@askexenow/exe-os 0.9.111 → 0.9.113

package/dist/bin/exe-boot.js

@@ -331,11 +331,168 @@ var init_config = __esm({
   }
 });
 
+// src/lib/runtime-table.ts
+var RUNTIME_TABLE, DEFAULT_RUNTIME;
+var init_runtime_table = __esm({
+  "src/lib/runtime-table.ts"() {
+    "use strict";
+    RUNTIME_TABLE = {
+      codex: {
+        binary: "codex",
+        launchMode: "interactive",
+        autoApproveFlag: "--dangerously-bypass-approvals-and-sandbox",
+        inlineFlag: "--no-alt-screen",
+        apiKeyEnv: "OPENAI_API_KEY",
+        defaultModel: "gpt-5.5"
+      },
+      opencode: {
+        binary: "opencode",
+        launchMode: "exec",
+        autoApproveFlag: "--dangerously-skip-permissions",
+        inlineFlag: "",
+        apiKeyEnv: "ANTHROPIC_API_KEY",
+        defaultModel: "anthropic/claude-sonnet-4-6"
+      }
+    };
+    DEFAULT_RUNTIME = "claude";
+  }
+});
+
+// src/lib/agent-config.ts
+var agent_config_exports = {};
+__export(agent_config_exports, {
+  AGENT_CONFIG_PATH: () => AGENT_CONFIG_PATH,
+  DEFAULT_MODELS: () => DEFAULT_MODELS,
+  KNOWN_RUNTIMES: () => KNOWN_RUNTIMES,
+  RUNTIME_LABELS: () => RUNTIME_LABELS,
+  clearAgentRuntime: () => clearAgentRuntime,
+  getAgentRuntime: () => getAgentRuntime,
+  loadAgentConfig: () => loadAgentConfig,
+  saveAgentConfig: () => saveAgentConfig,
+  setAgentMcps: () => setAgentMcps,
+  setAgentRuntime: () => setAgentRuntime
+});
+import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3 } from "fs";
+import path2 from "path";
+function loadAgentConfig() {
+  if (!existsSync3(AGENT_CONFIG_PATH)) return {};
+  try {
+    return JSON.parse(readFileSync2(AGENT_CONFIG_PATH, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveAgentConfig(config) {
+  const dir = path2.dirname(AGENT_CONFIG_PATH);
+  ensurePrivateDirSync(dir);
+  writeFileSync(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  enforcePrivateFileSync(AGENT_CONFIG_PATH);
+}
+function getAgentRuntime(agentId) {
+  const config = loadAgentConfig();
+  const entry = config[agentId];
+  if (entry) return entry;
+  const orgDefault = config["default"];
+  if (orgDefault) return orgDefault;
+  return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
+}
+function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
+  const knownModels = KNOWN_RUNTIMES[runtime];
+  if (!knownModels) {
+    return {
+      ok: false,
+      error: `Unknown runtime "${runtime}". Valid: ${Object.keys(KNOWN_RUNTIMES).join(", ")}`
+    };
+  }
+  if (!knownModels.includes(model)) {
+    return {
+      ok: false,
+      error: `Unknown model "${model}" for runtime "${runtime}". Valid: ${knownModels.join(", ")}`
+    };
+  }
+  const config = loadAgentConfig();
+  const existing = config[agentId];
+  const entry = { runtime, model };
+  if (reasoning_effort) entry.reasoning_effort = reasoning_effort;
+  if (mcps !== void 0) {
+    entry.mcps = mcps.includes("exe-os") ? mcps : ["exe-os", ...mcps];
+  } else if (existing?.mcps) {
+    entry.mcps = existing.mcps;
+  }
+  config[agentId] = entry;
+  saveAgentConfig(config);
+  return { ok: true };
+}
+function setAgentMcps(agentId, mcps) {
+  const config = loadAgentConfig();
+  const existing = config[agentId] ?? getAgentRuntime(agentId);
+  existing.mcps = mcps.includes("exe-os") ? mcps : ["exe-os", ...mcps];
+  config[agentId] = existing;
+  saveAgentConfig(config);
+  return { ok: true };
+}
+function clearAgentRuntime(agentId) {
+  const config = loadAgentConfig();
+  delete config[agentId];
+  saveAgentConfig(config);
+}
+var AGENT_CONFIG_PATH, KNOWN_RUNTIMES, RUNTIME_LABELS, DEFAULT_MODELS;
+var init_agent_config = __esm({
+  "src/lib/agent-config.ts"() {
+    "use strict";
+    init_config();
+    init_runtime_table();
+    init_secure_files();
+    AGENT_CONFIG_PATH = path2.join(EXE_AI_DIR, "agent-config.json");
+    KNOWN_RUNTIMES = {
+      claude: ["claude-opus-4.6", "claude-opus-4", "claude-sonnet-4.6", "claude-sonnet-4", "claude-haiku-4.5"],
+      codex: ["gpt-5.4", "gpt-5.5", "gpt-5.3-codex-spark", "o3", "o4-mini"],
+      opencode: ["anthropic/claude-sonnet-4-6", "openai/gpt-5.4", "google/gemini-2.5-pro", "deepseek/deepseek-r3", "minimax/minimax-m2.5"]
+    };
+    RUNTIME_LABELS = {
+      claude: "Claude Code (Anthropic)",
+      codex: "Codex (OpenAI)",
+      opencode: "OpenCode (open source)"
+    };
+    DEFAULT_MODELS = {
+      claude: "claude-opus-4.6",
+      codex: RUNTIME_TABLE.codex?.defaultModel ?? "gpt-5.4",
+      opencode: RUNTIME_TABLE.opencode?.defaultModel ?? "anthropic/claude-sonnet-4-6"
+    };
+  }
+});
+
 // src/lib/employees.ts
+var employees_exports = {};
+__export(employees_exports, {
+  COORDINATOR_ROLE: () => COORDINATOR_ROLE,
+  DEFAULT_COORDINATOR_TEMPLATE_NAME: () => DEFAULT_COORDINATOR_TEMPLATE_NAME,
+  EMPLOYEES_PATH: () => EMPLOYEES_PATH,
+  addEmployee: () => addEmployee,
+  baseAgentName: () => baseAgentName,
+  canCoordinate: () => canCoordinate,
+  getCoordinatorEmployee: () => getCoordinatorEmployee,
+  getCoordinatorName: () => getCoordinatorName,
+  getEmployee: () => getEmployee,
+  getEmployeeByRole: () => getEmployeeByRole,
+  getEmployeeNamesByRole: () => getEmployeeNamesByRole,
+  hasRole: () => hasRole,
+  hireEmployee: () => hireEmployee,
+  isCoordinatorName: () => isCoordinatorName,
+  isCoordinatorRole: () => isCoordinatorRole,
+  isMultiInstance: () => isMultiInstance,
+  loadEmployees: () => loadEmployees,
+  loadEmployeesSync: () => loadEmployeesSync,
+  normalizeRole: () => normalizeRole,
+  normalizeRosterCase: () => normalizeRosterCase,
+  registerBinSymlinks: () => registerBinSymlinks,
+  saveEmployees: () => saveEmployees,
+  validateEmployeeName: () => validateEmployeeName
+});
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { existsSync as existsSync4, symlinkSync, readlinkSync, readFileSync as readFileSync3, renameSync as renameSync2, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
 import { execSync } from "child_process";
-import path2 from "path";
+import path3 from "path";
 import os2 from "os";
 function normalizeRole(role) {
   return (role ?? "").trim().toLowerCase();
@@ -353,8 +510,26 @@ function isCoordinatorName(agentName, employees = loadEmployeesSync()) {
   if (!agentName) return false;
   return agentName.toLowerCase() === getCoordinatorName(employees).toLowerCase();
 }
+function canCoordinate(agentName, agentRole, employees = loadEmployeesSync()) {
+  return agentName === "default" || isCoordinatorRole(agentRole) || isCoordinatorName(agentName, employees);
+}
+function validateEmployeeName(name) {
+  if (!name) {
+    return { valid: false, error: "Name is required" };
+  }
+  if (name.length > 32) {
+    return { valid: false, error: "Name must be 32 characters or fewer" };
+  }
+  if (!/^[a-z][a-z0-9]*$/.test(name)) {
+    return {
+      valid: false,
+      error: "Name must start with a letter and contain only lowercase alphanumeric characters"
+    };
+  }
+  return { valid: true };
+}
 async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync3(employeesPath)) {
+  if (!existsSync4(employeesPath)) {
     return [];
   }
   const raw = await readFile2(employeesPath, "utf-8");
@@ -365,13 +540,13 @@ async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
   }
 }
 async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
-  await mkdir2(path2.dirname(employeesPath), { recursive: true });
+  await mkdir2(path3.dirname(employeesPath), { recursive: true });
   await writeFile2(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
 }
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync3(employeesPath)) return [];
+  if (!existsSync4(employeesPath)) return [];
   try {
-    return JSON.parse(readFileSync2(employeesPath, "utf-8"));
+    return JSON.parse(readFileSync3(employeesPath, "utf-8"));
   } catch {
     return [];
   }
@@ -379,6 +554,19 @@ function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
 function getEmployee(employees, name) {
   return employees.find((e) => e.name.toLowerCase() === name.toLowerCase());
 }
+function getEmployeeByRole(employees, role) {
+  const lower = role.toLowerCase();
+  return employees.find((e) => e.role.toLowerCase() === lower);
+}
+function getEmployeeNamesByRole(employees, role) {
+  const lower = role.toLowerCase();
+  return employees.filter((e) => e.role.toLowerCase() === lower).map((e) => e.name);
+}
+function hasRole(agentName, role) {
+  const employees = loadEmployeesSync();
+  const emp = getEmployee(employees, agentName);
+  return emp ? emp.role.toLowerCase() === role.toLowerCase() : false;
+}
 function baseAgentName(name, employees) {
   const match = name.match(/^([a-zA-Z]+)\d+$/);
   if (!match) return name;
@@ -393,6 +581,90 @@ function isMultiInstance(agentName, employees) {
   if (!emp) return false;
   return MULTI_INSTANCE_ROLES.has(emp.role.toLowerCase());
 }
+function addEmployee(employees, employee) {
+  const { systemPrompt: _legacyPrompt, ...rest } = employee;
+  const normalized = { ...rest, name: employee.name.toLowerCase() };
+  if (employees.some((e) => e.name.toLowerCase() === normalized.name)) {
+    throw new Error(`Employee '${normalized.name}' already exists`);
+  }
+  return [...employees, normalized];
+}
+function appendToCoordinatorTeam(employee) {
+  const coordinator = getCoordinatorEmployee(loadEmployeesSync());
+  if (!coordinator) return;
+  const idPath = path3.join(IDENTITY_DIR, `${coordinator.name}.md`);
+  if (!existsSync4(idPath)) return;
+  const content = readFileSync3(idPath, "utf-8");
+  if (content.includes(`**${capitalize(employee.name)}`)) return;
+  const teamMatch = content.match(TEAM_SECTION_RE);
+  if (!teamMatch || teamMatch.index === void 0) return;
+  const afterTeam = content.slice(teamMatch.index + teamMatch[0].length);
+  const nextHeading = afterTeam.match(/\n## /);
+  const entry = `
+**${capitalize(employee.name)} (${employee.role}):** Newly hired. Update this description as the role develops.
+`;
+  let updated;
+  if (nextHeading && nextHeading.index !== void 0) {
+    const insertAt = teamMatch.index + teamMatch[0].length + nextHeading.index;
+    updated = content.slice(0, insertAt) + entry + content.slice(insertAt);
+  } else {
+    updated = content.trimEnd() + "\n" + entry;
+  }
+  writeFileSync2(idPath, updated, "utf-8");
+}
+function capitalize(s) {
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}
+async function hireEmployee(employee) {
+  const employees = await loadEmployees();
+  const updated = addEmployee(employees, employee);
+  await saveEmployees(updated);
+  try {
+    appendToCoordinatorTeam(employee);
+  } catch {
+  }
+  try {
+    const { loadAgentConfig: loadAgentConfig2, saveAgentConfig: saveAgentConfig2 } = await Promise.resolve().then(() => (init_agent_config(), agent_config_exports));
+    const config = loadAgentConfig2();
+    const name = employee.name.toLowerCase();
+    if (!config[name] && config["default"]) {
+      config[name] = { ...config["default"] };
+      saveAgentConfig2(config);
+    }
+  } catch {
+  }
+  return updated;
+}
+async function normalizeRosterCase(rosterPath) {
+  const employees = await loadEmployees(rosterPath);
+  let changed = false;
+  for (const emp of employees) {
+    if (emp.name !== emp.name.toLowerCase()) {
+      const oldName = emp.name;
+      emp.name = emp.name.toLowerCase();
+      changed = true;
+      try {
+        const identityDir = path3.join(os2.homedir(), ".exe-os", "identity");
+        const oldPath = path3.join(identityDir, `${oldName}.md`);
+        const newPath = path3.join(identityDir, `${emp.name}.md`);
+        if (existsSync4(oldPath) && !existsSync4(newPath)) {
+          renameSync2(oldPath, newPath);
+        } else if (existsSync4(oldPath) && oldPath !== newPath) {
+          const content = readFileSync3(oldPath, "utf-8");
+          writeFileSync2(newPath, content, "utf-8");
+          if (oldPath.toLowerCase() !== newPath.toLowerCase()) {
+            unlinkSync(oldPath);
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  if (changed) {
+    await saveEmployees(employees, rosterPath);
+  }
+  return changed;
+}
 function findExeBin() {
   try {
     return execSync(process.platform === "win32" ? "where exe-os" : "which exe-os", { encoding: "utf8" }).trim();
@@ -409,7 +681,7 @@ function registerBinSymlinks(name) {
     errors.push("Could not find 'exe-os' in PATH");
     return { created, skipped, errors };
   }
-  const binDir = path2.dirname(exeBinPath);
+  const binDir = path3.dirname(exeBinPath);
   let target;
   try {
     target = readlinkSync(exeBinPath);
@@ -419,8 +691,8 @@ function registerBinSymlinks(name) {
   }
   for (const suffix of ["", "-opencode"]) {
     const linkName = `${name}${suffix}`;
-    const linkPath = path2.join(binDir, linkName);
-    if (existsSync3(linkPath)) {
+    const linkPath = path3.join(binDir, linkName);
+    if (existsSync4(linkPath)) {
       skipped.push(linkName);
       continue;
     }
@@ -433,16 +705,17 @@ function registerBinSymlinks(name) {
   }
   return { created, skipped, errors };
 }
-var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, MULTI_INSTANCE_ROLES, IDENTITY_DIR;
+var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, MULTI_INSTANCE_ROLES, IDENTITY_DIR, TEAM_SECTION_RE;
 var init_employees = __esm({
   "src/lib/employees.ts"() {
     "use strict";
     init_config();
-    EMPLOYEES_PATH = path2.join(EXE_AI_DIR, "exe-employees.json");
+    EMPLOYEES_PATH = path3.join(EXE_AI_DIR, "exe-employees.json");
     DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
     COORDINATOR_ROLE = "COO";
     MULTI_INSTANCE_ROLES = /* @__PURE__ */ new Set(["principal engineer", "content production specialist", "staff code reviewer"]);
-    IDENTITY_DIR = path2.join(EXE_AI_DIR, "identity");
+    IDENTITY_DIR = path3.join(EXE_AI_DIR, "identity");
+    TEAM_SECTION_RE = /^## Team\b.*$/m;
   }
 });
 
@@ -503,7 +776,7 @@ var init_db_retry = __esm({
 
 // src/lib/database-adapter.ts
 import os3 from "os";
-import path3 from "path";
+import path4 from "path";
 import { createRequire } from "module";
 import { pathToFileURL } from "url";
 function quotedIdentifier(identifier) {
@@ -814,8 +1087,8 @@ async function loadPrismaClient() {
         }
         return new PrismaClient2();
       }
-      const exeDbRoot = process.env.EXE_DB_ROOT ?? path3.join(os3.homedir(), "exe-db");
-      const requireFromExeDb = createRequire(path3.join(exeDbRoot, "package.json"));
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path4.join(os3.homedir(), "exe-db");
+      const requireFromExeDb = createRequire(path4.join(exeDbRoot, "package.json"));
       const prismaEntry = requireFromExeDb.resolve("@prisma/client");
       const module = await import(pathToFileURL(prismaEntry).href);
       const PrismaClient = module.PrismaClient ?? module.default?.PrismaClient;
@@ -1096,8 +1369,8 @@ var init_memory = __esm({
 
 // src/lib/daemon-auth.ts
 import crypto from "crypto";
-import path4 from "path";
-import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import path5 from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
 function normalizeToken(token) {
   if (!token) return null;
   const trimmed = token.trim();
@@ -1105,8 +1378,8 @@ function normalizeToken(token) {
 }
 function readDaemonToken() {
   try {
-    if (!existsSync4(DAEMON_TOKEN_PATH)) return null;
-    return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
+    if (!existsSync5(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync4(DAEMON_TOKEN_PATH, "utf8"));
   } catch {
     return null;
   }
@@ -1116,7 +1389,7 @@ function ensureDaemonToken(seed) {
   if (existing) return existing;
   const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
   ensurePrivateDirSync(EXE_AI_DIR);
-  writeFileSync2(DAEMON_TOKEN_PATH, `${token}
+  writeFileSync3(DAEMON_TOKEN_PATH, `${token}
 `, "utf8");
   enforcePrivateFileSync(DAEMON_TOKEN_PATH);
   return token;
@@ -1127,7 +1400,7 @@ var init_daemon_auth = __esm({
     "use strict";
     init_config();
     init_secure_files();
-    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
+    DAEMON_TOKEN_PATH = path5.join(EXE_AI_DIR, "exed.token");
   }
 });
 
@@ -1136,8 +1409,8 @@ import net from "net";
 import os4 from "os";
 import { spawn, execSync as execSync2 } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync5, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
-import path5 from "path";
+import { existsSync as existsSync6, unlinkSync as unlinkSync2, readFileSync as readFileSync5, openSync, closeSync, statSync } from "fs";
+import path6 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
@@ -1173,9 +1446,9 @@ function isZombie(pid) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync5(PID_PATH)) {
+  if (existsSync6(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync5(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -1200,11 +1473,11 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path5.dirname(fileURLToPath(import.meta.url));
-  const { root } = path5.parse(dir);
+  let dir = path6.dirname(fileURLToPath(import.meta.url));
+  const { root } = path6.parse(dir);
   while (dir !== root) {
-    if (existsSync5(path5.join(dir, "package.json"))) return dir;
-    dir = path5.dirname(dir);
+    if (existsSync6(path6.join(dir, "package.json"))) return dir;
+    dir = path6.dirname(dir);
   }
   return null;
 }
@@ -1222,8 +1495,8 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync5(daemonPath)) {
+  const daemonPath = path6.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync6(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
@@ -1232,7 +1505,7 @@ function spawnDaemon() {
   const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path6.join(path6.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -1397,9 +1670,9 @@ function killAndRespawnDaemon() {
   }
   try {
     process.stderr.write("[exed-client] Killing daemon for restart...\n");
-    if (existsSync5(PID_PATH)) {
+    if (existsSync6(PID_PATH)) {
       try {
-        const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
+        const pid = parseInt(readFileSync5(PID_PATH, "utf8").trim(), 10);
         if (pid > 0) {
           try {
             process.kill(pid, "SIGKILL");
@@ -1525,9 +1798,9 @@ var init_exe_daemon_client = __esm({
     "use strict";
     init_config();
     init_daemon_auth();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path6.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path6.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path6.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
@@ -1760,7 +2033,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
-import { chmodSync as chmodSync2, existsSync as existsSync6, statSync as statSync2, copyFileSync, unlinkSync as unlinkSync3, openSync as openSync2, closeSync as closeSync2, mkdirSync as mkdirSync2 } from "fs";
+import { chmodSync as chmodSync2, existsSync as existsSync7, statSync as statSync2, copyFileSync, unlinkSync as unlinkSync3, openSync as openSync2, closeSync as closeSync2, mkdirSync as mkdirSync2 } from "fs";
 import { createClient } from "@libsql/client";
 import { homedir } from "os";
 import { join } from "path";
@@ -1813,11 +2086,11 @@ function releaseDbLock() {
 }
 async function initDatabase(config) {
   acquireDbLock();
-  if (existsSync6(config.dbPath)) {
+  if (existsSync7(config.dbPath)) {
     const dbStat = statSync2(config.dbPath);
     if (dbStat.size === 0) {
       const walPath = config.dbPath + "-wal";
-      if (existsSync6(walPath) && statSync2(walPath).size > 0) {
+      if (existsSync7(walPath) && statSync2(walPath).size > 0) {
         const backupPath = config.dbPath + ".zeroed-" + Date.now();
         copyFileSync(config.dbPath, backupPath);
         unlinkSync3(config.dbPath);
@@ -2113,6 +2386,13 @@ async function ensureSchema() {
   } catch (e) {
     logCatchDebug("migration", e);
   }
+  for (const col of ["created_by_agent TEXT", "created_by_device TEXT", "source_session_id TEXT"]) {
+    try {
+      await client.execute({ sql: `ALTER TABLE behaviors ADD COLUMN ${col}`, args: [] });
+    } catch (e) {
+      logCatchDebug("migration", e);
+    }
+  }
   try {
     await client.execute({
       sql: `ALTER TABLE tasks ADD COLUMN blocked_by TEXT`,
@@ -3329,6 +3609,22 @@ async function ensureSchema() {
   } catch (e) {
     logCatchDebug("migration", e);
   }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN visibility TEXT DEFAULT 'private'`,
+      args: []
+    });
+  } catch (e) {
+    logCatchDebug("migration", e);
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN strength REAL DEFAULT 1.0`,
+      args: []
+    });
+  } catch (e) {
+    logCatchDebug("migration", e);
+  }
 }
 async function disposeDatabase() {
   if (_walCheckpointTimer) {
@@ -3431,11 +3727,17 @@ var init_platform_procedures = __esm({
         content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
       },
       {
-        title: "Customer orchestration maturity \u2014 recommend, never trap",
+        title: "Orchestration phase guidance \u2014 recommend, never trap",
         domain: "workflow",
         priority: "p1",
         content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
       },
+      {
+        title: "Routing slot vs display title \u2014 internal 'coo' is plumbing, not your name",
+        domain: "identity",
+        priority: "p0",
+        content: "These procedures reference 'COO' as a shorthand for the coordinator role. This is an INTERNAL routing slot used by exe-os code (chain-of-command checks, dispatch logic, session detection). It is NOT your display title. Your actual title comes from your identity file's `title:` field \u2014 that is what you use externally: introductions, sign-offs, team comms, and any user-facing text. If your identity says `title: AI Chief of Staff`, you are the AI Chief of Staff. The routing slot stays `role: coo` for code compatibility \u2014 never rename it, but also never introduce yourself as 'COO' unless your identity file explicitly says so. The founder chose your title; respect it."
+      },
       {
         title: "Single dispatch path \u2014 create_task only",
         domain: "workflow",
@@ -3469,6 +3771,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "NEVER: (1) Access the database directly \u2014 it's SQLCipher encrypted, always fails. Use MCP tools only. (2) Manually spawn tmux sessions \u2014 create_task handles it. (3) Run git checkout main \u2014 agents work in worktrees. (4) Modify another agent's in-progress task. (5) Push to remote \u2014 the COO reviews and pushes. (6) Skip update_task(done) \u2014 it's the ONLY way your work gets reviewed. (7) Run git init."
       },
+      {
+        title: "Destructive operations \u2014 mandatory reviewer gate",
+        domain: "security",
+        priority: "p0",
+        content: "Before ANY destructive operation (delete, remove, overwrite, drop, reset, force-push, truncate), you MUST: (1) Have your full task spec accessible \u2014 if you cannot read it, STOP and report to your reviewer. Never improvise destructive actions. (2) Confirm with your reviewer (assigned_by or COO) before executing. (3) If the task spec explicitly authorizes the operation, proceed \u2014 but log it. Violation = immediate task failure. This applies to ALL agents regardless of role."
+      },
       {
         title: "Customer patch triage \u2014 upstream bug vs customization",
         domain: "support",
@@ -3620,7 +3928,7 @@ var init_platform_procedures = __esm({
         title: "MCP tool dispatch \u2014 all tools use action parameter",
         domain: "tool-use",
         priority: "p0",
-        content: 'exe-os MCP tools come in two surfaces depending on EXE_MCP_TOOL_SURFACE config. Consolidated (19 tools): action-based dispatch \u2014 memory(action="recall"), task(action="create"), etc. Legacy (108 tools): one tool per operation \u2014 recall_my_memory, create_task, etc. Both surfaces have identical functionality. Use whichever tool names are available in your session. If you see domain tools (memory, task, config, etc.), use the action parameter. If you see specific tools (recall_my_memory, create_task, etc.), call them directly.'
+        content: 'exe-os MCP tools use consolidated action-based dispatch by default (19 tools). Call domain tools with an action parameter: memory(action="recall"), task(action="create"), config(action="list_employees"), etc. Legacy mode (108 separate tools like recall_my_memory, create_task) is still available via EXE_MCP_TOOL_SURFACE=legacy but will be removed in a future version. If you see specific tool names, call them directly \u2014 both surfaces are identical. Consolidated is the default and recommended surface.'
       },
       {
         title: "MCP tools \u2014 memory, decision, and search",
@@ -3753,15 +4061,15 @@ __export(keychain_exports, {
   setMasterKey: () => setMasterKey
 });
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync7, statSync as statSync3 } from "fs";
+import { existsSync as existsSync8, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
-import path6 from "path";
+import path7 from "path";
 import os5 from "os";
 function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path6.join(os5.homedir(), ".exe-os");
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path7.join(os5.homedir(), ".exe-os");
 }
 function getKeyPath() {
-  return path6.join(getKeyDir(), "master.key");
+  return path7.join(getKeyDir(), "master.key");
 }
 function nativeKeychainAllowed() {
   return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
@@ -3792,7 +4100,7 @@ function isRootOnlyTrustedServerKeyFile(keyPath) {
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    return Boolean(exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep));
   } catch {
     return false;
   }
@@ -3989,7 +4297,7 @@ async function getMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (!existsSync7(keyPath)) {
+  if (!existsSync8(keyPath)) {
     process.stderr.write(
       `[keychain] Key not found at ${keyPath} (HOME=${os5.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
 `
@@ -4097,7 +4405,7 @@ async function getKeyStorageInfo() {
     }
   }
   const keyPath = getKeyPath();
-  if (!existsSync7(keyPath)) {
+  if (!existsSync8(keyPath)) {
     return {
       kind: "missing",
       secure: false,
@@ -4193,7 +4501,7 @@ async function deleteMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (existsSync7(keyPath)) {
+  if (existsSync8(keyPath)) {
     await unlink(keyPath);
   }
 }
@@ -4316,14 +4624,14 @@ __export(shard_manager_exports, {
   listShards: () => listShards,
   shardExists: () => shardExists
 });
-import path7 from "path";
-import { existsSync as existsSync8, mkdirSync as mkdirSync3, readdirSync, renameSync as renameSync3, statSync as statSync4 } from "fs";
+import path8 from "path";
+import { existsSync as existsSync9, mkdirSync as mkdirSync3, readdirSync, renameSync as renameSync3, statSync as statSync4 } from "fs";
 import { createClient as createClient2 } from "@libsql/client";
 function initShardManager(encryptionKey) {
   _encryptionKey = encryptionKey;
   _keyValidated = false;
   _keyValidationPromise = null;
-  if (!existsSync8(SHARDS_DIR)) {
+  if (!existsSync9(SHARDS_DIR)) {
     mkdirSync3(SHARDS_DIR, { recursive: true });
   }
   const existingShards = readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db"));
@@ -4344,7 +4652,7 @@ async function validateEncryptionKey() {
     return true;
   }
   for (const shardFile of existingShards.slice(0, 3)) {
-    const dbPath = path7.join(SHARDS_DIR, shardFile);
+    const dbPath = path8.join(SHARDS_DIR, shardFile);
     const testClient = createClient2({ url: `file:${dbPath}`, encryptionKey: _encryptionKey });
     try {
       await testClient.execute("SELECT COUNT(*) FROM sqlite_schema");
@@ -4387,7 +4695,7 @@ function getShardClient(projectName) {
   while (_shards.size >= MAX_OPEN_SHARDS) {
     evictLRU();
   }
-  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
+  const dbPath = path8.join(SHARDS_DIR, `${safeName}.db`);
   const client = createClient2({
     url: `file:${dbPath}`,
     encryptionKey: _encryptionKey
@@ -4398,13 +4706,13 @@ function getShardClient(projectName) {
 }
 function shardExists(projectName) {
   const safeName = safeShardName(projectName);
-  return existsSync8(path7.join(SHARDS_DIR, `${safeName}.db`));
+  return existsSync9(path8.join(SHARDS_DIR, `${safeName}.db`));
 }
 function safeShardName(projectName) {
   return projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
 }
 function listShards() {
-  if (!existsSync8(SHARDS_DIR)) return [];
+  if (!existsSync9(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
 async function auditShardHealth(options = {}) {
@@ -4416,7 +4724,7 @@ async function auditShardHealth(options = {}) {
   const names = listShards();
   const shards = [];
   for (const name of names) {
-    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const dbPath = path8.join(SHARDS_DIR, `${name}.db`);
     const stat = statSync4(dbPath);
     const item = {
       name,
@@ -4451,7 +4759,7 @@ async function auditShardHealth(options = {}) {
         _shards.delete(name);
         _shardLastAccess.delete(name);
         const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        const archivedPath = path8.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
         renameSync3(dbPath, archivedPath);
         item.archivedPath = archivedPath;
       }
@@ -4679,11 +4987,11 @@ async function getReadyShardClient(projectName) {
     client.close();
     _shards.delete(safeName);
     _shardLastAccess.delete(safeName);
-    const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
-    if (existsSync8(dbPath)) {
+    const dbPath = path8.join(SHARDS_DIR, `${safeName}.db`);
+    if (existsSync9(dbPath)) {
       const stat = statSync4(dbPath);
       const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
+      const archivedPath = path8.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
       renameSync3(dbPath, archivedPath);
       process.stderr.write(
         `[shard-manager] Archived unreadable shard ${safeName}: ${archivedPath} (${stat.size} bytes, mtime ${stat.mtime.toISOString()})
@@ -4751,7 +5059,7 @@ var init_shard_manager = __esm({
   "src/lib/shard-manager.ts"() {
     "use strict";
     init_config();
-    SHARDS_DIR = path7.join(EXE_AI_DIR, "shards");
+    SHARDS_DIR = path8.join(EXE_AI_DIR, "shards");
     SHARD_IDLE_MS = 5 * 60 * 1e3;
     MAX_OPEN_SHARDS = 10;
     EVICTION_INTERVAL_MS = 60 * 1e3;
@@ -4880,13 +5188,13 @@ __export(session_registry_exports, {
   refreshSessionProject: () => refreshSessionProject,
   registerSession: () => registerSession
 });
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4, existsSync as existsSync9 } from "fs";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4, existsSync as existsSync10 } from "fs";
 import { execSync as execSync4 } from "child_process";
-import path8 from "path";
+import path9 from "path";
 import os6 from "os";
 function registerSession(entry) {
-  const dir = path8.dirname(REGISTRY_PATH);
-  if (!existsSync9(dir)) {
+  const dir = path9.dirname(REGISTRY_PATH);
+  if (!existsSync10(dir)) {
     mkdirSync4(dir, { recursive: true });
   }
   const sessions = listSessions();
@@ -4896,7 +5204,7 @@ function registerSession(entry) {
   } else {
     sessions.push(entry);
   }
-  writeFileSync3(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
+  writeFileSync4(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
 }
 function refreshSessionProject(windowName, projectDir) {
   const sessions = listSessions();
@@ -4904,13 +5212,13 @@ function refreshSessionProject(windowName, projectDir) {
   if (!entry || entry.projectDir === projectDir) return;
   entry.projectDir = projectDir;
   try {
-    writeFileSync3(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
+    writeFileSync4(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
   } catch {
   }
 }
 function listSessions() {
   try {
-    const raw = readFileSync5(REGISTRY_PATH, "utf8");
+    const raw = readFileSync6(REGISTRY_PATH, "utf8");
     return JSON.parse(raw);
   } catch {
     return [];
@@ -4931,7 +5239,7 @@ function pruneStaleSessions() {
   const alive = sessions.filter((s) => liveSet.has(s.windowName));
   const pruned = sessions.length - alive.length;
   if (pruned > 0) {
-    writeFileSync3(REGISTRY_PATH, JSON.stringify(alive, null, 2));
+    writeFileSync4(REGISTRY_PATH, JSON.stringify(alive, null, 2));
   }
   return pruned;
 }
@@ -4939,7 +5247,7 @@ var REGISTRY_PATH;
 var init_session_registry = __esm({
   "src/lib/session-registry.ts"() {
     "use strict";
-    REGISTRY_PATH = path8.join(os6.homedir(), ".exe-os", "session-registry.json");
+    REGISTRY_PATH = path9.join(os6.homedir(), ".exe-os", "session-registry.json");
   }
 });
 
@@ -5201,68 +5509,6 @@ var init_provider_table = __esm({
   }
 });
 
-// src/lib/runtime-table.ts
-var RUNTIME_TABLE, DEFAULT_RUNTIME;
-var init_runtime_table = __esm({
-  "src/lib/runtime-table.ts"() {
-    "use strict";
-    RUNTIME_TABLE = {
-      codex: {
-        binary: "codex",
-        launchMode: "interactive",
-        autoApproveFlag: "--dangerously-bypass-approvals-and-sandbox",
-        inlineFlag: "--no-alt-screen",
-        apiKeyEnv: "OPENAI_API_KEY",
-        defaultModel: "gpt-5.5"
-      },
-      opencode: {
-        binary: "opencode",
-        launchMode: "exec",
-        autoApproveFlag: "--dangerously-skip-permissions",
-        inlineFlag: "",
-        apiKeyEnv: "ANTHROPIC_API_KEY",
-        defaultModel: "anthropic/claude-sonnet-4-6"
-      }
-    };
-    DEFAULT_RUNTIME = "claude";
-  }
-});
-
-// src/lib/agent-config.ts
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, existsSync as existsSync10 } from "fs";
-import path9 from "path";
-function loadAgentConfig() {
-  if (!existsSync10(AGENT_CONFIG_PATH)) return {};
-  try {
-    return JSON.parse(readFileSync6(AGENT_CONFIG_PATH, "utf-8"));
-  } catch {
-    return {};
-  }
-}
-function getAgentRuntime(agentId) {
-  const config = loadAgentConfig();
-  const entry = config[agentId];
-  if (entry) return entry;
-  const orgDefault = config["default"];
-  if (orgDefault) return orgDefault;
-  return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
-}
-var AGENT_CONFIG_PATH, DEFAULT_MODELS;
-var init_agent_config = __esm({
-  "src/lib/agent-config.ts"() {
-    "use strict";
-    init_config();
-    init_runtime_table();
-    init_secure_files();
-    AGENT_CONFIG_PATH = path9.join(EXE_AI_DIR, "agent-config.json");
-    DEFAULT_MODELS = {
-      claude: "claude-opus-4.6",
-      codex: RUNTIME_TABLE.codex?.defaultModel ?? "gpt-5.4",
-      opencode: RUNTIME_TABLE.opencode?.defaultModel ?? "anthropic/claude-sonnet-4-6"
-    };
-  }
-});
-
 // src/lib/intercom-queue.ts
 var intercom_queue_exports = {};
 __export(intercom_queue_exports, {
@@ -5757,7 +6003,7 @@ async function assertVpsLicense(opts) {
   }
   if (!transientFailure) {
     throw new Error(
-      "License validation failed: unknown backend state. Restore network connectivity to https://askexe.com/cloud and retry."
+      "License validation failed: unknown backend state. Restore network connectivity to https://cloud.askexe.com and retry."
     );
   }
   const fresh = await getCachedLicense();
@@ -5794,7 +6040,7 @@ async function assertVpsLicense(opts) {
   } catch {
   }
   throw new Error(
-    `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://askexe.com/cloud and retry. This VPS image refuses to boot after the offline grace window.`
+    `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://cloud.askexe.com and retry. This VPS image refuses to boot after the offline grace window.`
   );
 }
 function startLicenseRevalidation(intervalMs = 36e5) {
@@ -5826,7 +6072,7 @@ var init_license = __esm({
     LICENSE_PATH = path11.join(EXE_AI_DIR, "license.key");
     CACHE_PATH = path11.join(EXE_AI_DIR, "license-cache.json");
     DEVICE_ID_PATH = path11.join(EXE_AI_DIR, "device-id");
-    API_BASE = process.env.EXE_CLOUD_ENDPOINT ?? "https://askexe.com/cloud";
+    API_BASE = process.env.EXE_CLOUD_ENDPOINT ?? "https://cloud.askexe.com";
     RETRY_DELAY_MS = 500;
     LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
@@ -6483,6 +6729,19 @@ async function resolveTask(client, identifier, scopeSession) {
     args: [identifier, ...scope.args]
   });
   if (result.rows.length === 1) return result.rows[0];
+  if (/^[a-f0-9]{7,12}$/i.test(identifier)) {
+    result = await client.execute({
+      sql: `SELECT * FROM tasks WHERE id LIKE ?`,
+      args: [`${identifier}%`]
+    });
+    if (result.rows.length === 1) return result.rows[0];
+    if (result.rows.length > 1) {
+      const matches = result.rows.map((r) => `${String(r.id)} "${String(r.title)}" (${String(r.status)})`).join(", ");
+      throw new Error(
+        `Multiple tasks match short-ID "${identifier}": ${matches}. Use a longer prefix to disambiguate.`
+      );
+    }
+  }
   result = await client.execute({
     sql: `SELECT * FROM tasks WHERE task_file LIKE ?${scope.sql}`,
     args: [`%${identifier}%`, ...scope.args]
@@ -7337,12 +7596,13 @@ async function cascadeUnblock(taskId, baseDir, now) {
           WHERE blocked_by = ? AND status = 'blocked'`,
     args: [now, taskId]
   });
-  if (baseDir && unblocked.rowsAffected > 0) {
-    const ubScope = sessionScopeFilter();
-    const unblockedRows = await client.execute({
-      sql: `SELECT task_file FROM tasks WHERE blocked_by IS NULL AND updated_at = ?${ubScope.sql}`,
-      args: [now, ...ubScope.args]
-    });
+  if (unblocked.rowsAffected === 0) return;
+  const ubScope = sessionScopeFilter();
+  const unblockedRows = await client.execute({
+    sql: `SELECT id, title, assigned_to, priority, task_file FROM tasks WHERE blocked_by IS NULL AND updated_at = ?${ubScope.sql}`,
+    args: [now, ...ubScope.args]
+  });
+  if (baseDir) {
     for (const ur of unblockedRows.rows) {
       try {
         const ubFile = path18.join(baseDir, String(ur.task_file));
@@ -7354,6 +7614,19 @@ async function cascadeUnblock(taskId, baseDir, now) {
       }
     }
   }
+  if (unblockedRows.rows.length > 0 && !process.env.VITEST) {
+    try {
+      const { queueIntercom: queueIntercom2 } = await Promise.resolve().then(() => (init_intercom_queue(), intercom_queue_exports));
+      const dispatched = /* @__PURE__ */ new Set();
+      for (const ur of unblockedRows.rows) {
+        const assignee = String(ur.assigned_to);
+        if (dispatched.has(assignee)) continue;
+        dispatched.add(assignee);
+        queueIntercom2(`${assignee}`, `unblocked: "${String(ur.title)}" is now ready`);
+      }
+    } catch {
+    }
+  }
 }
 async function findNextTask(assignedTo) {
   const client = getClient();
@@ -7563,6 +7836,15 @@ var init_embedder = __esm({
 // src/lib/behaviors.ts
 import crypto5 from "crypto";
 async function storeBehavior(opts) {
+  try {
+    const { loadEmployeesSync: loadEmployeesSync2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
+    const roster = loadEmployeesSync2();
+    if (roster.length > 0 && !roster.some((e) => e.name === opts.agentId)) {
+      throw new Error(`Agent "${opts.agentId}" not found in roster. Cannot store behavior for unregistered agent.`);
+    }
+  } catch (e) {
+    if (e instanceof Error && e.message.includes("not found in roster")) throw e;
+  }
   const client = getClient();
   const id = crypto5.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -7573,10 +7855,18 @@ async function storeBehavior(opts) {
     vector = new Float32Array(vec);
   } catch {
   }
+  let createdByDevice = null;
+  try {
+    const { loadDeviceId: loadDeviceId2 } = await Promise.resolve().then(() => (init_license(), license_exports));
+    createdByDevice = loadDeviceId2() ?? null;
+  } catch {
+  }
+  const createdByAgent = process.env.AGENT_ID ?? null;
+  const sourceSessionId = process.env.CLAUDE_SESSION_ID ?? process.env.SESSION_ID ?? null;
   await client.execute({
-    sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, priority, content, active, created_at, updated_at, vector)
-          VALUES (?, ?, ?, ?, ?, ?, 1, ?, ?, ?)`,
-    args: [id, opts.agentId, opts.projectName ?? null, opts.domain ?? null, opts.priority ?? "p1", opts.content, now, now, vector ? vector.buffer : null]
+    sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, priority, content, active, created_at, updated_at, vector, created_by_agent, created_by_device, source_session_id)
+          VALUES (?, ?, ?, ?, ?, ?, 1, ?, ?, ?, ?, ?, ?)`,
+    args: [id, opts.agentId, opts.projectName ?? null, opts.domain ?? null, opts.priority ?? "p1", opts.content, now, now, vector ? vector.buffer : null, createdByAgent, createdByDevice, sourceSessionId]
   });
   return id;
 }
@@ -8008,6 +8298,12 @@ async function updateTask(input) {
       }
     }
   }
+  if (input.status === "cancelled") {
+    try {
+      await cascadeUnblock(taskId, input.baseDir, now);
+    } catch {
+    }
+  }
   if ((input.status === "done" || input.status === "closed") && !isCoordinatorName(String(row.assigned_to)) && !process.env.VITEST) {
     Promise.resolve().then(() => (init_skill_learning(), skill_learning_exports)).then(
       ({ captureAndLearn: captureAndLearn2 }) => captureAndLearn2({
@@ -8539,11 +8835,12 @@ function getDispatchedBy(sessionKey) {
   }
 }
 function resolveExeSession() {
+  if (process.env.EXE_SESSION_NAME) {
+    const fromEnv = extractRootExe(process.env.EXE_SESSION_NAME) ?? process.env.EXE_SESSION_NAME;
+    if (fromEnv) return fromEnv;
+  }
   const mySession = getMySession();
   if (!mySession) {
-    if (process.env.EXE_SESSION_NAME) {
-      return extractRootExe(process.env.EXE_SESSION_NAME) ?? process.env.EXE_SESSION_NAME;
-    }
     return null;
   }
   const fromSessionName = extractRootExe(mySession);
@@ -8558,6 +8855,10 @@ function resolveExeSession() {
           `[tmux-routing] WARN: cache says "${fromCache}" but session name says "${fromSessionName}". Trusting session name.
 `
         );
+        try {
+          registerParentExe(key, fromSessionName);
+        } catch {
+        }
         candidate = fromSessionName;
       } else {
         candidate = fromCache;
@@ -10246,6 +10547,27 @@ async function cloudSync(config) {
       if (stmts.length > 0) await client.batch(stmts, "write");
       pulled = pullResult.records.length;
     } else {
+      try {
+        const incomingIds = pullResult.records.map((r) => sqlSafe(r.id));
+        if (incomingIds.length > 0) {
+          const ph = incomingIds.map(() => "?").join(",");
+          const existing = await client.execute({
+            sql: `SELECT id, version, timestamp FROM memories WHERE id IN (${ph})`,
+            args: incomingIds
+          });
+          const localMap = new Map(existing.rows.map((r) => [String(r.id), r]));
+          for (const rec of pullResult.records) {
+            const local = localMap.get(String(rec.id));
+            if (local && Number(local.version) > 0 && Number(local.version) !== Number(rec.version ?? 0)) {
+              process.stderr.write(
+                `[cloud-sync] CONFLICT: memory ${String(rec.id).slice(0, 8)} \u2014 local v${local.version} vs remote v${rec.version ?? 0}. Remote wins (LWW).
+`
+              );
+            }
+          }
+        }
+      } catch {
+      }
       const stmts = pullResult.records.map((rec) => ({
         sql: `INSERT OR REPLACE INTO memories
               (id, agent_id, agent_role, session_id, timestamp,
@@ -11593,9 +11915,23 @@ var PROCEDURES_MARKER = "EXE OS \u2014 VISION AND NON-NEGOTIABLE PRINCIPLES";
 function getSessionPrompt(storedPrompt) {
   const markerIndex = storedPrompt.indexOf(PROCEDURES_MARKER);
   const withoutProcedures = markerIndex >= 0 ? storedPrompt.slice(0, markerIndex).trimEnd() : storedPrompt;
+  let titlePrefix = "";
+  const frontmatterMatch = withoutProcedures.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (frontmatterMatch) {
+    const titleMatch = frontmatterMatch[1].match(/^title:\s*(.+)$/m);
+    const roleMatch = frontmatterMatch[1].match(/^role:\s*(.+)$/m);
+    if (titleMatch) {
+      const title = titleMatch[1].trim();
+      const role = roleMatch ? roleMatch[1].trim() : "";
+      if (title && role && title.toLowerCase() !== role.toLowerCase()) {
+        titlePrefix = `## Your Identity
+You are **${title}** (specialist). `;
+      }
+    }
+  }
   const rolePrompt = withoutProcedures.replace(/^---\r?\n[\s\S]*?\r?\n---\r?\n?/, "").replace(/<!--[\s\S]*?-->/g, "").trimStart();
   const globalBlock = getGlobalProceduresBlock();
-  return `${globalBlock}${rolePrompt}
+  return `${globalBlock}${titlePrefix}${rolePrompt}
 ${BASE_OPERATING_PROCEDURES}`;
 }
 
@@ -11802,7 +12138,20 @@ function buildActionRequired(data) {
   const blockedTasks = data.globalTasks.filter((t) => t.status === "blocked");
   if (blockedTasks.length > 0) {
     hasIssues = true;
-    lines.push(`  \u{1F534} ${blockedTasks.length} blocked task${blockedTasks.length === 1 ? "" : "s"} \u2014 needs your decision`);
+    const ESCALATION_MS = 48 * 60 * 60 * 1e3;
+    const stale = blockedTasks.filter((t) => {
+      if (!t.updatedAt) return false;
+      return Date.now() - new Date(t.updatedAt).getTime() > ESCALATION_MS;
+    });
+    if (stale.length > 0) {
+      lines.push(`  \u{1F534} ESCALATION: ${stale.length} task${stale.length === 1 ? "" : "s"} blocked >48h:`);
+      for (const t of stale) {
+        const ageH = Math.round((Date.now() - new Date(t.updatedAt).getTime()) / 36e5);
+        lines.push(`    - "${t.title}" (${t.assignedTo}) \u2014 blocked ${ageH}h`);
+      }
+    } else {
+      lines.push(`  \u{1F534} ${blockedTasks.length} blocked task${blockedTasks.length === 1 ? "" : "s"} \u2014 needs your decision`);
+    }
   }
   if (data.flaggedIssues.length > 0) {
     hasIssues = true;