@askexenow/exe-os 0.9.113 → 0.9.115

package/dist/bin/cli.js

@@ -155,6 +155,17 @@ function normalizeOrchestration(raw) {
   const userOrg = raw.orchestration ?? {};
   raw.orchestration = { ...defaultOrg, ...userOrg };
 }
+function normalizeCloudEndpoint(raw) {
+  const cloud = raw.cloud;
+  if (!cloud?.endpoint) return;
+  const ep = String(cloud.endpoint);
+  if (ep === "https://askexe.com/cloud" || ep === "https://askexe.com/cloud/") {
+    cloud.endpoint = "https://cloud.askexe.com";
+    process.stderr.write(
+      "[config] Auto-migrated cloud endpoint: askexe.com/cloud \u2192 cloud.askexe.com\n"
+    );
+  }
+}
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   await ensurePrivateDir(dir);
@@ -180,6 +191,7 @@ async function loadConfig() {
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
     normalizeOrchestration(migratedCfg);
+    normalizeCloudEndpoint(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
@@ -208,6 +220,7 @@ function loadConfigSync() {
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
     normalizeOrchestration(migratedCfg);
+    normalizeCloudEndpoint(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
@@ -368,6 +381,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -396,6 +410,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -896,7 +917,7 @@ function readOrCreateDaemonToken(homeDir = os5.homedir()) {
 function buildMcpHttpHeaders(homeDir = os5.homedir(), opts = {}) {
   const agentId = opts.useShellPlaceholders ? "${AGENT_ID:-exe}" : opts.agentId ?? DEFAULT_MCP_HTTP_AGENT_ID;
   const agentRole = opts.useShellPlaceholders ? "${AGENT_ROLE:-COO}" : opts.agentRole ?? DEFAULT_MCP_HTTP_AGENT_ROLE;
-  const sessionName = opts.useShellPlaceholders ? "$(tmux display-message -p '#{session_name}' 2>/dev/null || echo '')" : process.env.EXE_SESSION_NAME ?? "";
+  const sessionName = opts.useShellPlaceholders ? "" : process.env.EXE_SESSION_NAME ?? "";
   const headers = {
     Authorization: `Bearer ${readOrCreateDaemonToken(homeDir)}`,
     "X-Agent-Id": agentId,
@@ -2555,7 +2576,7 @@ __export(keychain_exports, {
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
-import { readFile as readFile4, writeFile as writeFile4, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile4, writeFile as writeFile4, unlink, mkdir as mkdir4, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync10, statSync } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path9 from "path";
@@ -2590,12 +2611,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os8.userInfo().uid === "number" ? os8.userInfo().uid : -1;
     const st = statSync(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os8.userInfo().uid === "number" ? os8.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path9.resolve(keyPath).startsWith(path9.resolve(exeOsDir) + path9.sep));
+    if (exeOsDir && path9.resolve(keyPath).startsWith(path9.resolve(exeOsDir) + path9.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -2745,15 +2768,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir4(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile4(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync10(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile4(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile4(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -2820,7 +2853,7 @@ async function getMasterKey() {
       b64Value = content;
     }
     const key = Buffer.from(b64Value, "base64");
-    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+    if (isRootOnlyTrustedServerKeyFile(keyPath)) {
       return key;
     }
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
@@ -6999,6 +7032,7 @@ __export(cloud_sync_exports, {
   markCloudReuploadRequired: () => markCloudReuploadRequired,
   mergeConfig: () => mergeConfig,
   mergeRosterFromRemote: () => mergeRosterFromRemote,
+  migrateEndpoint: () => migrateEndpoint,
   pushToPostgres: () => pushToPostgres,
   recordRosterDeletion: () => recordRosterDeletion
 });
@@ -7169,6 +7203,15 @@ async function fetchWithRetry(url, init) {
   }
   throw lastError;
 }
+function migrateEndpoint(endpoint) {
+  if (endpoint === "https://askexe.com/cloud" || endpoint === "https://askexe.com/cloud/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from askexe.com/cloud to cloud.askexe.com (bypasses Cloudflare WAF for datacenter IPs)\n"
+    );
+    return "https://cloud.askexe.com";
+  }
+  return endpoint;
+}
 function assertSecureEndpoint(endpoint) {
   if (endpoint.startsWith("https://")) return;
   if (endpoint.startsWith("http://")) {
@@ -7306,6 +7349,7 @@ async function markCloudReuploadRequired(client = getClient()) {
   await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
 }
 async function cloudSync(config) {
+  config = { ...config, endpoint: migrateEndpoint(config.endpoint) };
   if (!isSyncCryptoInitialized()) {
     try {
       const { getMasterKey: getMasterKey2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));
@@ -13929,6 +13973,7 @@ var init_provider_table = __esm({
 // src/lib/intercom-queue.ts
 var intercom_queue_exports = {};
 __export(intercom_queue_exports, {
+  _resetDrainGuard: () => _resetDrainGuard,
   clearQueueForAgent: () => clearQueueForAgent,
   drainForSession: () => drainForSession,
   drainQueue: () => drainQueue,
@@ -13974,38 +14019,47 @@ function queueIntercom(targetSession, reason) {
   writeQueue(queue);
 }
 function drainQueue(isSessionBusy2, sendKeys) {
+  if (_draining) {
+    logQueue("SKIP_DRAIN \u2014 previous drain still running (possible tmux hang)");
+    return { drained: 0, failed: 0 };
+  }
   const queue = readQueue();
   if (queue.length === 0) return { drained: 0, failed: 0 };
+  _draining = true;
   const remaining = [];
   let drained = 0;
   let failed = 0;
-  for (const item of queue) {
-    const age = Date.now() - new Date(item.queuedAt).getTime();
-    if (age > TTL_MS) {
-      logQueue(`EXPIRED \u2192 ${item.targetSession} (${Math.round(age / 6e4)}min old, reason: ${item.reason})`);
-      failed++;
-      continue;
-    }
-    try {
-      if (!isSessionBusy2(item.targetSession)) {
-        const success = sendKeys(item.targetSession);
-        if (success) {
-          logQueue(`DRAINED \u2192 ${item.targetSession} (after ${item.attempts} retries)`);
-          drained++;
-          continue;
+  try {
+    for (const item of queue) {
+      const age = Date.now() - new Date(item.queuedAt).getTime();
+      if (age > TTL_MS) {
+        logQueue(`EXPIRED \u2192 ${item.targetSession} (${Math.round(age / 6e4)}min old, reason: ${item.reason})`);
+        failed++;
+        continue;
+      }
+      try {
+        if (!isSessionBusy2(item.targetSession)) {
+          const success = sendKeys(item.targetSession);
+          if (success) {
+            logQueue(`DRAINED \u2192 ${item.targetSession} (after ${item.attempts} retries)`);
+            drained++;
+            continue;
+          }
         }
+      } catch {
       }
-    } catch {
-    }
-    item.attempts++;
-    if (item.attempts >= MAX_RETRIES2) {
-      logQueue(`FAILED \u2192 ${item.targetSession} (${MAX_RETRIES2} retries exhausted, reason: ${item.reason})`);
-      failed++;
-      continue;
+      item.attempts++;
+      if (item.attempts >= MAX_RETRIES2) {
+        logQueue(`FAILED \u2192 ${item.targetSession} (${MAX_RETRIES2} retries exhausted, reason: ${item.reason})`);
+        failed++;
+        continue;
+      }
+      remaining.push(item);
     }
-    remaining.push(item);
+    writeQueue(remaining);
+  } finally {
+    _draining = false;
   }
-  writeQueue(remaining);
   return { drained, failed };
 }
 function drainForSession(targetSession, sendKeys) {
@@ -14030,6 +14084,9 @@ function clearQueueForAgent(agentName) {
     logQueue(`CLEARED ${before - filtered.length} stale item(s) for ${agentName}`);
   }
 }
+function _resetDrainGuard() {
+  _draining = false;
+}
 function logQueue(msg) {
   const line = `[${(/* @__PURE__ */ new Date()).toISOString()}] [queue] ${msg}
 `;
@@ -14041,13 +14098,14 @@ function logQueue(msg) {
   } catch {
   }
 }
-var QUEUE_PATH, MAX_RETRIES2, TTL_MS, INTERCOM_LOG;
+var QUEUE_PATH, MAX_RETRIES2, TTL_MS, _draining, INTERCOM_LOG;
 var init_intercom_queue = __esm({
   "src/lib/intercom-queue.ts"() {
     "use strict";
     QUEUE_PATH = path26.join(os15.homedir(), ".exe-os", "intercom-queue.json");
     MAX_RETRIES2 = 5;
     TTL_MS = 60 * 60 * 1e3;
+    _draining = false;
     INTERCOM_LOG = path26.join(os15.homedir(), ".exe-os", "intercom.log");
   }
 });
@@ -14170,6 +14228,17 @@ var init_task_scope = __esm({
 });
 
 // src/lib/notifications.ts
+var notifications_exports = {};
+__export(notifications_exports, {
+  cleanupOldNotifications: () => cleanupOldNotifications,
+  formatNotifications: () => formatNotifications,
+  markAsRead: () => markAsRead,
+  markAsReadByTaskFile: () => markAsReadByTaskFile,
+  markDoneTaskNotificationsAsRead: () => markDoneTaskNotificationsAsRead,
+  migrateJsonNotifications: () => migrateJsonNotifications,
+  readUnreadNotifications: () => readUnreadNotifications,
+  writeNotification: () => writeNotification
+});
 import crypto7 from "crypto";
 import path28 from "path";
 import os16 from "os";
@@ -14206,6 +14275,52 @@ async function writeNotification(notification) {
 `);
   }
 }
+async function readUnreadNotifications(agentFilter, sessionScope) {
+  try {
+    const client = getClient();
+    const conditions = ["read = 0"];
+    const args2 = [];
+    const scope = strictSessionScopeFilter(sessionScope);
+    if (agentFilter) {
+      conditions.push("agent_id = ?");
+      args2.push(agentFilter);
+    }
+    const result = await client.execute({
+      sql: `SELECT id, agent_id, agent_role, event, project, summary, task_file, session_scope, created_at
+            FROM notifications
+            WHERE ${conditions.join(" AND ")}${scope.sql}
+            ORDER BY created_at ASC`,
+      args: [...args2, ...scope.args]
+    });
+    return result.rows.map((r) => ({
+      id: String(r.id),
+      agentId: String(r.agent_id),
+      agentRole: String(r.agent_role),
+      event: String(r.event),
+      project: String(r.project),
+      summary: String(r.summary),
+      taskFile: r.task_file ? String(r.task_file) : void 0,
+      sessionScope: r.session_scope == null ? null : String(r.session_scope),
+      timestamp: String(r.created_at),
+      read: false
+    }));
+  } catch {
+    return [];
+  }
+}
+async function markAsRead(ids, sessionScope) {
+  if (ids.length === 0) return;
+  try {
+    const client = getClient();
+    const placeholders = ids.map(() => "?").join(", ");
+    const scope = strictSessionScopeFilter(sessionScope);
+    await client.execute({
+      sql: `UPDATE notifications SET read = 1 WHERE id IN (${placeholders})${scope.sql}`,
+      args: [...ids, ...scope.args]
+    });
+  } catch {
+  }
+}
 async function markAsReadByTaskFile(taskFile, sessionScope) {
   try {
     const client = getClient();
@@ -14218,11 +14333,144 @@ async function markAsReadByTaskFile(taskFile, sessionScope) {
   } catch {
   }
 }
+async function cleanupOldNotifications(daysOld = CLEANUP_DAYS, sessionScope) {
+  try {
+    const client = getClient();
+    const cutoff = new Date(
+      Date.now() - daysOld * 24 * 60 * 60 * 1e3
+    ).toISOString();
+    const scope = strictSessionScopeFilter(sessionScope);
+    const result = await client.execute({
+      sql: `DELETE FROM notifications WHERE created_at < ?${scope.sql}`,
+      args: [cutoff, ...scope.args]
+    });
+    return result.rowsAffected;
+  } catch {
+    return 0;
+  }
+}
+async function markDoneTaskNotificationsAsRead(sessionScope) {
+  try {
+    const client = getClient();
+    const scope = strictSessionScopeFilter(sessionScope);
+    const result = await client.execute({
+      sql: `UPDATE notifications SET read = 1
+            WHERE read = 0
+              AND task_file IS NOT NULL
+              ${scope.sql}
+              AND task_file IN (
+                SELECT task_file FROM tasks WHERE status = 'done'${scope.sql}
+              )`,
+      args: [...scope.args, ...scope.args]
+    });
+    return result.rowsAffected;
+  } catch {
+    return 0;
+  }
+}
+function formatNotifications(notifications) {
+  if (notifications.length === 0) return "";
+  const grouped = /* @__PURE__ */ new Map();
+  for (const n of notifications) {
+    const key = `${n.agentId}|${n.agentRole}`;
+    if (!grouped.has(key)) grouped.set(key, []);
+    grouped.get(key).push(n);
+  }
+  const lines = [];
+  lines.push(`## Notifications (${notifications.length} unread)
+`);
+  for (const [key, items] of grouped) {
+    const [agentId, agentRole] = key.split("|");
+    lines.push(`**${agentId}** (${agentRole}):`);
+    for (const item of items) {
+      const ago = formatTimeAgo(item.timestamp);
+      const icon = eventIcon(item.event);
+      lines.push(`- ${icon} ${item.summary} (${item.project}) \u2014 ${ago}`);
+    }
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+async function migrateJsonNotifications() {
+  const base = process.env.EXE_OS_DIR || process.env.EXE_MEM_DIR || path28.join(os16.homedir(), ".exe-os");
+  const notifDir = path28.join(base, "notifications");
+  if (!existsSync26(notifDir)) return 0;
+  let migrated = 0;
+  try {
+    const files = readdirSync5(notifDir).filter((f) => f.endsWith(".json"));
+    if (files.length === 0) return 0;
+    const client = getClient();
+    for (const file of files) {
+      try {
+        const filePath = path28.join(notifDir, file);
+        const data = JSON.parse(readFileSync21(filePath, "utf8"));
+        await client.execute({
+          sql: `INSERT OR IGNORE INTO notifications (id, agent_id, agent_role, event, project, summary, task_file, session_scope, read, created_at)
+                VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+          args: [
+            crypto7.randomUUID(),
+            data.agentId ?? "unknown",
+            data.agentRole ?? "unknown",
+            data.event ?? "session_summary",
+            data.project ?? "unknown",
+            data.summary ?? "",
+            data.taskFile ?? null,
+            null,
+            data.read ? 1 : 0,
+            data.timestamp ?? (/* @__PURE__ */ new Date()).toISOString()
+          ]
+        });
+        unlinkSync9(filePath);
+        migrated++;
+      } catch {
+      }
+    }
+    try {
+      const remaining = readdirSync5(notifDir);
+      if (remaining.length === 0) {
+        rmdirSync(notifDir);
+      }
+    } catch {
+    }
+  } catch {
+  }
+  return migrated;
+}
+function eventIcon(event) {
+  switch (event) {
+    case "task_complete":
+      return "Completed:";
+    case "task_needs_fix":
+      return "Needs fix:";
+    case "session_summary":
+      return "Session:";
+    case "error_spike":
+      return "Errors:";
+    case "orphan_task":
+      return "Orphan:";
+    case "subtasks_complete":
+      return "Subtasks done:";
+    case "capacity_relaunch":
+      return "Relaunched:";
+  }
+}
+function formatTimeAgo(timestamp) {
+  const diffMs = Date.now() - new Date(timestamp).getTime();
+  const mins = Math.floor(diffMs / 6e4);
+  if (mins < 1) return "just now";
+  if (mins < 60) return `${mins}m ago`;
+  const hours = Math.floor(mins / 60);
+  if (hours < 24) return `${hours}h ago`;
+  const days = Math.floor(hours / 24);
+  return `${days}d ago`;
+}
+var CLEANUP_DAYS;
 var init_notifications = __esm({
   "src/lib/notifications.ts"() {
     "use strict";
     init_database();
     init_task_scope();
+    CLEANUP_DAYS = 7;
   }
 });
 
@@ -15229,7 +15477,13 @@ async function createReviewForCompletedTask(row, result, _baseDir, now2) {
     taskFile
   });
   const originalPriority = String(row.priority).toLowerCase();
-  const autoApprove = originalPriority === "p2" && result?.toLowerCase().includes("tests pass");
+  const resultLower = result?.toLowerCase() ?? "";
+  const hasTestEvidence = (
+    // Vitest/Jest output patterns (hard to fake without actually running tests)
+    /\d+\s+pass(ed|ing)/.test(resultLower) || /test files?\s+\d+\s+passed/.test(resultLower) || /tests?\s+\d+\s+passed/.test(resultLower)
+  );
+  const hasNoFailures = !/fail(ed|ure|ing)|error/i.test(resultLower);
+  const autoApprove = originalPriority === "p2" && hasTestEvidence && hasNoFailures;
   if (!autoApprove) {
     try {
       const key = getSessionKey();
@@ -15237,6 +15491,13 @@ async function createReviewForCompletedTask(row, result, _baseDir, now2) {
       if (exeSession) {
         sendIntercom(exeSession);
       }
+      if (reviewer && reviewer !== coordinatorName && reviewer !== exeSession) {
+        const { employeeSessionName: employeeSessionName2 } = await Promise.resolve().then(() => (init_tmux_routing(), tmux_routing_exports));
+        if (exeSession) {
+          const reviewerSession = employeeSessionName2(reviewer, exeSession);
+          sendIntercom(reviewerSession);
+        }
+      }
     } catch {
     }
   }
@@ -16012,6 +16273,20 @@ async function updateTask(input) {
       notifyTaskDone();
     }
     await markTaskNotificationsRead(taskFile);
+    if (input.status === "needs_review" && !isCoordinator) {
+      try {
+        const { writeNotification: writeNotification2 } = await Promise.resolve().then(() => (init_notifications(), notifications_exports));
+        await writeNotification2({
+          agentId: String(row.assigned_to),
+          agentRole: String(row.assigned_to),
+          event: "task_complete",
+          project: String(row.project_name),
+          summary: `"${String(row.title)}" is ready for review`,
+          taskFile
+        });
+      } catch {
+      }
+    }
     if (input.status === "done" || input.status === "closed") {
       try {
         await cascadeUnblock(taskId, input.baseDir, now2);
@@ -16444,18 +16719,31 @@ function acquireSpawnLock2(sessionName) {
     mkdirSync21(SPAWN_LOCK_DIR, { recursive: true });
   }
   const lockFile = spawnLockPath(sessionName);
-  if (existsSync29(lockFile)) {
-    try {
-      const lock = JSON.parse(readFileSync23(lockFile, "utf8"));
-      const age = Date.now() - lock.timestamp;
-      if (isProcessAlive(lock.pid) && age < 6e4) {
-        return false;
-      }
-    } catch {
+  const lockData = JSON.stringify({ pid: process.pid, timestamp: Date.now() });
+  const { openSync: openSync5, closeSync: closeSync5, writeSync } = __require("fs");
+  const { constants: constants3 } = __require("fs");
+  try {
+    const fd = openSync5(lockFile, constants3.O_WRONLY | constants3.O_CREAT | constants3.O_EXCL, 420);
+    writeSync(fd, lockData);
+    closeSync5(fd);
+    return true;
+  } catch (err) {
+    if (err?.code !== "EEXIST") {
+      return true;
     }
   }
-  writeFileSync20(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
-  return true;
+  try {
+    const lock = JSON.parse(readFileSync23(lockFile, "utf8"));
+    const age = Date.now() - lock.timestamp;
+    if (isProcessAlive(lock.pid) && age < 6e4) {
+      return false;
+    }
+    writeFileSync20(lockFile, lockData);
+    return true;
+  } catch {
+    writeFileSync20(lockFile, lockData);
+    return true;
+  }
 }
 function releaseSpawnLock2(sessionName) {
   try {
@@ -16534,6 +16822,21 @@ function parseParentExe(sessionName, agentId) {
 function extractRootExe(name) {
   if (!name) return null;
   if (!name.includes("-")) return name;
+  try {
+    const roster = (init_employees(), __toCommonJS(employees_exports)).loadEmployeesSync();
+    if (roster.length > 0) {
+      const sortedNames = roster.map((e) => e.name).sort((a, b) => b.length - a.length);
+      for (const agentName of sortedNames) {
+        const escaped = agentName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        const regex = new RegExp(`^${escaped}\\d*-(.+)$`);
+        const match = name.match(regex);
+        if (match) {
+          return extractRootExe(match[1]);
+        }
+      }
+    }
+  } catch {
+  }
   const parts = name.split("-").filter(Boolean);
   return parts.length > 0 ? parts[parts.length - 1] : null;
 }
@@ -16552,6 +16855,10 @@ function registerParentExe(sessionKey, parentExe, dispatchedBy) {
 function getParentExe(sessionKey) {
   try {
     const data = JSON.parse(readFileSync23(path34.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
+    if (data.registeredAt) {
+      const age = Date.now() - new Date(data.registeredAt).getTime();
+      if (age > PARENT_EXE_CACHE_TTL_MS) return null;
+    }
     return data.parentExe || null;
   } catch {
     return null;
@@ -17100,7 +17407,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     sessionContextFlag = ` --append-system-prompt-file ${ctxFile}`;
   } catch {
   }
-  let envPrefix = `EXE_SESSION=${exeSession} EXE_SESSION_NAME=${sessionName}`;
+  let envPrefix = `EXE_SESSION=${exeSession} EXE_SESSION_NAME=${sessionName} EXE_SESSION_START_ISO=${(/* @__PURE__ */ new Date()).toISOString()}`;
   if (ccProvider !== DEFAULT_PROVIDER) {
     const cfg = PROVIDER_TABLE[ccProvider];
     if (cfg?.apiKeyEnv) {
@@ -17135,10 +17442,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }
@@ -17239,7 +17544,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   releaseSpawnLock2(sessionName);
   return { sessionName };
 }
-var SPAWN_LOCK_DIR, SESSION_CACHE, BEHAVIORS_EXPORT_TIMEOUT_MS, VALID_SESSION_NAME, VERIFY_PANE_LINES, INTERCOM_DEBOUNCE_MS, CODEX_DEBOUNCE_MS, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS, BUSY_PATTERN;
+var SPAWN_LOCK_DIR, SESSION_CACHE, BEHAVIORS_EXPORT_TIMEOUT_MS, VALID_SESSION_NAME, PARENT_EXE_CACHE_TTL_MS, VERIFY_PANE_LINES, INTERCOM_DEBOUNCE_MS, CODEX_DEBOUNCE_MS, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS, BUSY_PATTERN;
 var init_tmux_routing = __esm({
   "src/lib/tmux-routing.ts"() {
     "use strict";
@@ -17259,6 +17564,7 @@ var init_tmux_routing = __esm({
     SESSION_CACHE = path34.join(os18.homedir(), ".exe-os", "session-cache");
     BEHAVIORS_EXPORT_TIMEOUT_MS = 1e4;
     VALID_SESSION_NAME = /^[a-z]+\d*-[a-zA-Z0-9_]+$/;
+    PARENT_EXE_CACHE_TTL_MS = 4 * 60 * 60 * 1e3;
     VERIFY_PANE_LINES = 200;
     INTERCOM_DEBOUNCE_MS = 3e4;
     CODEX_DEBOUNCE_MS = 12e4;
@@ -20483,6 +20789,24 @@ async function runSetupWizard(opts = {}) {
     log("");
     log("=== exe-os Setup ===");
     log("");
+    if (process.platform === "darwin") {
+      const currentShell = process.env.SHELL ?? "";
+      if (currentShell.includes("bash")) {
+        log("  \u26A0 Your default shell is bash.");
+        log("  macOS uses zsh by default since Catalina (2019).");
+        log("  exe-os works with bash, but switching to zsh is recommended:");
+        log("    chsh -s /bin/zsh");
+        log("  Then restart your terminal.");
+        log("");
+        const cont = await ask3(rl, "  Continue with bash? (y/n, default: y): ");
+        if (cont.toLowerCase() === "n") {
+          log("  Run `chsh -s /bin/zsh`, restart your terminal, then run setup again.");
+          rl.close();
+          return;
+        }
+        log("");
+      }
+    }
     log("What are you setting up?");
     log("");
     log("  [1] First device / brand new Exe OS memory");
@@ -21155,7 +21479,7 @@ var init_setup_wizard = __esm({
 });
 
 // src/lib/update-backup.ts
-import { copyFile, readFile as readFile6, readdir as readdir3, writeFile as writeFile7, rm as rm2, mkdir as mkdir7, cp } from "fs/promises";
+import { copyFile as copyFile2, readFile as readFile6, readdir as readdir3, writeFile as writeFile7, rm as rm2, mkdir as mkdir7, cp } from "fs/promises";
 import { existsSync as existsSync36 } from "fs";
 import path42 from "path";
 import os20 from "os";
@@ -21191,7 +21515,7 @@ async function createUpdateBackup(currentVersion, dataDir2, homeDir = os20.homed
     if (!existsSync36(src)) continue;
     const dest = path42.join(backupDir, target.name);
     if (target.type === "file") {
-      await copyFile(src, dest);
+      await copyFile2(src, dest);
     } else {
       await cp(src, dest, { recursive: true });
     }
@@ -21202,7 +21526,7 @@ async function createUpdateBackup(currentVersion, dataDir2, homeDir = os20.homed
     if (entry.isFile() && entry.name.endsWith(".db") && entry.name !== BACKUP_DIR_NAME) {
       const src = path42.join(dir, entry.name);
       const dest = path42.join(backupDir, entry.name);
-      await copyFile(src, dest);
+      await copyFile2(src, dest);
       backedUpFiles.push(entry.name);
     }
   }
@@ -21211,7 +21535,7 @@ async function createUpdateBackup(currentVersion, dataDir2, homeDir = os20.homed
   for (const target of externalBackupTargets(homeDir)) {
     if (!existsSync36(target.path)) continue;
     await mkdir7(externalDir, { recursive: true });
-    await copyFile(target.path, path42.join(externalDir, target.name));
+    await copyFile2(target.path, path42.join(externalDir, target.name));
     externalFiles.push(target);
   }
   const manifest = {
@@ -21246,14 +21570,14 @@ async function restoreFromBackup(dataDir2) {
     if (stat2.isDirectory()) {
       await cp(src, dest, { recursive: true, force: true });
     } else {
-      await copyFile(src, dest);
+      await copyFile2(src, dest);
     }
   }
   for (const external of manifest.externalFiles ?? []) {
     const src = path42.join(backupDir, "external", external.name);
     if (!existsSync36(src)) continue;
     await mkdir7(path42.dirname(external.path), { recursive: true });
-    await copyFile(src, external.path);
+    await copyFile2(src, external.path);
   }
   return manifest;
 }
@@ -32121,6 +32445,33 @@ var init_dangerous_patterns = __esm({
         regex: /\bkill\s+-9\b/,
         severity: "warning",
         reason: "Force kill signal"
+      },
+      // MCP bypass — agents must use MCP tools, never access the DB directly.
+      // These patterns catch attempts to work around a disconnected MCP server.
+      {
+        regex: /\bsqlite3\b.*\bmemories\.db\b/,
+        severity: "critical",
+        reason: "Direct SQLite access bypasses MCP contract boundary \u2014 use MCP tools"
+      },
+      {
+        regex: /\bsqlite3\b.*\.exe-os\b/,
+        severity: "critical",
+        reason: "Direct SQLite access to exe-os database \u2014 use MCP tools"
+      },
+      {
+        regex: /\bnode\s+-e\b.*\b(better-sqlite3|libsql|sqlite3)\b/,
+        severity: "critical",
+        reason: "Inline Node.js script accessing SQLite directly \u2014 use MCP tools"
+      },
+      {
+        regex: /\brequire\s*\(\s*['"].*memories\.db['"]\s*\)/,
+        severity: "critical",
+        reason: "Direct require of memories database \u2014 use MCP tools"
+      },
+      {
+        regex: /\bcat\b.*\bmemories\.db\b/,
+        severity: "warning",
+        reason: "Reading raw database file \u2014 encrypted data, use MCP tools instead"
       }
     ];
   }
@@ -35693,7 +36044,7 @@ function agentColor(agentId) {
       return "#F0EDE8";
   }
 }
-function formatTimeAgo(iso) {
+function formatTimeAgo2(iso) {
   const diff2 = Date.now() - new Date(iso).getTime();
   const hours = Math.floor(diff2 / 36e5);
   if (hours < 1) return "just now";
@@ -36019,7 +36370,7 @@ function WikiView({ onBack }) {
                   result.rawText.length > 80 ? "..." : ""
                 ] }),
                 "  ",
-                /* @__PURE__ */ jsx13(Text, { color: isSelected ? "#F5D76E" : "#3D3660", dimColor: !isSelected, children: formatTimeAgo(result.timestamp) })
+                /* @__PURE__ */ jsx13(Text, { color: isSelected ? "#F5D76E" : "#3D3660", dimColor: !isSelected, children: formatTimeAgo2(result.timestamp) })
               ]
             }
           ),