@askexenow/exe-os 0.9.113 → 0.9.115

package/dist/hooks/session-end.js

@@ -154,6 +154,17 @@ function normalizeOrchestration(raw) {
   const userOrg = raw.orchestration ?? {};
   raw.orchestration = { ...defaultOrg, ...userOrg };
 }
+function normalizeCloudEndpoint(raw) {
+  const cloud = raw.cloud;
+  if (!cloud?.endpoint) return;
+  const ep = String(cloud.endpoint);
+  if (ep === "https://askexe.com/cloud" || ep === "https://askexe.com/cloud/") {
+    cloud.endpoint = "https://cloud.askexe.com";
+    process.stderr.write(
+      "[config] Auto-migrated cloud endpoint: askexe.com/cloud \u2192 cloud.askexe.com\n"
+    );
+  }
+}
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   await ensurePrivateDir(dir);
@@ -179,6 +190,7 @@ async function loadConfig() {
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
     normalizeOrchestration(migratedCfg);
+    normalizeCloudEndpoint(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
@@ -207,6 +219,7 @@ function loadConfigSync() {
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
     normalizeOrchestration(migratedCfg);
+    normalizeCloudEndpoint(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
@@ -435,6 +448,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -463,6 +477,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -1013,6 +1034,7 @@ var init_provider_table = __esm({
 // src/lib/intercom-queue.ts
 var intercom_queue_exports = {};
 __export(intercom_queue_exports, {
+  _resetDrainGuard: () => _resetDrainGuard,
   clearQueueForAgent: () => clearQueueForAgent,
   drainForSession: () => drainForSession,
   drainQueue: () => drainQueue,
@@ -1058,38 +1080,47 @@ function queueIntercom(targetSession, reason) {
   writeQueue(queue);
 }
 function drainQueue(isSessionBusy2, sendKeys) {
+  if (_draining) {
+    logQueue("SKIP_DRAIN \u2014 previous drain still running (possible tmux hang)");
+    return { drained: 0, failed: 0 };
+  }
   const queue = readQueue();
   if (queue.length === 0) return { drained: 0, failed: 0 };
+  _draining = true;
   const remaining = [];
   let drained = 0;
   let failed = 0;
-  for (const item of queue) {
-    const age = Date.now() - new Date(item.queuedAt).getTime();
-    if (age > TTL_MS) {
-      logQueue(`EXPIRED \u2192 ${item.targetSession} (${Math.round(age / 6e4)}min old, reason: ${item.reason})`);
-      failed++;
-      continue;
-    }
-    try {
-      if (!isSessionBusy2(item.targetSession)) {
-        const success = sendKeys(item.targetSession);
-        if (success) {
-          logQueue(`DRAINED \u2192 ${item.targetSession} (after ${item.attempts} retries)`);
-          drained++;
-          continue;
+  try {
+    for (const item of queue) {
+      const age = Date.now() - new Date(item.queuedAt).getTime();
+      if (age > TTL_MS) {
+        logQueue(`EXPIRED \u2192 ${item.targetSession} (${Math.round(age / 6e4)}min old, reason: ${item.reason})`);
+        failed++;
+        continue;
+      }
+      try {
+        if (!isSessionBusy2(item.targetSession)) {
+          const success = sendKeys(item.targetSession);
+          if (success) {
+            logQueue(`DRAINED \u2192 ${item.targetSession} (after ${item.attempts} retries)`);
+            drained++;
+            continue;
+          }
         }
+      } catch {
       }
-    } catch {
-    }
-    item.attempts++;
-    if (item.attempts >= MAX_RETRIES) {
-      logQueue(`FAILED \u2192 ${item.targetSession} (${MAX_RETRIES} retries exhausted, reason: ${item.reason})`);
-      failed++;
-      continue;
+      item.attempts++;
+      if (item.attempts >= MAX_RETRIES) {
+        logQueue(`FAILED \u2192 ${item.targetSession} (${MAX_RETRIES} retries exhausted, reason: ${item.reason})`);
+        failed++;
+        continue;
+      }
+      remaining.push(item);
     }
-    remaining.push(item);
+    writeQueue(remaining);
+  } finally {
+    _draining = false;
   }
-  writeQueue(remaining);
   return { drained, failed };
 }
 function drainForSession(targetSession, sendKeys) {
@@ -1114,6 +1145,9 @@ function clearQueueForAgent(agentName) {
     logQueue(`CLEARED ${before - filtered.length} stale item(s) for ${agentName}`);
   }
 }
+function _resetDrainGuard() {
+  _draining = false;
+}
 function logQueue(msg) {
   const line = `[${(/* @__PURE__ */ new Date()).toISOString()}] [queue] ${msg}
 `;
@@ -1125,13 +1159,14 @@ function logQueue(msg) {
   } catch {
   }
 }
-var QUEUE_PATH, MAX_RETRIES, TTL_MS, INTERCOM_LOG;
+var QUEUE_PATH, MAX_RETRIES, TTL_MS, _draining, INTERCOM_LOG;
 var init_intercom_queue = __esm({
   "src/lib/intercom-queue.ts"() {
     "use strict";
     QUEUE_PATH = path7.join(os5.homedir(), ".exe-os", "intercom-queue.json");
     MAX_RETRIES = 5;
     TTL_MS = 60 * 60 * 1e3;
+    _draining = false;
     INTERCOM_LOG = path7.join(os5.homedir(), ".exe-os", "intercom.log");
   }
 });
@@ -6072,7 +6107,13 @@ async function createReviewForCompletedTask(row, result, _baseDir, now) {
     taskFile
   });
   const originalPriority = String(row.priority).toLowerCase();
-  const autoApprove = originalPriority === "p2" && result?.toLowerCase().includes("tests pass");
+  const resultLower = result?.toLowerCase() ?? "";
+  const hasTestEvidence = (
+    // Vitest/Jest output patterns (hard to fake without actually running tests)
+    /\d+\s+pass(ed|ing)/.test(resultLower) || /test files?\s+\d+\s+passed/.test(resultLower) || /tests?\s+\d+\s+passed/.test(resultLower)
+  );
+  const hasNoFailures = !/fail(ed|ure|ing)|error/i.test(resultLower);
+  const autoApprove = originalPriority === "p2" && hasTestEvidence && hasNoFailures;
   if (!autoApprove) {
     try {
       const key = getSessionKey();
@@ -6080,6 +6121,13 @@ async function createReviewForCompletedTask(row, result, _baseDir, now) {
       if (exeSession) {
         sendIntercom(exeSession);
       }
+      if (reviewer && reviewer !== coordinatorName && reviewer !== exeSession) {
+        const { employeeSessionName: employeeSessionName2 } = await Promise.resolve().then(() => (init_tmux_routing(), tmux_routing_exports));
+        if (exeSession) {
+          const reviewerSession = employeeSessionName2(reviewer, exeSession);
+          sendIntercom(reviewerSession);
+        }
+      }
     } catch {
     }
   }
@@ -6855,6 +6903,20 @@ async function updateTask(input2) {
       notifyTaskDone();
     }
     await markTaskNotificationsRead(taskFile);
+    if (input2.status === "needs_review" && !isCoordinator) {
+      try {
+        const { writeNotification: writeNotification2 } = await Promise.resolve().then(() => (init_notifications(), notifications_exports));
+        await writeNotification2({
+          agentId: String(row.assigned_to),
+          agentRole: String(row.assigned_to),
+          event: "task_complete",
+          project: String(row.project_name),
+          summary: `"${String(row.title)}" is ready for review`,
+          taskFile
+        });
+      } catch {
+      }
+    }
     if (input2.status === "done" || input2.status === "closed") {
       try {
         await cascadeUnblock(taskId, input2.baseDir, now);
@@ -7287,18 +7349,31 @@ function acquireSpawnLock2(sessionName) {
     mkdirSync10(SPAWN_LOCK_DIR, { recursive: true });
   }
   const lockFile = spawnLockPath(sessionName);
-  if (existsSync17(lockFile)) {
-    try {
-      const lock = JSON.parse(readFileSync14(lockFile, "utf8"));
-      const age = Date.now() - lock.timestamp;
-      if (isProcessAlive(lock.pid) && age < 6e4) {
-        return false;
-      }
-    } catch {
+  const lockData = JSON.stringify({ pid: process.pid, timestamp: Date.now() });
+  const { openSync: openSync3, closeSync: closeSync3, writeSync } = __require("fs");
+  const { constants } = __require("fs");
+  try {
+    const fd = openSync3(lockFile, constants.O_WRONLY | constants.O_CREAT | constants.O_EXCL, 420);
+    writeSync(fd, lockData);
+    closeSync3(fd);
+    return true;
+  } catch (err) {
+    if (err?.code !== "EEXIST") {
+      return true;
     }
   }
-  writeFileSync10(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
-  return true;
+  try {
+    const lock = JSON.parse(readFileSync14(lockFile, "utf8"));
+    const age = Date.now() - lock.timestamp;
+    if (isProcessAlive(lock.pid) && age < 6e4) {
+      return false;
+    }
+    writeFileSync10(lockFile, lockData);
+    return true;
+  } catch {
+    writeFileSync10(lockFile, lockData);
+    return true;
+  }
 }
 function releaseSpawnLock2(sessionName) {
   try {
@@ -7377,6 +7452,21 @@ function parseParentExe(sessionName, agentId) {
 function extractRootExe(name) {
   if (!name) return null;
   if (!name.includes("-")) return name;
+  try {
+    const roster = (init_employees(), __toCommonJS(employees_exports)).loadEmployeesSync();
+    if (roster.length > 0) {
+      const sortedNames = roster.map((e) => e.name).sort((a, b) => b.length - a.length);
+      for (const agentName of sortedNames) {
+        const escaped = agentName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        const regex = new RegExp(`^${escaped}\\d*-(.+)$`);
+        const match = name.match(regex);
+        if (match) {
+          return extractRootExe(match[1]);
+        }
+      }
+    }
+  } catch {
+  }
   const parts = name.split("-").filter(Boolean);
   return parts.length > 0 ? parts[parts.length - 1] : null;
 }
@@ -7395,6 +7485,10 @@ function registerParentExe(sessionKey, parentExe, dispatchedBy) {
 function getParentExe(sessionKey) {
   try {
     const data = JSON.parse(readFileSync14(path20.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
+    if (data.registeredAt) {
+      const age = Date.now() - new Date(data.registeredAt).getTime();
+      if (age > PARENT_EXE_CACHE_TTL_MS) return null;
+    }
     return data.parentExe || null;
   } catch {
     return null;
@@ -7943,7 +8037,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     sessionContextFlag = ` --append-system-prompt-file ${ctxFile}`;
   } catch {
   }
-  let envPrefix = `EXE_SESSION=${exeSession} EXE_SESSION_NAME=${sessionName}`;
+  let envPrefix = `EXE_SESSION=${exeSession} EXE_SESSION_NAME=${sessionName} EXE_SESSION_START_ISO=${(/* @__PURE__ */ new Date()).toISOString()}`;
   if (ccProvider !== DEFAULT_PROVIDER) {
     const cfg = PROVIDER_TABLE[ccProvider];
     if (cfg?.apiKeyEnv) {
@@ -7978,10 +8072,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }
@@ -8082,7 +8174,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   releaseSpawnLock2(sessionName);
   return { sessionName };
 }
-var SPAWN_LOCK_DIR, SESSION_CACHE, BEHAVIORS_EXPORT_TIMEOUT_MS, VALID_SESSION_NAME, VERIFY_PANE_LINES, INTERCOM_DEBOUNCE_MS, CODEX_DEBOUNCE_MS, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS, BUSY_PATTERN;
+var SPAWN_LOCK_DIR, SESSION_CACHE, BEHAVIORS_EXPORT_TIMEOUT_MS, VALID_SESSION_NAME, PARENT_EXE_CACHE_TTL_MS, VERIFY_PANE_LINES, INTERCOM_DEBOUNCE_MS, CODEX_DEBOUNCE_MS, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS, BUSY_PATTERN;
 var init_tmux_routing = __esm({
   "src/lib/tmux-routing.ts"() {
     "use strict";
@@ -8102,6 +8194,7 @@ var init_tmux_routing = __esm({
     SESSION_CACHE = path20.join(os12.homedir(), ".exe-os", "session-cache");
     BEHAVIORS_EXPORT_TIMEOUT_MS = 1e4;
     VALID_SESSION_NAME = /^[a-z]+\d*-[a-zA-Z0-9_]+$/;
+    PARENT_EXE_CACHE_TTL_MS = 4 * 60 * 60 * 1e3;
     VERIFY_PANE_LINES = 200;
     INTERCOM_DEBOUNCE_MS = 3e4;
     CODEX_DEBOUNCE_MS = 12e4;
@@ -8146,7 +8239,7 @@ var init_task_scope = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync19, statSync as statSync4 } from "fs";
 import { execSync as execSync9 } from "child_process";
 import path22 from "path";
@@ -8181,12 +8274,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os13.userInfo().uid === "number" ? os13.userInfo().uid : -1;
     const st = statSync4(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os13.userInfo().uid === "number" ? os13.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path22.resolve(keyPath).startsWith(path22.resolve(exeOsDir) + path22.sep));
+    if (exeOsDir && path22.resolve(keyPath).startsWith(path22.resolve(exeOsDir) + path22.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -8336,15 +8431,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir4(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile5(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync19(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile5(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile5(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -8411,7 +8516,7 @@ async function getMasterKey() {
       b64Value = content;
     }
     const key = Buffer.from(b64Value, "base64");
-    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+    if (isRootOnlyTrustedServerKeyFile(keyPath)) {
       return key;
     }
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);

package/dist/hooks/session-start.js

@@ -154,6 +154,17 @@ function normalizeOrchestration(raw) {
   const userOrg = raw.orchestration ?? {};
   raw.orchestration = { ...defaultOrg, ...userOrg };
 }
+function normalizeCloudEndpoint(raw) {
+  const cloud = raw.cloud;
+  if (!cloud?.endpoint) return;
+  const ep = String(cloud.endpoint);
+  if (ep === "https://askexe.com/cloud" || ep === "https://askexe.com/cloud/") {
+    cloud.endpoint = "https://cloud.askexe.com";
+    process.stderr.write(
+      "[config] Auto-migrated cloud endpoint: askexe.com/cloud \u2192 cloud.askexe.com\n"
+    );
+  }
+}
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   await ensurePrivateDir(dir);
@@ -179,6 +190,7 @@ async function loadConfig() {
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
     normalizeOrchestration(migratedCfg);
+    normalizeCloudEndpoint(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
@@ -207,6 +219,7 @@ function loadConfigSync() {
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
     normalizeOrchestration(migratedCfg);
+    normalizeCloudEndpoint(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
@@ -422,6 +435,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -450,6 +464,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -3741,7 +3762,7 @@ var init_database = __esm({
 });
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync8, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path7 from "path";
@@ -3776,12 +3797,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep));
+    if (exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -3931,15 +3954,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync8(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -4006,7 +4039,7 @@ async function getMasterKey() {
       b64Value = content;
     }
     const key = Buffer.from(b64Value, "base64");
-    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+    if (isRootOnlyTrustedServerKeyFile(keyPath)) {
       return key;
     }
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
@@ -8583,6 +8616,21 @@ function isRootSession(name) {
 function extractRootExe(name) {
   if (!name) return null;
   if (!name.includes("-")) return name;
+  try {
+    const roster = (init_employees(), __toCommonJS(employees_exports)).loadEmployeesSync();
+    if (roster.length > 0) {
+      const sortedNames = roster.map((e) => e.name).sort((a, b) => b.length - a.length);
+      for (const agentName of sortedNames) {
+        const escaped = agentName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        const regex = new RegExp(`^${escaped}\\d*-(.+)$`);
+        const match = name.match(regex);
+        if (match) {
+          return extractRootExe(match[1]);
+        }
+      }
+    }
+  } catch {
+  }
   const parts = name.split("-").filter(Boolean);
   return parts.length > 0 ? parts[parts.length - 1] : null;
 }
@@ -8601,6 +8649,10 @@ function registerParentExe(sessionKey, parentExe, dispatchedBy) {
 function getParentExe(sessionKey) {
   try {
     const data = JSON.parse(readFileSync11(path18.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
+    if (data.registeredAt) {
+      const age = Date.now() - new Date(data.registeredAt).getTime();
+      if (age > PARENT_EXE_CACHE_TTL_MS) return null;
+    }
     return data.parentExe || null;
   } catch {
     return null;
@@ -8673,7 +8725,7 @@ function resolveExeSession() {
   }
   return candidate;
 }
-var SPAWN_LOCK_DIR, SESSION_CACHE, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS;
+var SPAWN_LOCK_DIR, SESSION_CACHE, PARENT_EXE_CACHE_TTL_MS, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS;
 var init_tmux_routing = __esm({
   "src/lib/tmux-routing.ts"() {
     "use strict";
@@ -8691,6 +8743,7 @@ var init_tmux_routing = __esm({
     init_agent_symlinks();
     SPAWN_LOCK_DIR = path18.join(os10.homedir(), ".exe-os", "spawn-locks");
     SESSION_CACHE = path18.join(os10.homedir(), ".exe-os", "session-cache");
+    PARENT_EXE_CACHE_TTL_MS = 4 * 60 * 60 * 1e3;
     INTERCOM_LOG2 = path18.join(os10.homedir(), ".exe-os", "intercom.log");
     DEBOUNCE_FILE = path18.join(SESSION_CACHE, "intercom-debounce.json");
     DEBOUNCE_CLEANUP_AGE_MS = 5 * 60 * 1e3;