
+      if (!license.valid) {
+        process.stderr.write("[exe-os] License expired or invalid \u2014 features may be restricted\n");
+      }
+    } catch {
+    }
+  }, intervalMs);
+  if (_revalTimer && typeof _revalTimer === "object" && "unref" in _revalTimer) {
+    _revalTimer.unref();
+  }
+}
+function stopLicenseRevalidation() {
+  if (_revalTimer) {
+    clearInterval(_revalTimer);
+    _revalTimer = null;
+  }
+}
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, _prismaPromise, _prismaFailed, CACHE_MAX_AGE_MS, _revalTimer;
+var init_license = __esm({
+  "src/lib/license.ts"() {
+    "use strict";
+    init_config();
+    LICENSE_PATH = path7.join(EXE_AI_DIR, "license.key");
+    CACHE_PATH = path7.join(EXE_AI_DIR, "license-cache.json");
+    DEVICE_ID_PATH = path7.join(EXE_AI_DIR, "device-id");
+    API_BASE = process.env.EXE_CLOUD_ENDPOINT ?? "https://cloud.askexe.com";
+    RETRY_DELAY_MS = 500;
+    LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
+4uj+UqeKCcvtgNHKmOK278HJaJcANe9xAeji8AFYu27q3WtzCi04pHudow==
+-----END PUBLIC KEY-----`;
+    LICENSE_JWT_ALG = "ES256";
+    PLAN_LIMITS = {
+      free: { devices: 1, employees: 1, memories: 5e3 },
+      pro: { devices: 3, employees: 5, memories: 1e5 },
+      team: { devices: 10, employees: 20, memories: 1e6 },
+      agency: { devices: 50, employees: 100, memories: 1e7 },
+      enterprise: { devices: -1, employees: -1, memories: -1 }
+    };
+    FREE_LICENSE = {
+      valid: true,
+      plan: "free",
+      email: "",
+      expiresAt: null,
+      deviceLimit: 1,
+      employeeLimit: 1,
+      memoryLimit: 5e3
+    };
+    _prismaPromise = null;
+    _prismaFailed = false;
+    CACHE_MAX_AGE_MS = 36e5;
+    _revalTimer = null;
+  }
+});
+
 // src/lib/skill-learning.ts
 import crypto3 from "crypto";
 
 // src/lib/database.ts
-import { chmodSync as chmodSync2, existsSync as existsSync4, statSync, copyFileSync, unlinkSync as unlinkSync2, openSync, closeSync, mkdirSync as mkdirSync2 } from "fs";
+import { chmodSync as chmodSync2, existsSync as existsSync5, statSync, copyFileSync, unlinkSync as unlinkSync2, openSync, closeSync, mkdirSync as mkdirSync2 } from "fs";
 import { createClient } from "@libsql/client";
 import { homedir } from "os";
 import { join } from "path";
-
-// src/lib/employees.ts
-init_config();
-import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
-import { execSync } from "child_process";
-import path2 from "path";
-import os2 from "os";
-var EMPLOYEES_PATH = path2.join(EXE_AI_DIR, "exe-employees.json");
-var IDENTITY_DIR = path2.join(EXE_AI_DIR, "identity");
+init_employees();
 
 // src/lib/database-adapter.ts
 import os3 from "os";
-import path3 from "path";
+import path4 from "path";
 import { createRequire } from "module";
 import { pathToFileURL } from "url";
 var BOOLEAN_COLUMNS_BY_TABLE = {
@@ -916,6 +1768,15 @@ function getClient() {
 // src/lib/behaviors.ts
 import crypto2 from "crypto";
 async function storeBehavior(opts) {
+  try {
+    const { loadEmployeesSync: loadEmployeesSync2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
+    const roster = loadEmployeesSync2();
+    if (roster.length > 0 && !roster.some((e) => e.name === opts.agentId)) {
+      throw new Error(`Agent "${opts.agentId}" not found in roster. Cannot store behavior for unregistered agent.`);
+    }
+  } catch (e) {
+    if (e instanceof Error && e.message.includes("not found in roster")) throw e;
+  }
   const client = getClient();
   const id = crypto2.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -926,10 +1787,18 @@ async function storeBehavior(opts) {
     vector = new Float32Array(vec);
   } catch {
   }
+  let createdByDevice = null;
+  try {
+    const { loadDeviceId: loadDeviceId2 } = await Promise.resolve().then(() => (init_license(), license_exports));
+    createdByDevice = loadDeviceId2() ?? null;
+  } catch {
+  }
+  const createdByAgent = process.env.AGENT_ID ?? null;
+  const sourceSessionId = process.env.CLAUDE_SESSION_ID ?? process.env.SESSION_ID ?? null;
   await client.execute({
-    sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, priority, content, active, created_at, updated_at, vector)
-          VALUES (?, ?, ?, ?, ?, ?, 1, ?, ?, ?)`,
-    args: [id, opts.agentId, opts.projectName ?? null, opts.domain ?? null, opts.priority ?? "p1", opts.content, now, now, vector ? vector.buffer : null]
+    sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, priority, content, active, created_at, updated_at, vector, created_by_agent, created_by_device, source_session_id)
+          VALUES (?, ?, ?, ?, ?, ?, 1, ?, ?, ?, ?, ?, ?)`,
+    args: [id, opts.agentId, opts.projectName ?? null, opts.domain ?? null, opts.priority ?? "p1", opts.content, now, now, vector ? vector.buffer : null, createdByAgent, createdByDevice, sourceSessionId]
   });
   return id;
 }