@askexenow/exe-os 0.9.112 → 0.9.113

package/dist/bin/exe-boot.js

@@ -331,11 +331,168 @@ var init_config = __esm({
   }
 });
 
+// src/lib/runtime-table.ts
+var RUNTIME_TABLE, DEFAULT_RUNTIME;
+var init_runtime_table = __esm({
+  "src/lib/runtime-table.ts"() {
+    "use strict";
+    RUNTIME_TABLE = {
+      codex: {
+        binary: "codex",
+        launchMode: "interactive",
+        autoApproveFlag: "--dangerously-bypass-approvals-and-sandbox",
+        inlineFlag: "--no-alt-screen",
+        apiKeyEnv: "OPENAI_API_KEY",
+        defaultModel: "gpt-5.5"
+      },
+      opencode: {
+        binary: "opencode",
+        launchMode: "exec",
+        autoApproveFlag: "--dangerously-skip-permissions",
+        inlineFlag: "",
+        apiKeyEnv: "ANTHROPIC_API_KEY",
+        defaultModel: "anthropic/claude-sonnet-4-6"
+      }
+    };
+    DEFAULT_RUNTIME = "claude";
+  }
+});
+
+// src/lib/agent-config.ts
+var agent_config_exports = {};
+__export(agent_config_exports, {
+  AGENT_CONFIG_PATH: () => AGENT_CONFIG_PATH,
+  DEFAULT_MODELS: () => DEFAULT_MODELS,
+  KNOWN_RUNTIMES: () => KNOWN_RUNTIMES,
+  RUNTIME_LABELS: () => RUNTIME_LABELS,
+  clearAgentRuntime: () => clearAgentRuntime,
+  getAgentRuntime: () => getAgentRuntime,
+  loadAgentConfig: () => loadAgentConfig,
+  saveAgentConfig: () => saveAgentConfig,
+  setAgentMcps: () => setAgentMcps,
+  setAgentRuntime: () => setAgentRuntime
+});
+import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3 } from "fs";
+import path2 from "path";
+function loadAgentConfig() {
+  if (!existsSync3(AGENT_CONFIG_PATH)) return {};
+  try {
+    return JSON.parse(readFileSync2(AGENT_CONFIG_PATH, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveAgentConfig(config) {
+  const dir = path2.dirname(AGENT_CONFIG_PATH);
+  ensurePrivateDirSync(dir);
+  writeFileSync(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  enforcePrivateFileSync(AGENT_CONFIG_PATH);
+}
+function getAgentRuntime(agentId) {
+  const config = loadAgentConfig();
+  const entry = config[agentId];
+  if (entry) return entry;
+  const orgDefault = config["default"];
+  if (orgDefault) return orgDefault;
+  return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
+}
+function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
+  const knownModels = KNOWN_RUNTIMES[runtime];
+  if (!knownModels) {
+    return {
+      ok: false,
+      error: `Unknown runtime "${runtime}". Valid: ${Object.keys(KNOWN_RUNTIMES).join(", ")}`
+    };
+  }
+  if (!knownModels.includes(model)) {
+    return {
+      ok: false,
+      error: `Unknown model "${model}" for runtime "${runtime}". Valid: ${knownModels.join(", ")}`
+    };
+  }
+  const config = loadAgentConfig();
+  const existing = config[agentId];
+  const entry = { runtime, model };
+  if (reasoning_effort) entry.reasoning_effort = reasoning_effort;
+  if (mcps !== void 0) {
+    entry.mcps = mcps.includes("exe-os") ? mcps : ["exe-os", ...mcps];
+  } else if (existing?.mcps) {
+    entry.mcps = existing.mcps;
+  }
+  config[agentId] = entry;
+  saveAgentConfig(config);
+  return { ok: true };
+}
+function setAgentMcps(agentId, mcps) {
+  const config = loadAgentConfig();
+  const existing = config[agentId] ?? getAgentRuntime(agentId);
+  existing.mcps = mcps.includes("exe-os") ? mcps : ["exe-os", ...mcps];
+  config[agentId] = existing;
+  saveAgentConfig(config);
+  return { ok: true };
+}
+function clearAgentRuntime(agentId) {
+  const config = loadAgentConfig();
+  delete config[agentId];
+  saveAgentConfig(config);
+}
+var AGENT_CONFIG_PATH, KNOWN_RUNTIMES, RUNTIME_LABELS, DEFAULT_MODELS;
+var init_agent_config = __esm({
+  "src/lib/agent-config.ts"() {
+    "use strict";
+    init_config();
+    init_runtime_table();
+    init_secure_files();
+    AGENT_CONFIG_PATH = path2.join(EXE_AI_DIR, "agent-config.json");
+    KNOWN_RUNTIMES = {
+      claude: ["claude-opus-4.6", "claude-opus-4", "claude-sonnet-4.6", "claude-sonnet-4", "claude-haiku-4.5"],
+      codex: ["gpt-5.4", "gpt-5.5", "gpt-5.3-codex-spark", "o3", "o4-mini"],
+      opencode: ["anthropic/claude-sonnet-4-6", "openai/gpt-5.4", "google/gemini-2.5-pro", "deepseek/deepseek-r3", "minimax/minimax-m2.5"]
+    };
+    RUNTIME_LABELS = {
+      claude: "Claude Code (Anthropic)",
+      codex: "Codex (OpenAI)",
+      opencode: "OpenCode (open source)"
+    };
+    DEFAULT_MODELS = {
+      claude: "claude-opus-4.6",
+      codex: RUNTIME_TABLE.codex?.defaultModel ?? "gpt-5.4",
+      opencode: RUNTIME_TABLE.opencode?.defaultModel ?? "anthropic/claude-sonnet-4-6"
+    };
+  }
+});
+
 // src/lib/employees.ts
+var employees_exports = {};
+__export(employees_exports, {
+  COORDINATOR_ROLE: () => COORDINATOR_ROLE,
+  DEFAULT_COORDINATOR_TEMPLATE_NAME: () => DEFAULT_COORDINATOR_TEMPLATE_NAME,
+  EMPLOYEES_PATH: () => EMPLOYEES_PATH,
+  addEmployee: () => addEmployee,
+  baseAgentName: () => baseAgentName,
+  canCoordinate: () => canCoordinate,
+  getCoordinatorEmployee: () => getCoordinatorEmployee,
+  getCoordinatorName: () => getCoordinatorName,
+  getEmployee: () => getEmployee,
+  getEmployeeByRole: () => getEmployeeByRole,
+  getEmployeeNamesByRole: () => getEmployeeNamesByRole,
+  hasRole: () => hasRole,
+  hireEmployee: () => hireEmployee,
+  isCoordinatorName: () => isCoordinatorName,
+  isCoordinatorRole: () => isCoordinatorRole,
+  isMultiInstance: () => isMultiInstance,
+  loadEmployees: () => loadEmployees,
+  loadEmployeesSync: () => loadEmployeesSync,
+  normalizeRole: () => normalizeRole,
+  normalizeRosterCase: () => normalizeRosterCase,
+  registerBinSymlinks: () => registerBinSymlinks,
+  saveEmployees: () => saveEmployees,
+  validateEmployeeName: () => validateEmployeeName
+});
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { existsSync as existsSync4, symlinkSync, readlinkSync, readFileSync as readFileSync3, renameSync as renameSync2, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
 import { execSync } from "child_process";
-import path2 from "path";
+import path3 from "path";
 import os2 from "os";
 function normalizeRole(role) {
   return (role ?? "").trim().toLowerCase();
@@ -353,8 +510,26 @@ function isCoordinatorName(agentName, employees = loadEmployeesSync()) {
   if (!agentName) return false;
   return agentName.toLowerCase() === getCoordinatorName(employees).toLowerCase();
 }
+function canCoordinate(agentName, agentRole, employees = loadEmployeesSync()) {
+  return agentName === "default" || isCoordinatorRole(agentRole) || isCoordinatorName(agentName, employees);
+}
+function validateEmployeeName(name) {
+  if (!name) {
+    return { valid: false, error: "Name is required" };
+  }
+  if (name.length > 32) {
+    return { valid: false, error: "Name must be 32 characters or fewer" };
+  }
+  if (!/^[a-z][a-z0-9]*$/.test(name)) {
+    return {
+      valid: false,
+      error: "Name must start with a letter and contain only lowercase alphanumeric characters"
+    };
+  }
+  return { valid: true };
+}
 async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync3(employeesPath)) {
+  if (!existsSync4(employeesPath)) {
     return [];
   }
   const raw = await readFile2(employeesPath, "utf-8");
@@ -365,13 +540,13 @@ async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
   }
 }
 async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
-  await mkdir2(path2.dirname(employeesPath), { recursive: true });
+  await mkdir2(path3.dirname(employeesPath), { recursive: true });
   await writeFile2(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
 }
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync3(employeesPath)) return [];
+  if (!existsSync4(employeesPath)) return [];
   try {
-    return JSON.parse(readFileSync2(employeesPath, "utf-8"));
+    return JSON.parse(readFileSync3(employeesPath, "utf-8"));
   } catch {
     return [];
   }
@@ -379,6 +554,19 @@ function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
 function getEmployee(employees, name) {
   return employees.find((e) => e.name.toLowerCase() === name.toLowerCase());
 }
+function getEmployeeByRole(employees, role) {
+  const lower = role.toLowerCase();
+  return employees.find((e) => e.role.toLowerCase() === lower);
+}
+function getEmployeeNamesByRole(employees, role) {
+  const lower = role.toLowerCase();
+  return employees.filter((e) => e.role.toLowerCase() === lower).map((e) => e.name);
+}
+function hasRole(agentName, role) {
+  const employees = loadEmployeesSync();
+  const emp = getEmployee(employees, agentName);
+  return emp ? emp.role.toLowerCase() === role.toLowerCase() : false;
+}
 function baseAgentName(name, employees) {
   const match = name.match(/^([a-zA-Z]+)\d+$/);
   if (!match) return name;
@@ -393,6 +581,90 @@ function isMultiInstance(agentName, employees) {
   if (!emp) return false;
   return MULTI_INSTANCE_ROLES.has(emp.role.toLowerCase());
 }
+function addEmployee(employees, employee) {
+  const { systemPrompt: _legacyPrompt, ...rest } = employee;
+  const normalized = { ...rest, name: employee.name.toLowerCase() };
+  if (employees.some((e) => e.name.toLowerCase() === normalized.name)) {
+    throw new Error(`Employee '${normalized.name}' already exists`);
+  }
+  return [...employees, normalized];
+}
+function appendToCoordinatorTeam(employee) {
+  const coordinator = getCoordinatorEmployee(loadEmployeesSync());
+  if (!coordinator) return;
+  const idPath = path3.join(IDENTITY_DIR, `${coordinator.name}.md`);
+  if (!existsSync4(idPath)) return;
+  const content = readFileSync3(idPath, "utf-8");
+  if (content.includes(`**${capitalize(employee.name)}`)) return;
+  const teamMatch = content.match(TEAM_SECTION_RE);
+  if (!teamMatch || teamMatch.index === void 0) return;
+  const afterTeam = content.slice(teamMatch.index + teamMatch[0].length);
+  const nextHeading = afterTeam.match(/\n## /);
+  const entry = `
+**${capitalize(employee.name)} (${employee.role}):** Newly hired. Update this description as the role develops.
+`;
+  let updated;
+  if (nextHeading && nextHeading.index !== void 0) {
+    const insertAt = teamMatch.index + teamMatch[0].length + nextHeading.index;
+    updated = content.slice(0, insertAt) + entry + content.slice(insertAt);
+  } else {
+    updated = content.trimEnd() + "\n" + entry;
+  }
+  writeFileSync2(idPath, updated, "utf-8");
+}
+function capitalize(s) {
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}
+async function hireEmployee(employee) {
+  const employees = await loadEmployees();
+  const updated = addEmployee(employees, employee);
+  await saveEmployees(updated);
+  try {
+    appendToCoordinatorTeam(employee);
+  } catch {
+  }
+  try {
+    const { loadAgentConfig: loadAgentConfig2, saveAgentConfig: saveAgentConfig2 } = await Promise.resolve().then(() => (init_agent_config(), agent_config_exports));
+    const config = loadAgentConfig2();
+    const name = employee.name.toLowerCase();
+    if (!config[name] && config["default"]) {
+      config[name] = { ...config["default"] };
+      saveAgentConfig2(config);
+    }
+  } catch {
+  }
+  return updated;
+}
+async function normalizeRosterCase(rosterPath) {
+  const employees = await loadEmployees(rosterPath);
+  let changed = false;
+  for (const emp of employees) {
+    if (emp.name !== emp.name.toLowerCase()) {
+      const oldName = emp.name;
+      emp.name = emp.name.toLowerCase();
+      changed = true;
+      try {
+        const identityDir = path3.join(os2.homedir(), ".exe-os", "identity");
+        const oldPath = path3.join(identityDir, `${oldName}.md`);
+        const newPath = path3.join(identityDir, `${emp.name}.md`);
+        if (existsSync4(oldPath) && !existsSync4(newPath)) {
+          renameSync2(oldPath, newPath);
+        } else if (existsSync4(oldPath) && oldPath !== newPath) {
+          const content = readFileSync3(oldPath, "utf-8");
+          writeFileSync2(newPath, content, "utf-8");
+          if (oldPath.toLowerCase() !== newPath.toLowerCase()) {
+            unlinkSync(oldPath);
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  if (changed) {
+    await saveEmployees(employees, rosterPath);
+  }
+  return changed;
+}
 function findExeBin() {
   try {
     return execSync(process.platform === "win32" ? "where exe-os" : "which exe-os", { encoding: "utf8" }).trim();
@@ -409,7 +681,7 @@ function registerBinSymlinks(name) {
     errors.push("Could not find 'exe-os' in PATH");
     return { created, skipped, errors };
   }
-  const binDir = path2.dirname(exeBinPath);
+  const binDir = path3.dirname(exeBinPath);
   let target;
   try {
     target = readlinkSync(exeBinPath);
@@ -419,8 +691,8 @@ function registerBinSymlinks(name) {
   }
   for (const suffix of ["", "-opencode"]) {
     const linkName = `${name}${suffix}`;
-    const linkPath = path2.join(binDir, linkName);
-    if (existsSync3(linkPath)) {
+    const linkPath = path3.join(binDir, linkName);
+    if (existsSync4(linkPath)) {
       skipped.push(linkName);
       continue;
     }
@@ -433,16 +705,17 @@ function registerBinSymlinks(name) {
   }
   return { created, skipped, errors };
 }
-var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, MULTI_INSTANCE_ROLES, IDENTITY_DIR;
+var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, MULTI_INSTANCE_ROLES, IDENTITY_DIR, TEAM_SECTION_RE;
 var init_employees = __esm({
   "src/lib/employees.ts"() {
     "use strict";
     init_config();
-    EMPLOYEES_PATH = path2.join(EXE_AI_DIR, "exe-employees.json");
+    EMPLOYEES_PATH = path3.join(EXE_AI_DIR, "exe-employees.json");
     DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
     COORDINATOR_ROLE = "COO";
     MULTI_INSTANCE_ROLES = /* @__PURE__ */ new Set(["principal engineer", "content production specialist", "staff code reviewer"]);
-    IDENTITY_DIR = path2.join(EXE_AI_DIR, "identity");
+    IDENTITY_DIR = path3.join(EXE_AI_DIR, "identity");
+    TEAM_SECTION_RE = /^## Team\b.*$/m;
   }
 });
 
@@ -503,7 +776,7 @@ var init_db_retry = __esm({
 
 // src/lib/database-adapter.ts
 import os3 from "os";
-import path3 from "path";
+import path4 from "path";
 import { createRequire } from "module";
 import { pathToFileURL } from "url";
 function quotedIdentifier(identifier) {
@@ -814,8 +1087,8 @@ async function loadPrismaClient() {
         }
         return new PrismaClient2();
       }
-      const exeDbRoot = process.env.EXE_DB_ROOT ?? path3.join(os3.homedir(), "exe-db");
-      const requireFromExeDb = createRequire(path3.join(exeDbRoot, "package.json"));
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path4.join(os3.homedir(), "exe-db");
+      const requireFromExeDb = createRequire(path4.join(exeDbRoot, "package.json"));
       const prismaEntry = requireFromExeDb.resolve("@prisma/client");
       const module = await import(pathToFileURL(prismaEntry).href);
       const PrismaClient = module.PrismaClient ?? module.default?.PrismaClient;
@@ -1096,8 +1369,8 @@ var init_memory = __esm({
 
 // src/lib/daemon-auth.ts
 import crypto from "crypto";
-import path4 from "path";
-import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import path5 from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
 function normalizeToken(token) {
   if (!token) return null;
   const trimmed = token.trim();
@@ -1105,8 +1378,8 @@ function normalizeToken(token) {
 }
 function readDaemonToken() {
   try {
-    if (!existsSync4(DAEMON_TOKEN_PATH)) return null;
-    return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
+    if (!existsSync5(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync4(DAEMON_TOKEN_PATH, "utf8"));
   } catch {
     return null;
   }
@@ -1116,7 +1389,7 @@ function ensureDaemonToken(seed) {
   if (existing) return existing;
   const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
   ensurePrivateDirSync(EXE_AI_DIR);
-  writeFileSync2(DAEMON_TOKEN_PATH, `${token}
+  writeFileSync3(DAEMON_TOKEN_PATH, `${token}
 `, "utf8");
   enforcePrivateFileSync(DAEMON_TOKEN_PATH);
   return token;
@@ -1127,7 +1400,7 @@ var init_daemon_auth = __esm({
     "use strict";
     init_config();
     init_secure_files();
-    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
+    DAEMON_TOKEN_PATH = path5.join(EXE_AI_DIR, "exed.token");
   }
 });
 
@@ -1136,8 +1409,8 @@ import net from "net";
 import os4 from "os";
 import { spawn, execSync as execSync2 } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync5, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
-import path5 from "path";
+import { existsSync as existsSync6, unlinkSync as unlinkSync2, readFileSync as readFileSync5, openSync, closeSync, statSync } from "fs";
+import path6 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
@@ -1173,9 +1446,9 @@ function isZombie(pid) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync5(PID_PATH)) {
+  if (existsSync6(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync5(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -1200,11 +1473,11 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path5.dirname(fileURLToPath(import.meta.url));
-  const { root } = path5.parse(dir);
+  let dir = path6.dirname(fileURLToPath(import.meta.url));
+  const { root } = path6.parse(dir);
   while (dir !== root) {
-    if (existsSync5(path5.join(dir, "package.json"))) return dir;
-    dir = path5.dirname(dir);
+    if (existsSync6(path6.join(dir, "package.json"))) return dir;
+    dir = path6.dirname(dir);
   }
   return null;
 }
@@ -1222,8 +1495,8 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync5(daemonPath)) {
+  const daemonPath = path6.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync6(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
@@ -1232,7 +1505,7 @@ function spawnDaemon() {
   const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path6.join(path6.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -1397,9 +1670,9 @@ function killAndRespawnDaemon() {
   }
   try {
     process.stderr.write("[exed-client] Killing daemon for restart...\n");
-    if (existsSync5(PID_PATH)) {
+    if (existsSync6(PID_PATH)) {
       try {
-        const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
+        const pid = parseInt(readFileSync5(PID_PATH, "utf8").trim(), 10);
         if (pid > 0) {
           try {
             process.kill(pid, "SIGKILL");
@@ -1525,9 +1798,9 @@ var init_exe_daemon_client = __esm({
     "use strict";
     init_config();
     init_daemon_auth();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path6.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path6.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path6.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
@@ -1760,7 +2033,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
-import { chmodSync as chmodSync2, existsSync as existsSync6, statSync as statSync2, copyFileSync, unlinkSync as unlinkSync3, openSync as openSync2, closeSync as closeSync2, mkdirSync as mkdirSync2 } from "fs";
+import { chmodSync as chmodSync2, existsSync as existsSync7, statSync as statSync2, copyFileSync, unlinkSync as unlinkSync3, openSync as openSync2, closeSync as closeSync2, mkdirSync as mkdirSync2 } from "fs";
 import { createClient } from "@libsql/client";
 import { homedir } from "os";
 import { join } from "path";
@@ -1813,11 +2086,11 @@ function releaseDbLock() {
 }
 async function initDatabase(config) {
   acquireDbLock();
-  if (existsSync6(config.dbPath)) {
+  if (existsSync7(config.dbPath)) {
     const dbStat = statSync2(config.dbPath);
     if (dbStat.size === 0) {
       const walPath = config.dbPath + "-wal";
-      if (existsSync6(walPath) && statSync2(walPath).size > 0) {
+      if (existsSync7(walPath) && statSync2(walPath).size > 0) {
         const backupPath = config.dbPath + ".zeroed-" + Date.now();
         copyFileSync(config.dbPath, backupPath);
         unlinkSync3(config.dbPath);
@@ -3336,6 +3609,22 @@ async function ensureSchema() {
   } catch (e) {
     logCatchDebug("migration", e);
   }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN visibility TEXT DEFAULT 'private'`,
+      args: []
+    });
+  } catch (e) {
+    logCatchDebug("migration", e);
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN strength REAL DEFAULT 1.0`,
+      args: []
+    });
+  } catch (e) {
+    logCatchDebug("migration", e);
+  }
 }
 async function disposeDatabase() {
   if (_walCheckpointTimer) {
@@ -3438,11 +3727,17 @@ var init_platform_procedures = __esm({
         content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
       },
       {
-        title: "Customer orchestration maturity \u2014 recommend, never trap",
+        title: "Orchestration phase guidance \u2014 recommend, never trap",
         domain: "workflow",
         priority: "p1",
         content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
       },
+      {
+        title: "Routing slot vs display title \u2014 internal 'coo' is plumbing, not your name",
+        domain: "identity",
+        priority: "p0",
+        content: "These procedures reference 'COO' as a shorthand for the coordinator role. This is an INTERNAL routing slot used by exe-os code (chain-of-command checks, dispatch logic, session detection). It is NOT your display title. Your actual title comes from your identity file's `title:` field \u2014 that is what you use externally: introductions, sign-offs, team comms, and any user-facing text. If your identity says `title: AI Chief of Staff`, you are the AI Chief of Staff. The routing slot stays `role: coo` for code compatibility \u2014 never rename it, but also never introduce yourself as 'COO' unless your identity file explicitly says so. The founder chose your title; respect it."
+      },
       {
         title: "Single dispatch path \u2014 create_task only",
         domain: "workflow",
@@ -3476,6 +3771,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "NEVER: (1) Access the database directly \u2014 it's SQLCipher encrypted, always fails. Use MCP tools only. (2) Manually spawn tmux sessions \u2014 create_task handles it. (3) Run git checkout main \u2014 agents work in worktrees. (4) Modify another agent's in-progress task. (5) Push to remote \u2014 the COO reviews and pushes. (6) Skip update_task(done) \u2014 it's the ONLY way your work gets reviewed. (7) Run git init."
       },
+      {
+        title: "Destructive operations \u2014 mandatory reviewer gate",
+        domain: "security",
+        priority: "p0",
+        content: "Before ANY destructive operation (delete, remove, overwrite, drop, reset, force-push, truncate), you MUST: (1) Have your full task spec accessible \u2014 if you cannot read it, STOP and report to your reviewer. Never improvise destructive actions. (2) Confirm with your reviewer (assigned_by or COO) before executing. (3) If the task spec explicitly authorizes the operation, proceed \u2014 but log it. Violation = immediate task failure. This applies to ALL agents regardless of role."
+      },
       {
         title: "Customer patch triage \u2014 upstream bug vs customization",
         domain: "support",
@@ -3760,15 +4061,15 @@ __export(keychain_exports, {
   setMasterKey: () => setMasterKey
 });
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync7, statSync as statSync3 } from "fs";
+import { existsSync as existsSync8, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
-import path6 from "path";
+import path7 from "path";
 import os5 from "os";
 function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path6.join(os5.homedir(), ".exe-os");
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path7.join(os5.homedir(), ".exe-os");
 }
 function getKeyPath() {
-  return path6.join(getKeyDir(), "master.key");
+  return path7.join(getKeyDir(), "master.key");
 }
 function nativeKeychainAllowed() {
   return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
@@ -3799,7 +4100,7 @@ function isRootOnlyTrustedServerKeyFile(keyPath) {
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    return Boolean(exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep));
   } catch {
     return false;
   }
@@ -3996,7 +4297,7 @@ async function getMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (!existsSync7(keyPath)) {
+  if (!existsSync8(keyPath)) {
     process.stderr.write(
       `[keychain] Key not found at ${keyPath} (HOME=${os5.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
 `
@@ -4104,7 +4405,7 @@ async function getKeyStorageInfo() {
     }
   }
   const keyPath = getKeyPath();
-  if (!existsSync7(keyPath)) {
+  if (!existsSync8(keyPath)) {
     return {
       kind: "missing",
       secure: false,
@@ -4200,7 +4501,7 @@ async function deleteMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (existsSync7(keyPath)) {
+  if (existsSync8(keyPath)) {
     await unlink(keyPath);
   }
 }
@@ -4323,14 +4624,14 @@ __export(shard_manager_exports, {
   listShards: () => listShards,
   shardExists: () => shardExists
 });
-import path7 from "path";
-import { existsSync as existsSync8, mkdirSync as mkdirSync3, readdirSync, renameSync as renameSync3, statSync as statSync4 } from "fs";
+import path8 from "path";
+import { existsSync as existsSync9, mkdirSync as mkdirSync3, readdirSync, renameSync as renameSync3, statSync as statSync4 } from "fs";
 import { createClient as createClient2 } from "@libsql/client";
 function initShardManager(encryptionKey) {
   _encryptionKey = encryptionKey;
   _keyValidated = false;
   _keyValidationPromise = null;
-  if (!existsSync8(SHARDS_DIR)) {
+  if (!existsSync9(SHARDS_DIR)) {
     mkdirSync3(SHARDS_DIR, { recursive: true });
   }
   const existingShards = readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db"));
@@ -4351,7 +4652,7 @@ async function validateEncryptionKey() {
     return true;
   }
   for (const shardFile of existingShards.slice(0, 3)) {
-    const dbPath = path7.join(SHARDS_DIR, shardFile);
+    const dbPath = path8.join(SHARDS_DIR, shardFile);
     const testClient = createClient2({ url: `file:${dbPath}`, encryptionKey: _encryptionKey });
     try {
       await testClient.execute("SELECT COUNT(*) FROM sqlite_schema");
@@ -4394,7 +4695,7 @@ function getShardClient(projectName) {
   while (_shards.size >= MAX_OPEN_SHARDS) {
     evictLRU();
   }
-  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
+  const dbPath = path8.join(SHARDS_DIR, `${safeName}.db`);
   const client = createClient2({
     url: `file:${dbPath}`,
     encryptionKey: _encryptionKey
@@ -4405,13 +4706,13 @@ function getShardClient(projectName) {
 }
 function shardExists(projectName) {
   const safeName = safeShardName(projectName);
-  return existsSync8(path7.join(SHARDS_DIR, `${safeName}.db`));
+  return existsSync9(path8.join(SHARDS_DIR, `${safeName}.db`));
 }
 function safeShardName(projectName) {
   return projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
 }
 function listShards() {
-  if (!existsSync8(SHARDS_DIR)) return [];
+  if (!existsSync9(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
 async function auditShardHealth(options = {}) {
@@ -4423,7 +4724,7 @@ async function auditShardHealth(options = {}) {
   const names = listShards();
   const shards = [];
   for (const name of names) {
-    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const dbPath = path8.join(SHARDS_DIR, `${name}.db`);
     const stat = statSync4(dbPath);
     const item = {
       name,
@@ -4458,7 +4759,7 @@ async function auditShardHealth(options = {}) {
         _shards.delete(name);
         _shardLastAccess.delete(name);
         const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        const archivedPath = path8.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
         renameSync3(dbPath, archivedPath);
         item.archivedPath = archivedPath;
       }
@@ -4686,11 +4987,11 @@ async function getReadyShardClient(projectName) {
     client.close();
     _shards.delete(safeName);
     _shardLastAccess.delete(safeName);
-    const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
-    if (existsSync8(dbPath)) {
+    const dbPath = path8.join(SHARDS_DIR, `${safeName}.db`);
+    if (existsSync9(dbPath)) {
       const stat = statSync4(dbPath);
       const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
+      const archivedPath = path8.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
       renameSync3(dbPath, archivedPath);
       process.stderr.write(
         `[shard-manager] Archived unreadable shard ${safeName}: ${archivedPath} (${stat.size} bytes, mtime ${stat.mtime.toISOString()})
@@ -4758,7 +5059,7 @@ var init_shard_manager = __esm({
   "src/lib/shard-manager.ts"() {
     "use strict";
     init_config();
-    SHARDS_DIR = path7.join(EXE_AI_DIR, "shards");
+    SHARDS_DIR = path8.join(EXE_AI_DIR, "shards");
     SHARD_IDLE_MS = 5 * 60 * 1e3;
     MAX_OPEN_SHARDS = 10;
     EVICTION_INTERVAL_MS = 60 * 1e3;
@@ -4887,13 +5188,13 @@ __export(session_registry_exports, {
   refreshSessionProject: () => refreshSessionProject,
   registerSession: () => registerSession
 });
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4, existsSync as existsSync9 } from "fs";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4, existsSync as existsSync10 } from "fs";
 import { execSync as execSync4 } from "child_process";
-import path8 from "path";
+import path9 from "path";
 import os6 from "os";
 function registerSession(entry) {
-  const dir = path8.dirname(REGISTRY_PATH);
-  if (!existsSync9(dir)) {
+  const dir = path9.dirname(REGISTRY_PATH);
+  if (!existsSync10(dir)) {
     mkdirSync4(dir, { recursive: true });
   }
   const sessions = listSessions();
@@ -4903,7 +5204,7 @@ function registerSession(entry) {
   } else {
     sessions.push(entry);
   }
-  writeFileSync3(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
+  writeFileSync4(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
 }
 function refreshSessionProject(windowName, projectDir) {
   const sessions = listSessions();
@@ -4911,13 +5212,13 @@ function refreshSessionProject(windowName, projectDir) {
   if (!entry || entry.projectDir === projectDir) return;
   entry.projectDir = projectDir;
   try {
-    writeFileSync3(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
+    writeFileSync4(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
   } catch {
   }
 }
 function listSessions() {
   try {
-    const raw = readFileSync5(REGISTRY_PATH, "utf8");
+    const raw = readFileSync6(REGISTRY_PATH, "utf8");
     return JSON.parse(raw);
   } catch {
     return [];
@@ -4938,7 +5239,7 @@ function pruneStaleSessions() {
   const alive = sessions.filter((s) => liveSet.has(s.windowName));
   const pruned = sessions.length - alive.length;
   if (pruned > 0) {
-    writeFileSync3(REGISTRY_PATH, JSON.stringify(alive, null, 2));
+    writeFileSync4(REGISTRY_PATH, JSON.stringify(alive, null, 2));
   }
   return pruned;
 }
@@ -4946,7 +5247,7 @@ var REGISTRY_PATH;
 var init_session_registry = __esm({
   "src/lib/session-registry.ts"() {
     "use strict";
-    REGISTRY_PATH = path8.join(os6.homedir(), ".exe-os", "session-registry.json");
+    REGISTRY_PATH = path9.join(os6.homedir(), ".exe-os", "session-registry.json");
   }
 });
 
@@ -5208,68 +5509,6 @@ var init_provider_table = __esm({
   }
 });
 
-// src/lib/runtime-table.ts
-var RUNTIME_TABLE, DEFAULT_RUNTIME;
-var init_runtime_table = __esm({
-  "src/lib/runtime-table.ts"() {
-    "use strict";
-    RUNTIME_TABLE = {
-      codex: {
-        binary: "codex",
-        launchMode: "interactive",
-        autoApproveFlag: "--dangerously-bypass-approvals-and-sandbox",
-        inlineFlag: "--no-alt-screen",
-        apiKeyEnv: "OPENAI_API_KEY",
-        defaultModel: "gpt-5.5"
-      },
-      opencode: {
-        binary: "opencode",
-        launchMode: "exec",
-        autoApproveFlag: "--dangerously-skip-permissions",
-        inlineFlag: "",
-        apiKeyEnv: "ANTHROPIC_API_KEY",
-        defaultModel: "anthropic/claude-sonnet-4-6"
-      }
-    };
-    DEFAULT_RUNTIME = "claude";
-  }
-});
-
-// src/lib/agent-config.ts
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, existsSync as existsSync10 } from "fs";
-import path9 from "path";
-function loadAgentConfig() {
-  if (!existsSync10(AGENT_CONFIG_PATH)) return {};
-  try {
-    return JSON.parse(readFileSync6(AGENT_CONFIG_PATH, "utf-8"));
-  } catch {
-    return {};
-  }
-}
-function getAgentRuntime(agentId) {
-  const config = loadAgentConfig();
-  const entry = config[agentId];
-  if (entry) return entry;
-  const orgDefault = config["default"];
-  if (orgDefault) return orgDefault;
-  return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
-}
-var AGENT_CONFIG_PATH, DEFAULT_MODELS;
-var init_agent_config = __esm({
-  "src/lib/agent-config.ts"() {
-    "use strict";
-    init_config();
-    init_runtime_table();
-    init_secure_files();
-    AGENT_CONFIG_PATH = path9.join(EXE_AI_DIR, "agent-config.json");
-    DEFAULT_MODELS = {
-      claude: "claude-opus-4.6",
-      codex: RUNTIME_TABLE.codex?.defaultModel ?? "gpt-5.4",
-      opencode: RUNTIME_TABLE.opencode?.defaultModel ?? "anthropic/claude-sonnet-4-6"
-    };
-  }
-});
-
 // src/lib/intercom-queue.ts
 var intercom_queue_exports = {};
 __export(intercom_queue_exports, {
@@ -5764,7 +6003,7 @@ async function assertVpsLicense(opts) {
   }
   if (!transientFailure) {
     throw new Error(
-      "License validation failed: unknown backend state. Restore network connectivity to https://askexe.com/cloud and retry."
+      "License validation failed: unknown backend state. Restore network connectivity to https://cloud.askexe.com and retry."
     );
   }
   const fresh = await getCachedLicense();
@@ -5801,7 +6040,7 @@ async function assertVpsLicense(opts) {
   } catch {
   }
   throw new Error(
-    `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://askexe.com/cloud and retry. This VPS image refuses to boot after the offline grace window.`
+    `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://cloud.askexe.com and retry. This VPS image refuses to boot after the offline grace window.`
   );
 }
 function startLicenseRevalidation(intervalMs = 36e5) {
@@ -5833,7 +6072,7 @@ var init_license = __esm({
     LICENSE_PATH = path11.join(EXE_AI_DIR, "license.key");
     CACHE_PATH = path11.join(EXE_AI_DIR, "license-cache.json");
     DEVICE_ID_PATH = path11.join(EXE_AI_DIR, "device-id");
-    API_BASE = process.env.EXE_CLOUD_ENDPOINT ?? "https://askexe.com/cloud";
+    API_BASE = process.env.EXE_CLOUD_ENDPOINT ?? "https://cloud.askexe.com";
     RETRY_DELAY_MS = 500;
     LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
@@ -6490,6 +6729,19 @@ async function resolveTask(client, identifier, scopeSession) {
     args: [identifier, ...scope.args]
   });
   if (result.rows.length === 1) return result.rows[0];
+  if (/^[a-f0-9]{7,12}$/i.test(identifier)) {
+    result = await client.execute({
+      sql: `SELECT * FROM tasks WHERE id LIKE ?`,
+      args: [`${identifier}%`]
+    });
+    if (result.rows.length === 1) return result.rows[0];
+    if (result.rows.length > 1) {
+      const matches = result.rows.map((r) => `${String(r.id)} "${String(r.title)}" (${String(r.status)})`).join(", ");
+      throw new Error(
+        `Multiple tasks match short-ID "${identifier}": ${matches}. Use a longer prefix to disambiguate.`
+      );
+    }
+  }
   result = await client.execute({
     sql: `SELECT * FROM tasks WHERE task_file LIKE ?${scope.sql}`,
     args: [`%${identifier}%`, ...scope.args]
@@ -7344,12 +7596,13 @@ async function cascadeUnblock(taskId, baseDir, now) {
           WHERE blocked_by = ? AND status = 'blocked'`,
     args: [now, taskId]
   });
-  if (baseDir && unblocked.rowsAffected > 0) {
-    const ubScope = sessionScopeFilter();
-    const unblockedRows = await client.execute({
-      sql: `SELECT task_file FROM tasks WHERE blocked_by IS NULL AND updated_at = ?${ubScope.sql}`,
-      args: [now, ...ubScope.args]
-    });
+  if (unblocked.rowsAffected === 0) return;
+  const ubScope = sessionScopeFilter();
+  const unblockedRows = await client.execute({
+    sql: `SELECT id, title, assigned_to, priority, task_file FROM tasks WHERE blocked_by IS NULL AND updated_at = ?${ubScope.sql}`,
+    args: [now, ...ubScope.args]
+  });
+  if (baseDir) {
     for (const ur of unblockedRows.rows) {
       try {
         const ubFile = path18.join(baseDir, String(ur.task_file));
@@ -7361,6 +7614,19 @@ async function cascadeUnblock(taskId, baseDir, now) {
       }
     }
   }
+  if (unblockedRows.rows.length > 0 && !process.env.VITEST) {
+    try {
+      const { queueIntercom: queueIntercom2 } = await Promise.resolve().then(() => (init_intercom_queue(), intercom_queue_exports));
+      const dispatched = /* @__PURE__ */ new Set();
+      for (const ur of unblockedRows.rows) {
+        const assignee = String(ur.assigned_to);
+        if (dispatched.has(assignee)) continue;
+        dispatched.add(assignee);
+        queueIntercom2(`${assignee}`, `unblocked: "${String(ur.title)}" is now ready`);
+      }
+    } catch {
+    }
+  }
 }
 async function findNextTask(assignedTo) {
   const client = getClient();
@@ -7570,6 +7836,15 @@ var init_embedder = __esm({
 // src/lib/behaviors.ts
 import crypto5 from "crypto";
 async function storeBehavior(opts) {
+  try {
+    const { loadEmployeesSync: loadEmployeesSync2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
+    const roster = loadEmployeesSync2();
+    if (roster.length > 0 && !roster.some((e) => e.name === opts.agentId)) {
+      throw new Error(`Agent "${opts.agentId}" not found in roster. Cannot store behavior for unregistered agent.`);
+    }
+  } catch (e) {
+    if (e instanceof Error && e.message.includes("not found in roster")) throw e;
+  }
   const client = getClient();
   const id = crypto5.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -8023,6 +8298,12 @@ async function updateTask(input) {
       }
     }
   }
+  if (input.status === "cancelled") {
+    try {
+      await cascadeUnblock(taskId, input.baseDir, now);
+    } catch {
+    }
+  }
   if ((input.status === "done" || input.status === "closed") && !isCoordinatorName(String(row.assigned_to)) && !process.env.VITEST) {
     Promise.resolve().then(() => (init_skill_learning(), skill_learning_exports)).then(
       ({ captureAndLearn: captureAndLearn2 }) => captureAndLearn2({
@@ -8554,11 +8835,12 @@ function getDispatchedBy(sessionKey) {
   }
 }
 function resolveExeSession() {
+  if (process.env.EXE_SESSION_NAME) {
+    const fromEnv = extractRootExe(process.env.EXE_SESSION_NAME) ?? process.env.EXE_SESSION_NAME;
+    if (fromEnv) return fromEnv;
+  }
   const mySession = getMySession();
   if (!mySession) {
-    if (process.env.EXE_SESSION_NAME) {
-      return extractRootExe(process.env.EXE_SESSION_NAME) ?? process.env.EXE_SESSION_NAME;
-    }
     return null;
   }
   const fromSessionName = extractRootExe(mySession);
@@ -8573,6 +8855,10 @@ function resolveExeSession() {
           `[tmux-routing] WARN: cache says "${fromCache}" but session name says "${fromSessionName}". Trusting session name.
 `
         );
+        try {
+          registerParentExe(key, fromSessionName);
+        } catch {
+        }
         candidate = fromSessionName;
       } else {
         candidate = fromCache;
@@ -10261,6 +10547,27 @@ async function cloudSync(config) {
       if (stmts.length > 0) await client.batch(stmts, "write");
       pulled = pullResult.records.length;
     } else {
+      try {
+        const incomingIds = pullResult.records.map((r) => sqlSafe(r.id));
+        if (incomingIds.length > 0) {
+          const ph = incomingIds.map(() => "?").join(",");
+          const existing = await client.execute({
+            sql: `SELECT id, version, timestamp FROM memories WHERE id IN (${ph})`,
+            args: incomingIds
+          });
+          const localMap = new Map(existing.rows.map((r) => [String(r.id), r]));
+          for (const rec of pullResult.records) {
+            const local = localMap.get(String(rec.id));
+            if (local && Number(local.version) > 0 && Number(local.version) !== Number(rec.version ?? 0)) {
+              process.stderr.write(
+                `[cloud-sync] CONFLICT: memory ${String(rec.id).slice(0, 8)} \u2014 local v${local.version} vs remote v${rec.version ?? 0}. Remote wins (LWW).
+`
+              );
+            }
+          }
+        }
+      } catch {
+      }
       const stmts = pullResult.records.map((rec) => ({
         sql: `INSERT OR REPLACE INTO memories
               (id, agent_id, agent_role, session_id, timestamp,
@@ -11608,9 +11915,23 @@ var PROCEDURES_MARKER = "EXE OS \u2014 VISION AND NON-NEGOTIABLE PRINCIPLES";
 function getSessionPrompt(storedPrompt) {
   const markerIndex = storedPrompt.indexOf(PROCEDURES_MARKER);
   const withoutProcedures = markerIndex >= 0 ? storedPrompt.slice(0, markerIndex).trimEnd() : storedPrompt;
+  let titlePrefix = "";
+  const frontmatterMatch = withoutProcedures.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (frontmatterMatch) {
+    const titleMatch = frontmatterMatch[1].match(/^title:\s*(.+)$/m);
+    const roleMatch = frontmatterMatch[1].match(/^role:\s*(.+)$/m);
+    if (titleMatch) {
+      const title = titleMatch[1].trim();
+      const role = roleMatch ? roleMatch[1].trim() : "";
+      if (title && role && title.toLowerCase() !== role.toLowerCase()) {
+        titlePrefix = `## Your Identity
+You are **${title}** (specialist). `;
+      }
+    }
+  }
   const rolePrompt = withoutProcedures.replace(/^---\r?\n[\s\S]*?\r?\n---\r?\n?/, "").replace(/<!--[\s\S]*?-->/g, "").trimStart();
   const globalBlock = getGlobalProceduresBlock();
-  return `${globalBlock}${rolePrompt}
+  return `${globalBlock}${titlePrefix}${rolePrompt}
 ${BASE_OPERATING_PROCEDURES}`;
 }
 
@@ -11817,7 +12138,20 @@ function buildActionRequired(data) {
   const blockedTasks = data.globalTasks.filter((t) => t.status === "blocked");
   if (blockedTasks.length > 0) {
     hasIssues = true;
-    lines.push(`  \u{1F534} ${blockedTasks.length} blocked task${blockedTasks.length === 1 ? "" : "s"} \u2014 needs your decision`);
+    const ESCALATION_MS = 48 * 60 * 60 * 1e3;
+    const stale = blockedTasks.filter((t) => {
+      if (!t.updatedAt) return false;
+      return Date.now() - new Date(t.updatedAt).getTime() > ESCALATION_MS;
+    });
+    if (stale.length > 0) {
+      lines.push(`  \u{1F534} ESCALATION: ${stale.length} task${stale.length === 1 ? "" : "s"} blocked >48h:`);
+      for (const t of stale) {
+        const ageH = Math.round((Date.now() - new Date(t.updatedAt).getTime()) / 36e5);
+        lines.push(`    - "${t.title}" (${t.assignedTo}) \u2014 blocked ${ageH}h`);
+      }
+    } else {
+      lines.push(`  \u{1F534} ${blockedTasks.length} blocked task${blockedTasks.length === 1 ? "" : "s"} \u2014 needs your decision`);
+    }
   }
   if (data.flaggedIssues.length > 0) {
     hasIssues = true;