@askexenow/exe-os 0.9.113 → 0.9.115

package/dist/bin/exe-agent.js

@@ -1861,6 +1861,33 @@ var DANGEROUS_PATTERNS = [
     regex: /\bkill\s+-9\b/,
     severity: "warning",
     reason: "Force kill signal"
+  },
+  // MCP bypass — agents must use MCP tools, never access the DB directly.
+  // These patterns catch attempts to work around a disconnected MCP server.
+  {
+    regex: /\bsqlite3\b.*\bmemories\.db\b/,
+    severity: "critical",
+    reason: "Direct SQLite access bypasses MCP contract boundary \u2014 use MCP tools"
+  },
+  {
+    regex: /\bsqlite3\b.*\.exe-os\b/,
+    severity: "critical",
+    reason: "Direct SQLite access to exe-os database \u2014 use MCP tools"
+  },
+  {
+    regex: /\bnode\s+-e\b.*\b(better-sqlite3|libsql|sqlite3)\b/,
+    severity: "critical",
+    reason: "Inline Node.js script accessing SQLite directly \u2014 use MCP tools"
+  },
+  {
+    regex: /\brequire\s*\(\s*['"].*memories\.db['"]\s*\)/,
+    severity: "critical",
+    reason: "Direct require of memories database \u2014 use MCP tools"
+  },
+  {
+    regex: /\bcat\b.*\bmemories\.db\b/,
+    severity: "warning",
+    reason: "Reading raw database file \u2014 encrypted data, use MCP tools instead"
   }
 ];
 function checkDangerousPatterns(command) {

package/dist/bin/exe-assign.js

@@ -129,6 +129,17 @@ function normalizeOrchestration(raw) {
   const userOrg = raw.orchestration ?? {};
   raw.orchestration = { ...defaultOrg, ...userOrg };
 }
+function normalizeCloudEndpoint(raw) {
+  const cloud = raw.cloud;
+  if (!cloud?.endpoint) return;
+  const ep = String(cloud.endpoint);
+  if (ep === "https://askexe.com/cloud" || ep === "https://askexe.com/cloud/") {
+    cloud.endpoint = "https://cloud.askexe.com";
+    process.stderr.write(
+      "[config] Auto-migrated cloud endpoint: askexe.com/cloud \u2192 cloud.askexe.com\n"
+    );
+  }
+}
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   await ensurePrivateDir(dir);
@@ -154,6 +165,7 @@ async function loadConfig() {
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
     normalizeOrchestration(migratedCfg);
+    normalizeCloudEndpoint(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
@@ -4681,7 +4693,7 @@ init_memory();
 init_database();
 
 // src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync7, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path6 from "path";
@@ -4720,12 +4732,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+    if (exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -4876,15 +4890,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync7(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -4951,7 +4975,7 @@ async function getMasterKey() {
       b64Value = content;
     }
     const key = Buffer.from(b64Value, "base64");
-    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+    if (isRootOnlyTrustedServerKeyFile(keyPath)) {
       return key;
     }
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);

package/dist/bin/exe-boot.js

@@ -155,6 +155,17 @@ function normalizeOrchestration(raw) {
   const userOrg = raw.orchestration ?? {};
   raw.orchestration = { ...defaultOrg, ...userOrg };
 }
+function normalizeCloudEndpoint(raw) {
+  const cloud = raw.cloud;
+  if (!cloud?.endpoint) return;
+  const ep = String(cloud.endpoint);
+  if (ep === "https://askexe.com/cloud" || ep === "https://askexe.com/cloud/") {
+    cloud.endpoint = "https://cloud.askexe.com";
+    process.stderr.write(
+      "[config] Auto-migrated cloud endpoint: askexe.com/cloud \u2192 cloud.askexe.com\n"
+    );
+  }
+}
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   await ensurePrivateDir(dir);
@@ -180,6 +191,7 @@ async function loadConfig() {
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
     normalizeOrchestration(migratedCfg);
+    normalizeCloudEndpoint(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
@@ -208,6 +220,7 @@ function loadConfigSync() {
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
     normalizeOrchestration(migratedCfg);
+    normalizeCloudEndpoint(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
@@ -368,6 +381,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -396,6 +410,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {
@@ -4060,7 +4081,7 @@ __export(keychain_exports, {
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2, rename, copyFile } from "fs/promises";
 import { existsSync as existsSync8, statSync as statSync3 } from "fs";
 import { execSync as execSync3 } from "child_process";
 import path7 from "path";
@@ -4095,12 +4116,14 @@ function linuxSecretAvailable() {
 function isRootOnlyTrustedServerKeyFile(keyPath) {
   if (process.platform !== "linux") return false;
   try {
-    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     const st = statSync3(keyPath);
     if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
     if (uid === 0) return true;
     const exeOsDir = process.env.EXE_OS_DIR;
-    return Boolean(exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep));
+    if (exeOsDir && path7.resolve(keyPath).startsWith(path7.resolve(exeOsDir) + path7.sep)) return true;
+    if (!linuxSecretAvailable()) return true;
+    return false;
   } catch {
     return false;
   }
@@ -4250,15 +4273,25 @@ async function writeMachineBoundFileFallback(b64) {
   await mkdir3(dir, { recursive: true });
   const keyPath = getKeyPath();
   const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  const content = machineKey ? encryptWithMachineKey(b64, machineKey) + "\n" : b64 + "\n";
+  const result = machineKey ? "encrypted" : "plaintext";
+  const tmpPath = keyPath + ".tmp";
+  try {
+    if (existsSync8(keyPath)) {
+      await copyFile(keyPath, keyPath + ".bak").catch(() => {
+      });
+    }
+    await writeFile3(tmpPath, content, "utf-8");
+    await chmod2(tmpPath, 384);
+    await rename(tmpPath, keyPath);
+  } catch (err) {
+    try {
+      await unlink(tmpPath);
+    } catch {
+    }
+    throw err;
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
+  return result;
 }
 async function getMasterKey() {
   let nativeValue = macKeychainGet() ?? linuxSecretGet();
@@ -4325,7 +4358,7 @@ async function getMasterKey() {
       b64Value = content;
     }
     const key = Buffer.from(b64Value, "base64");
-    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+    if (isRootOnlyTrustedServerKeyFile(keyPath)) {
       return key;
     }
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
@@ -5512,6 +5545,7 @@ var init_provider_table = __esm({
 // src/lib/intercom-queue.ts
 var intercom_queue_exports = {};
 __export(intercom_queue_exports, {
+  _resetDrainGuard: () => _resetDrainGuard,
   clearQueueForAgent: () => clearQueueForAgent,
   drainForSession: () => drainForSession,
   drainQueue: () => drainQueue,
@@ -5557,38 +5591,47 @@ function queueIntercom(targetSession, reason) {
   writeQueue(queue);
 }
 function drainQueue(isSessionBusy2, sendKeys) {
+  if (_draining) {
+    logQueue("SKIP_DRAIN \u2014 previous drain still running (possible tmux hang)");
+    return { drained: 0, failed: 0 };
+  }
   const queue = readQueue();
   if (queue.length === 0) return { drained: 0, failed: 0 };
+  _draining = true;
   const remaining = [];
   let drained = 0;
   let failed = 0;
-  for (const item of queue) {
-    const age = Date.now() - new Date(item.queuedAt).getTime();
-    if (age > TTL_MS) {
-      logQueue(`EXPIRED \u2192 ${item.targetSession} (${Math.round(age / 6e4)}min old, reason: ${item.reason})`);
-      failed++;
-      continue;
-    }
-    try {
-      if (!isSessionBusy2(item.targetSession)) {
-        const success = sendKeys(item.targetSession);
-        if (success) {
-          logQueue(`DRAINED \u2192 ${item.targetSession} (after ${item.attempts} retries)`);
-          drained++;
-          continue;
+  try {
+    for (const item of queue) {
+      const age = Date.now() - new Date(item.queuedAt).getTime();
+      if (age > TTL_MS) {
+        logQueue(`EXPIRED \u2192 ${item.targetSession} (${Math.round(age / 6e4)}min old, reason: ${item.reason})`);
+        failed++;
+        continue;
+      }
+      try {
+        if (!isSessionBusy2(item.targetSession)) {
+          const success = sendKeys(item.targetSession);
+          if (success) {
+            logQueue(`DRAINED \u2192 ${item.targetSession} (after ${item.attempts} retries)`);
+            drained++;
+            continue;
+          }
         }
+      } catch {
       }
-    } catch {
-    }
-    item.attempts++;
-    if (item.attempts >= MAX_RETRIES2) {
-      logQueue(`FAILED \u2192 ${item.targetSession} (${MAX_RETRIES2} retries exhausted, reason: ${item.reason})`);
-      failed++;
-      continue;
+      item.attempts++;
+      if (item.attempts >= MAX_RETRIES2) {
+        logQueue(`FAILED \u2192 ${item.targetSession} (${MAX_RETRIES2} retries exhausted, reason: ${item.reason})`);
+        failed++;
+        continue;
+      }
+      remaining.push(item);
     }
-    remaining.push(item);
+    writeQueue(remaining);
+  } finally {
+    _draining = false;
   }
-  writeQueue(remaining);
   return { drained, failed };
 }
 function drainForSession(targetSession, sendKeys) {
@@ -5613,6 +5656,9 @@ function clearQueueForAgent(agentName) {
     logQueue(`CLEARED ${before - filtered.length} stale item(s) for ${agentName}`);
   }
 }
+function _resetDrainGuard() {
+  _draining = false;
+}
 function logQueue(msg) {
   const line = `[${(/* @__PURE__ */ new Date()).toISOString()}] [queue] ${msg}
 `;
@@ -5624,13 +5670,14 @@ function logQueue(msg) {
   } catch {
   }
 }
-var QUEUE_PATH, MAX_RETRIES2, TTL_MS, INTERCOM_LOG;
+var QUEUE_PATH, MAX_RETRIES2, TTL_MS, _draining, INTERCOM_LOG;
 var init_intercom_queue = __esm({
   "src/lib/intercom-queue.ts"() {
     "use strict";
     QUEUE_PATH = path10.join(os7.homedir(), ".exe-os", "intercom-queue.json");
     MAX_RETRIES2 = 5;
     TTL_MS = 60 * 60 * 1e3;
+    _draining = false;
     INTERCOM_LOG = path10.join(os7.homedir(), ".exe-os", "intercom.log");
   }
 });
@@ -6245,6 +6292,17 @@ var init_agent_symlinks = __esm({
 });
 
 // src/lib/notifications.ts
+var notifications_exports = {};
+__export(notifications_exports, {
+  cleanupOldNotifications: () => cleanupOldNotifications,
+  formatNotifications: () => formatNotifications,
+  markAsRead: () => markAsRead,
+  markAsReadByTaskFile: () => markAsReadByTaskFile,
+  markDoneTaskNotificationsAsRead: () => markDoneTaskNotificationsAsRead,
+  migrateJsonNotifications: () => migrateJsonNotifications,
+  readUnreadNotifications: () => readUnreadNotifications,
+  writeNotification: () => writeNotification
+});
 import crypto2 from "crypto";
 import path14 from "path";
 import os10 from "os";
@@ -6374,6 +6432,29 @@ async function markDoneTaskNotificationsAsRead(sessionScope) {
     return 0;
   }
 }
+function formatNotifications(notifications) {
+  if (notifications.length === 0) return "";
+  const grouped = /* @__PURE__ */ new Map();
+  for (const n of notifications) {
+    const key = `${n.agentId}|${n.agentRole}`;
+    if (!grouped.has(key)) grouped.set(key, []);
+    grouped.get(key).push(n);
+  }
+  const lines = [];
+  lines.push(`## Notifications (${notifications.length} unread)
+`);
+  for (const [key, items] of grouped) {
+    const [agentId, agentRole] = key.split("|");
+    lines.push(`**${agentId}** (${agentRole}):`);
+    for (const item of items) {
+      const ago = formatTimeAgo(item.timestamp);
+      const icon = eventIcon(item.event);
+      lines.push(`- ${icon} ${item.summary} (${item.project}) \u2014 ${ago}`);
+    }
+    lines.push("");
+  }
+  return lines.join("\n");
+}
 async function migrateJsonNotifications() {
   const base = process.env.EXE_OS_DIR || process.env.EXE_MEM_DIR || path14.join(os10.homedir(), ".exe-os");
   const notifDir = path14.join(base, "notifications");
@@ -6419,6 +6500,34 @@ async function migrateJsonNotifications() {
   }
   return migrated;
 }
+function eventIcon(event) {
+  switch (event) {
+    case "task_complete":
+      return "Completed:";
+    case "task_needs_fix":
+      return "Needs fix:";
+    case "session_summary":
+      return "Session:";
+    case "error_spike":
+      return "Errors:";
+    case "orphan_task":
+      return "Orphan:";
+    case "subtasks_complete":
+      return "Subtasks done:";
+    case "capacity_relaunch":
+      return "Relaunched:";
+  }
+}
+function formatTimeAgo(timestamp) {
+  const diffMs = Date.now() - new Date(timestamp).getTime();
+  const mins = Math.floor(diffMs / 6e4);
+  if (mins < 1) return "just now";
+  if (mins < 60) return `${mins}m ago`;
+  const hours = Math.floor(mins / 60);
+  if (hours < 24) return `${hours}h ago`;
+  const days = Math.floor(hours / 24);
+  return `${days}d ago`;
+}
 var CLEANUP_DAYS;
 var init_notifications = __esm({
   "src/lib/notifications.ts"() {
@@ -7495,7 +7604,13 @@ async function createReviewForCompletedTask(row, result, _baseDir, now) {
     taskFile
   });
   const originalPriority = String(row.priority).toLowerCase();
-  const autoApprove = originalPriority === "p2" && result?.toLowerCase().includes("tests pass");
+  const resultLower = result?.toLowerCase() ?? "";
+  const hasTestEvidence = (
+    // Vitest/Jest output patterns (hard to fake without actually running tests)
+    /\d+\s+pass(ed|ing)/.test(resultLower) || /test files?\s+\d+\s+passed/.test(resultLower) || /tests?\s+\d+\s+passed/.test(resultLower)
+  );
+  const hasNoFailures = !/fail(ed|ure|ing)|error/i.test(resultLower);
+  const autoApprove = originalPriority === "p2" && hasTestEvidence && hasNoFailures;
   if (!autoApprove) {
     try {
       const key = getSessionKey();
@@ -7503,6 +7618,13 @@ async function createReviewForCompletedTask(row, result, _baseDir, now) {
       if (exeSession) {
         sendIntercom(exeSession);
       }
+      if (reviewer && reviewer !== coordinatorName && reviewer !== exeSession) {
+        const { employeeSessionName: employeeSessionName2 } = await Promise.resolve().then(() => (init_tmux_routing(), tmux_routing_exports));
+        if (exeSession) {
+          const reviewerSession = employeeSessionName2(reviewer, exeSession);
+          sendIntercom(reviewerSession);
+        }
+      }
     } catch {
     }
   }
@@ -8278,6 +8400,20 @@ async function updateTask(input) {
       notifyTaskDone();
     }
     await markTaskNotificationsRead(taskFile);
+    if (input.status === "needs_review" && !isCoordinator) {
+      try {
+        const { writeNotification: writeNotification2 } = await Promise.resolve().then(() => (init_notifications(), notifications_exports));
+        await writeNotification2({
+          agentId: String(row.assigned_to),
+          agentRole: String(row.assigned_to),
+          event: "task_complete",
+          project: String(row.project_name),
+          summary: `"${String(row.title)}" is ready for review`,
+          taskFile
+        });
+      } catch {
+      }
+    }
     if (input.status === "done" || input.status === "closed") {
       try {
         await cascadeUnblock(taskId, input.baseDir, now);
@@ -8710,18 +8846,31 @@ function acquireSpawnLock2(sessionName) {
     mkdirSync9(SPAWN_LOCK_DIR, { recursive: true });
   }
   const lockFile = spawnLockPath(sessionName);
-  if (existsSync18(lockFile)) {
-    try {
-      const lock = JSON.parse(readFileSync12(lockFile, "utf8"));
-      const age = Date.now() - lock.timestamp;
-      if (isProcessAlive(lock.pid) && age < 6e4) {
-        return false;
-      }
-    } catch {
+  const lockData = JSON.stringify({ pid: process.pid, timestamp: Date.now() });
+  const { openSync: openSync4, closeSync: closeSync4, writeSync } = __require("fs");
+  const { constants: constants2 } = __require("fs");
+  try {
+    const fd = openSync4(lockFile, constants2.O_WRONLY | constants2.O_CREAT | constants2.O_EXCL, 420);
+    writeSync(fd, lockData);
+    closeSync4(fd);
+    return true;
+  } catch (err) {
+    if (err?.code !== "EEXIST") {
+      return true;
     }
   }
-  writeFileSync8(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
-  return true;
+  try {
+    const lock = JSON.parse(readFileSync12(lockFile, "utf8"));
+    const age = Date.now() - lock.timestamp;
+    if (isProcessAlive(lock.pid) && age < 6e4) {
+      return false;
+    }
+    writeFileSync8(lockFile, lockData);
+    return true;
+  } catch {
+    writeFileSync8(lockFile, lockData);
+    return true;
+  }
 }
 function releaseSpawnLock2(sessionName) {
   try {
@@ -8800,6 +8949,21 @@ function parseParentExe(sessionName, agentId) {
 function extractRootExe(name) {
   if (!name) return null;
   if (!name.includes("-")) return name;
+  try {
+    const roster = (init_employees(), __toCommonJS(employees_exports)).loadEmployeesSync();
+    if (roster.length > 0) {
+      const sortedNames = roster.map((e) => e.name).sort((a, b) => b.length - a.length);
+      for (const agentName of sortedNames) {
+        const escaped = agentName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        const regex = new RegExp(`^${escaped}\\d*-(.+)$`);
+        const match = name.match(regex);
+        if (match) {
+          return extractRootExe(match[1]);
+        }
+      }
+    }
+  } catch {
+  }
   const parts = name.split("-").filter(Boolean);
   return parts.length > 0 ? parts[parts.length - 1] : null;
 }
@@ -8818,6 +8982,10 @@ function registerParentExe(sessionKey, parentExe, dispatchedBy) {
 function getParentExe(sessionKey) {
   try {
     const data = JSON.parse(readFileSync12(path20.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
+    if (data.registeredAt) {
+      const age = Date.now() - new Date(data.registeredAt).getTime();
+      if (age > PARENT_EXE_CACHE_TTL_MS) return null;
+    }
     return data.parentExe || null;
   } catch {
     return null;
@@ -9366,7 +9534,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     sessionContextFlag = ` --append-system-prompt-file ${ctxFile}`;
   } catch {
   }
-  let envPrefix = `EXE_SESSION=${exeSession} EXE_SESSION_NAME=${sessionName}`;
+  let envPrefix = `EXE_SESSION=${exeSession} EXE_SESSION_NAME=${sessionName} EXE_SESSION_START_ISO=${(/* @__PURE__ */ new Date()).toISOString()}`;
   if (ccProvider !== DEFAULT_PROVIDER) {
     const cfg = PROVIDER_TABLE[ccProvider];
     if (cfg?.apiKeyEnv) {
@@ -9401,10 +9569,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   if (!useExeAgent && !useCodex && !useOpencode && !useBinSymlink) {
     if (agentRtConfig.runtime === "claude" && agentRtConfig.model) {
-      let ccModel = agentRtConfig.model.replace(/(\d+)\.(\d+)/g, "$1-$2");
-      if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
-        ccModel += "[1m]";
-      }
+      const { normalizeCcModelName: normalizeCcModelName2 } = (init_agent_config(), __toCommonJS(agent_config_exports));
+      const ccModel = normalizeCcModelName2(agentRtConfig.model);
       envPrefix = `${envPrefix} ANTHROPIC_MODEL=${ccModel}`;
     }
   }
@@ -9505,7 +9671,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   releaseSpawnLock2(sessionName);
   return { sessionName };
 }
-var SPAWN_LOCK_DIR, SESSION_CACHE, BEHAVIORS_EXPORT_TIMEOUT_MS, VALID_SESSION_NAME, VERIFY_PANE_LINES, INTERCOM_DEBOUNCE_MS, CODEX_DEBOUNCE_MS, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS, BUSY_PATTERN;
+var SPAWN_LOCK_DIR, SESSION_CACHE, BEHAVIORS_EXPORT_TIMEOUT_MS, VALID_SESSION_NAME, PARENT_EXE_CACHE_TTL_MS, VERIFY_PANE_LINES, INTERCOM_DEBOUNCE_MS, CODEX_DEBOUNCE_MS, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS, BUSY_PATTERN;
 var init_tmux_routing = __esm({
   "src/lib/tmux-routing.ts"() {
     "use strict";
@@ -9525,6 +9691,7 @@ var init_tmux_routing = __esm({
     SESSION_CACHE = path20.join(os12.homedir(), ".exe-os", "session-cache");
     BEHAVIORS_EXPORT_TIMEOUT_MS = 1e4;
     VALID_SESSION_NAME = /^[a-z]+\d*-[a-zA-Z0-9_]+$/;
+    PARENT_EXE_CACHE_TTL_MS = 4 * 60 * 60 * 1e3;
     VERIFY_PANE_LINES = 200;
     INTERCOM_DEBOUNCE_MS = 3e4;
     CODEX_DEBOUNCE_MS = 12e4;
@@ -9608,7 +9775,21 @@ function tryAcquireWorkerSlot() {
     for (const f of files) {
       if (!f.endsWith(".pid")) continue;
       if (f.startsWith("res-")) {
-        alive++;
+        const resParts = f.replace(".pid", "").split("-");
+        const resPid = parseInt(resParts[1] ?? "", 10);
+        if (!isNaN(resPid) && resPid > 0) {
+          try {
+            process.kill(resPid, 0);
+            alive++;
+          } catch {
+            try {
+              unlinkSync9(path22.join(WORKER_PID_DIR, f));
+            } catch {
+            }
+          }
+        } else {
+          alive++;
+        }
         continue;
       }
       const dashIdx = f.lastIndexOf("-");
@@ -10151,6 +10332,7 @@ __export(cloud_sync_exports, {
   markCloudReuploadRequired: () => markCloudReuploadRequired,
   mergeConfig: () => mergeConfig,
   mergeRosterFromRemote: () => mergeRosterFromRemote,
+  migrateEndpoint: () => migrateEndpoint,
   pushToPostgres: () => pushToPostgres,
   recordRosterDeletion: () => recordRosterDeletion
 });
@@ -10321,6 +10503,15 @@ async function fetchWithRetry(url, init) {
   }
   throw lastError;
 }
+function migrateEndpoint(endpoint) {
+  if (endpoint === "https://askexe.com/cloud" || endpoint === "https://askexe.com/cloud/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from askexe.com/cloud to cloud.askexe.com (bypasses Cloudflare WAF for datacenter IPs)\n"
+    );
+    return "https://cloud.askexe.com";
+  }
+  return endpoint;
+}
 function assertSecureEndpoint(endpoint) {
   if (endpoint.startsWith("https://")) return;
   if (endpoint.startsWith("http://")) {
@@ -10458,6 +10649,7 @@ async function markCloudReuploadRequired(client = getClient()) {
   await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
 }
 async function cloudSync(config) {
+  config = { ...config, endpoint: migrateEndpoint(config.endpoint) };
   if (!isSyncCryptoInitialized()) {
     try {
       const { getMasterKey: getMasterKey2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));

package/dist/bin/exe-call.js

@@ -1263,6 +1263,7 @@ __export(agent_config_exports, {
   clearAgentRuntime: () => clearAgentRuntime,
   getAgentRuntime: () => getAgentRuntime,
   loadAgentConfig: () => loadAgentConfig,
+  normalizeCcModelName: () => normalizeCcModelName,
   saveAgentConfig: () => saveAgentConfig,
   setAgentMcps: () => setAgentMcps,
   setAgentRuntime: () => setAgentRuntime
@@ -1291,6 +1292,13 @@ function getAgentRuntime(agentId) {
   if (orgDefault) return orgDefault;
   return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
 }
+function normalizeCcModelName(model) {
+  let ccModel = model.replace(/(\d+)\.(\d+)/g, "$1-$2");
+  if (/claude-(opus|sonnet)-4-[6-9]/.test(ccModel) && !ccModel.includes("[1m]")) {
+    ccModel += "[1m]";
+  }
+  return ccModel;
+}
 function setAgentRuntime(agentId, runtime, model, reasoning_effort, mcps) {
   const knownModels = KNOWN_RUNTIMES[runtime];
   if (!knownModels) {