@askexenow/exe-os 0.9.147 → 0.9.148

package/deploy/compose/.env.customer.example

@@ -5,7 +5,7 @@
 # --- Data Layer ---
 POSTGRES_USER=exe
 POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD
-POSTGRES_DB=default
+POSTGRES_DB=exedb
 
 CLICKHOUSE_DB=default
 CLICKHOUSE_USER=exe

package/deploy/compose/.env.default

@@ -23,7 +23,7 @@ GATEWAY_IMAGE_TAG=ghcr.io/askexe/exe-gateway:v0.9.1
 # ------------------------------------------------------------------
 POSTGRES_USER=exe
 POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD
-POSTGRES_DB=default
+POSTGRES_DB=exedb
 WIKI_DB_NAME=wiki
 
 # ------------------------------------------------------------------

package/deploy/compose/.env.example

@@ -5,7 +5,7 @@
 # --- Data Layer ---
 POSTGRES_USER=exe
 POSTGRES_PASSWORD=CHANGEME_POSTGRES_PASSWORD
-POSTGRES_DB=default
+POSTGRES_DB=exedb
 
 CLICKHOUSE_DB=default
 CLICKHOUSE_USER=exe

package/deploy/compose/README.md

@@ -23,7 +23,7 @@ unchanged; this directory is the full stack.
 
 | Service        | Image                                         | Pin source             | Internal port |
 |----------------|-----------------------------------------------|------------------------|---------------|
-| `crm-postgres` | `postgres:16.6-alpine`                        | hard-pinned            | 5432          |
+| `exe-db` | `pgvector/pgvector:pg16`                        | hard-pinned            | 5432          |
 | `clickhouse`   | `clickhouse/clickhouse-server:24.8.4.13-alpine` | hard-pinned          | 8123 / 9000   |
 | `redis`        | `redis:7.4-alpine`                            | hard-pinned            | 6379          |
 | `exe-crm`      | `${CRM_IMAGE_TAG}`                            | `.env`                 | 3000          |

package/deploy/compose/docker-compose.yml

@@ -1,6 +1,7 @@
 # exe-os VPS stack — full production compose
 #
-# Services: exe-crm + crm-postgres + clickhouse + redis + exe-wiki + exed + exe-gateway
+# Services: exe-db (postgres) + clickhouse + redis + exe-crm + exe-wiki + exe-os + exe-gateway
+# ONE postgres (exe-db) — all services connect to it via DATABASE_URL.
 # Standard for managed customer VPSs: exe-monitor-agent reports fleet health to monitor.askexe.com.
 # All image tags pinned per-client via .env (no :latest). Healthchecks on every service.
 # Named volumes for state; explicit subnets; depends_on with service_healthy gates.
@@ -18,12 +19,12 @@ name: exe-os
 
 services:
   # ------------------------------------------------------------------
-  # Data layer
+  # Data layer — ONE postgres (exe-db) for all services
   # ------------------------------------------------------------------
 
-  crm-postgres:
-    image: postgres:16.6-alpine
-    container_name: crm-postgres
+  exe-db:
+    image: ${EXE_DB_IMAGE:-pgvector/pgvector:pg16}
+    container_name: exe-db
     restart: unless-stopped
     env_file:
       - path: .env
@@ -31,7 +32,7 @@ services:
     environment:
       POSTGRES_USER: ${POSTGRES_USER:-exe}
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}
-      POSTGRES_DB: ${POSTGRES_DB:-default}
+      POSTGRES_DB: ${POSTGRES_DB:-exedb}
       PGDATA: /var/lib/postgresql/data/pgdata
     volumes:
       - postgres_data:/var/lib/postgresql/data
@@ -39,7 +40,7 @@ services:
       backend:
         ipv4_address: 10.42.0.10
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-exe} -d ${POSTGRES_DB:-default}"]
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-exe} -d ${POSTGRES_DB:-exedb}"]
       interval: 10s
       timeout: 5s
       start_period: 30s
@@ -112,7 +113,7 @@ services:
     container_name: exe-crm
     restart: unless-stopped
     depends_on:
-      crm-postgres:
+      exe-db:
         condition: service_healthy
       clickhouse:
         condition: service_healthy
@@ -127,7 +128,7 @@ services:
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
       SERVER_URL: ${CRM_SERVER_URL:-https://crm.askexe.com}
       APP_SECRET: ${CRM_APP_SECRET:?CRM_APP_SECRET is required}
-      PG_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@crm-postgres:5432/${POSTGRES_DB:-default}
+      PG_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}
       REDIS_URL: redis://:${REDIS_PASSWORD:?REDIS_PASSWORD is required}@redis:6379
       CLICKHOUSE_URL: http://${CLICKHOUSE_USER:-exe}:${CLICKHOUSE_PASSWORD:?CLICKHOUSE_PASSWORD is required}@clickhouse:8123/${CLICKHOUSE_DB:-default}
       STORAGE_TYPE: local
@@ -159,7 +160,7 @@ services:
     restart: unless-stopped
     command: ["yarn", "worker:prod"]
     depends_on:
-      crm-postgres:
+      exe-db:
         condition: service_healthy
       clickhouse:
         condition: service_healthy
@@ -175,7 +176,7 @@ services:
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
       SERVER_URL: ${CRM_SERVER_URL:-https://crm.askexe.com}
       APP_SECRET: ${CRM_APP_SECRET:?CRM_APP_SECRET is required}
-      PG_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@crm-postgres:5432/${POSTGRES_DB:-default}
+      PG_DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}
       REDIS_URL: redis://:${REDIS_PASSWORD:?REDIS_PASSWORD is required}@redis:6379
       CLICKHOUSE_URL: http://${CLICKHOUSE_USER:-exe}:${CLICKHOUSE_PASSWORD:?CLICKHOUSE_PASSWORD is required}@clickhouse:8123/${CLICKHOUSE_DB:-default}
       STORAGE_TYPE: local
@@ -198,7 +199,7 @@ services:
     container_name: exe-wiki
     restart: unless-stopped
     depends_on:
-      crm-postgres:
+      exe-db:
         condition: service_healthy
     env_file:
       - path: .env
@@ -208,7 +209,7 @@ services:
       SERVER_PORT: "3001"
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
       STORAGE_DIR: /app/server/storage
-      DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@crm-postgres:5432/${POSTGRES_DB:-default}?schema=${WIKI_DB_SCHEMA:-wiki}
+      DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}?schema=${WIKI_DB_SCHEMA:-wiki}
       AUTH_TOKEN: ${WIKI_AUTH_TOKEN:?WIKI_AUTH_TOKEN is required}
       JWT_SECRET: ${WIKI_JWT_SECRET:?WIKI_JWT_SECRET is required}
       SIG_KEY: ${WIKI_SIG_KEY:?WIKI_SIG_KEY is required}
@@ -249,7 +250,7 @@ services:
       EXED_MCP_TOKEN: ${EXED_MCP_TOKEN:?EXED_MCP_TOKEN is required}
       EXED_DEVICE_ID: ${EXED_DEVICE_ID:-vps-default}
       EXE_LICENSE_KEY: ${EXE_LICENSE_KEY:?EXE_LICENSE_KEY is required — purchase at https://askexe.com}
-      DATABASE_URL: ${EXED_DATABASE_URL:-postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@crm-postgres:5432/${POSTGRES_DB:-default}}
+      DATABASE_URL: ${EXED_DATABASE_URL:-postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}}
       EXE_CLOUD_SYNC_TO_POSTGRES: ${EXE_CLOUD_SYNC_TO_POSTGRES:-true}
       EXE_RSS_WARN_MB: ${EXE_RSS_WARN_MB:-6144}
       EXE_RSS_RESTART_MB: ${EXE_RSS_RESTART_MB:-8192}
@@ -285,6 +286,7 @@ services:
       NODE_ENV: production
       EXE_GATEWAY_HOME: /data
       EXE_GATEWAY_CONFIG: /data/gateway.json
+      DATABASE_URL: postgres://${POSTGRES_USER:-exe}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}@exe-db:5432/${POSTGRES_DB:-exedb}
       EXE_GATEWAY_PORT: "3100"
       EXE_GATEWAY_HOST: "127.0.0.1"
       EXE_GATEWAY_AUTH_TOKEN: ${EXE_GATEWAY_AUTH_TOKEN:?EXE_GATEWAY_AUTH_TOKEN is required}

package/dist/bin/stack-update.js

@@ -528,7 +528,7 @@ async function runStackUpdate(options) {
     }
     exec("docker", [...composeArgs, "pull"]);
     const RESTART_ORDER = [
-      "crm-postgres",
+      "exe-db",
       // data layer — must be healthy before apps
       "clickhouse",
       "redis",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askexenow/exe-os",
-  "version": "0.9.147",
+  "version": "0.9.148",
   "description": "AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",

package/release-notes.json

@@ -1,8 +1,8 @@
 {
-  "current": "0.9.147",
+  "current": "0.9.148",
   "notes": {
-    "0.9.147": {
-      "version": "0.9.147",
+    "0.9.148": {
+      "version": "0.9.148",
       "date": "2026-05-28",
       "features": [
         "graph auto-extract from ARCHITECTURE.md — regex-based entity/relationship extraction",
@@ -32,6 +32,7 @@
         "stale review auto-cleanup + file-copy size limit (features 5, 6)"
       ],
       "fixes": [
+        "ONE postgres — replace crm-postgres with exe-db across entire stack",
         "smart session-scoping gate + last boot cleanup leak + triage_bug docs",
         "add shipped_version to support triage + clean platform procedures",
         "close remaining session-scoping findings from Bob's audit",
@@ -55,8 +56,7 @@
         "replace require() with ESM import in shouldAutoInstance",
         "intercom-check passes project_name to scanFromDb — prevents cross-project task pollution",
         "periodic WAL checkpoint (TRUNCATE) every 5 minutes in daemon",
-        "orphan task routing + cloud push content hash (cherry-pick from tom4)",
-        "upgrade code_context platform procedure to P0 + add graph tools"
+        "orphan task routing + cloud push content hash (cherry-pick from tom4)"
       ],
       "security": [
         "fix shell injection, SSRF, socket leaks, backup validation",
@@ -104,8 +104,8 @@
         "exe-daemon.ts kills old embed.pid process and cleans up"
       ]
     },
-    "0.9.146": {
-      "version": "0.9.146",
+    "0.9.147": {
+      "version": "0.9.147",
       "date": "2026-05-28",
       "features": [
         "graph auto-extract from ARCHITECTURE.md — regex-based entity/relationship extraction",
@@ -135,6 +135,8 @@
         "stale review auto-cleanup + file-copy size limit (features 5, 6)"
       ],
       "fixes": [
+        "smart session-scoping gate + last boot cleanup leak + triage_bug docs",
+        "add shipped_version to support triage + clean platform procedures",
         "close remaining session-scoping findings from Bob's audit",
         "close 3 more session-scoping leaks from Bob's audit (LEAK-4, LEAK-7, LEAK-8)",
         "close 8 session-scoping leaks — daemon ALS trust + review cleanup + close-task + inbox",
@@ -157,9 +159,7 @@
         "intercom-check passes project_name to scanFromDb — prevents cross-project task pollution",
         "periodic WAL checkpoint (TRUNCATE) every 5 minutes in daemon",
         "orphan task routing + cloud push content hash (cherry-pick from tom4)",
-        "upgrade code_context platform procedure to P0 + add graph tools",
-        "defer initStore() to background — MCP startup is now instant",
-        "multi-project session isolation in create-task dispatch"
+        "upgrade code_context platform procedure to P0 + add graph tools"
       ],
       "security": [
         "fix shell injection, SSRF, socket leaks, backup validation",
@@ -207,62 +207,62 @@
         "exe-daemon.ts kills old embed.pid process and cleans up"
       ]
     },
-    "0.9.144": {
-      "version": "0.9.144",
-      "date": "2026-05-26",
+    "0.9.146": {
+      "version": "0.9.146",
+      "date": "2026-05-28",
       "features": [
-        "close_task auto-merges PR + pulls main + builds + prunes + respawns",
-        "auto-respawn Tom after close_task if more tasks queued",
-        "message WAL fallback — messages survive daemon downtime",
-        "entity type hierarchy — subtypes with rollup queries (PG-2)",
-        "temporal validity windows for graph queries (PG-3)",
-        "backup restore CLI + restoreBackup function",
-        "ESLint setup + dependency hygiene + any type reduction",
-        "config(action=\"hire\") MCP tool — COO can hire employees directly",
-        "GM (General Manager) role template + hiring guidance",
-        "merge gate warning in close_task — catches unmerged PRs",
-        "behavior hygiene — platform procedure + COO identity + company procedure",
-        "MCP auto-reconnect to daemon — survives deploy restarts transparently",
-        "event-driven notifications — stop polling managers, let task state drive everything",
-        "MCP disconnect tracker + daemon observability",
-        "MCP lifecycle logging to file — FULL transparency on every disconnect",
-        "automatic P0 bug fixing — daemon auto-dispatch + GitHub Actions fallback",
-        "enforce worktrees for engineer sessions — prevent direct main commits",
-        "multi-device coordination — routing, handoff, device status",
-        "hook tamper protection — SHA-256 manifest + verification before spawn",
-        "governed collaborative memory — visibility tags + write governance",
-        "cache-sharing protocol — pub/sub memory bus for inter-agent sharing",
-        "multi-modal memory — media attachments on memories",
-        "comprehensive \"last 20%\" integration tests + audit_trail read path",
-        "wire memory poisoning defense into writeMemory() pipeline",
-        "memory poisoning defense — trust levels, anomaly detection, quarantine"
+        "graph auto-extract from ARCHITECTURE.md — regex-based entity/relationship extraction",
+        "migrate cloud.askexe.com → api.askexe.com as canonical endpoint",
+        "federated recall — code_context + graph fallback when memory results weak",
+        "migrate cloud.askexe.com → api.askexe.com across all src/ defaults",
+        "rolling restart in stack-update — one service at a time with health verification",
+        "DMR benchmark harness + LoCoMo improvements for v0.9.145 evaluation",
+        "Windows/WSL support — WezTerm config + WSL detection in setup wizard",
+        "queryTaskRows() consolidation — single scoped query path for all task list operations",
+        "review signal files — reliable reviewer notification on update_task(done)",
+        "Ghostty-native notifications via OSC 9 — no more Script Editor popup",
+        "device-scoped behaviors — device_id column + filter in loading",
+        "dispatch reliability — 45s boot timeout, dispatch ack signals, agent heartbeat",
+        "setup wizard headless mode + daemon health check after restart",
+        "device-scoped behaviors — add device_id column + filter on load",
+        "gateway prompt injection defense — 3-tier security hardening",
+        "add diagnostics(action=\"merge_agent_memories\") for reassigning memories across agent IDs",
+        "add task dependency tree visualization (action=dependency_tree)",
+        "graceful COO auto-relaunch after context-full exit",
+        "desktop push notifications on task completion (macOS/Linux)",
+        "rename GHCR image exed → exe-os across all deploy/stack references",
+        "passive daemon-restart detection — agents get one-time /mcp notice",
+        "daemon restart orchestrator — single authority for all restart decisions",
+        "query router cache tuning + cross-session tasks + shared skills",
+        "socket health probe + tmux env guard + reviewer queue fallback (features 1, 2)",
+        "stale review auto-cleanup + file-copy size limit (features 5, 6)"
       ],
       "fixes": [
-        "remove unused test imports blocking publish",
-        "resolve all typecheck errors — await-in-sync + type mismatches",
-        "remaining require() → ESM imports in daemon (db-backup, intercom, shutdown)",
-        "eliminate CJS require() from ESM daemon + reliable task signal delivery",
-        "migrate critical writeFileSync to atomicWrite — prevent corruption on crash (Track C)",
-        "security hardening — SQL injection lint + TUI input sanitize + MCP rate limiter (Track D)",
-        "clear public launch readiness blockers",
-        "prune old worktree on close_task before respawning fresh",
-        "exe-launch-agent resolves multi-instance names — tom2/tom3 no longer rejected",
-        "worktree isolation for all runtimes + token budget enforcement + atomic memory versioning",
-        "cross-device sync dedup — cooldown key prevents duplicate pushes",
-        "merge gate checks branch name not git author — was silently passing",
-        "resume_employee uses autoInstance — spawns tom2/tom3 for parallel",
-        "security hardening — fail-closed behavior auth gates",
-        "send_message intercom uses force:true — bypass 5-min debounce",
-        "global session cap 10→50 — match MCP session cap",
-        "/exe-call ALWAYS fires + tmux send-keys blocked for ALL agents",
-        "SIGTERM graceful shutdown — remove process.exit(0) from initMetrics",
-        "stale task escalation — surface alive-but-stalled agents to COO",
-        "cloud sync upsert + entity type hierarchy + temporal validity + file_copy security",
-        "daemon memory leak + duplicate watchdog + HTTP body limit + WAL flush",
-        "heap pressure alarm was false positive — compared heapUsed/heapTotal instead of heapUsed/heapLimit",
-        "strengthen scoped SQL audit — cover UPDATE/INSERT, expand exemptions",
-        "hard block tmux send-keys for non-coordinator agents",
-        "MCP disconnect procedure — explicitly block tmux send-keys workaround"
+        "close remaining session-scoping findings from Bob's audit",
+        "close 3 more session-scoping leaks from Bob's audit (LEAK-4, LEAK-7, LEAK-8)",
+        "close 8 session-scoping leaks — daemon ALS trust + review cleanup + close-task + inbox",
+        "correct graph column names in federated recall query",
+        "diagnostics check_update ENOENT + healthcheck timeout",
+        "review notifications never reached reviewer — signal file gate was dead code",
+        "remove osascript fallback — desktop notifications use OSC 9 only on macOS",
+        "generate valid UUIDs in projection worker stableId + add wiki.* projection",
+        "RSS backpressure + safe Metal shutdown for embedding daemon OOM",
+        "multi-Tom dispatch — per-task signal files + atomic claim + herd prevention",
+        "restrict project_name='all' to coordinators only in list_tasks",
+        "CRM Dockerfile multi-arch — BUILDPLATFORM for build stages, rebuild bcrypt",
+        "enhance intercom log with caller/task/trigger metadata for tracing",
+        "project-scope review queries — no more cross-project review pollution",
+        "remove unused getActiveAgent import in list-tasks",
+        "project-scope ALL task queries — prevents cross-project pollution",
+        "hash-based cloud pull conflict detection + indentation-aware Python/Rust chunker",
+        "add sessionScopeFilter to worker-gate + create-task queries",
+        "replace require() with ESM import in shouldAutoInstance",
+        "intercom-check passes project_name to scanFromDb — prevents cross-project task pollution",
+        "periodic WAL checkpoint (TRUNCATE) every 5 minutes in daemon",
+        "orphan task routing + cloud push content hash (cherry-pick from tom4)",
+        "upgrade code_context platform procedure to P0 + add graph tools",
+        "defer initStore() to background — MCP startup is now instant",
+        "multi-project session isolation in create-task dispatch"
       ],
       "security": [
         "fix shell injection, SSRF, socket leaks, backup validation",
@@ -279,7 +279,15 @@
         "fix 4 pricing tier bypass vulnerabilities (audit F1-F4)"
       ],
       "other": [
+        "bump to v0.9.146 for publish",
+        "Windows support architecture — WezTerm + WSL decision (2026-05-27)",
+        "Merge branch 'tom4-work' — device-scoped behaviors + push-notification fix",
+        "bump to v0.9.145 for publish",
+        "revert: keep workflow files unchanged — GitHub OAuth blocks workflow scope",
+        "stage remaining Yoshi fixes — features + bug cleanup",
+        "add tests for daemon restart orchestrator module",
         "publish v0.9.144 — ESM require() fix + reliable task signals + OAuth 2.1",
+        "add MCP tool tests for message, cloud-sync, and file-copy",
         "add coverage for send_message, cloud_sync, file_copy MCP tools (Track A)",
         "Recover MCP sessions after daemon restart",
         "publish v0.9.143 — all fixes live",
@@ -295,23 +303,15 @@
         "roadmap: Cross-Repo Ontology — Palantir-level graph (PG-1 through PG-10)",
         "capture mcp restart self-healing roadmap",
         "Enforce chain of command task review parity",
-        "document raw SQL fallback in orchestrator auto-approve path",
-        "Finalize orchestration rollout fixes",
-        "Scope device governance task queries",
-        "bump v0.9.138 — 7 critical bug fixes, 10 features, 16 commits",
-        "bump v0.9.137 — Memanto typed schema, push notifications, lazy consolidation",
-        "bump v0.9.136 — daemon OOM fix, process monitor, auto-notify reviewer",
-        "bump v0.9.135 — code debt cleanup, 28 new tests, full observability",
-        "Codex MCP regression tests (18) + DB singleton integration tests (10)",
-        "release notes for v0.9.134"
+        "document raw SQL fallback in orchestrator auto-approve path"
       ],
       "migration_notes": [
         "If daemon goes down, agents will now fail instead of silently",
         "exe-daemon.ts kills old embed.pid process and cleans up"
       ]
     },
-    "0.9.143": {
-      "version": "0.9.143",
+    "0.9.144": {
+      "version": "0.9.144",
       "date": "2026-05-26",
       "features": [
         "close_task auto-merges PR + pulls main + builds + prunes + respawns",
@@ -341,6 +341,13 @@
         "memory poisoning defense — trust levels, anomaly detection, quarantine"
       ],
       "fixes": [
+        "remove unused test imports blocking publish",
+        "resolve all typecheck errors — await-in-sync + type mismatches",
+        "remaining require() → ESM imports in daemon (db-backup, intercom, shutdown)",
+        "eliminate CJS require() from ESM daemon + reliable task signal delivery",
+        "migrate critical writeFileSync to atomicWrite — prevent corruption on crash (Track C)",
+        "security hardening — SQL injection lint + TUI input sanitize + MCP rate limiter (Track D)",
+        "clear public launch readiness blockers",
         "prune old worktree on close_task before respawning fresh",
         "exe-launch-agent resolves multi-instance names — tom2/tom3 no longer rejected",
         "worktree isolation for all runtimes + token budget enforcement + atomic memory versioning",
@@ -358,14 +365,7 @@
         "heap pressure alarm was false positive — compared heapUsed/heapTotal instead of heapUsed/heapLimit",
         "strengthen scoped SQL audit — cover UPDATE/INSERT, expand exemptions",
         "hard block tmux send-keys for non-coordinator agents",
-        "MCP disconnect procedure — explicitly block tmux send-keys workaround",
-        "file_copy MCP tool — path boundary enforcement + symlink traversal block",
-        "cloud sync task pull uses ON CONFLICT upsert with updated_at guard",
-        "multi-instance Tom dispatch — create_task fans out to tom2, tom3",
-        "atomic writes for agent-config.json, roster (orchestration + rename)",
-        "atomic JSON writes + config.json corruption recovery",
-        "boot poll timeout no longer fails dispatch — session exists, task pending",
-        "master key clobber guard + COO naming in user-facing strings"
+        "MCP disconnect procedure — explicitly block tmux send-keys workaround"
       ],
       "security": [
         "fix shell injection, SSRF, socket leaks, backup validation",
@@ -382,6 +382,8 @@
         "fix 4 pricing tier bypass vulnerabilities (audit F1-F4)"
       ],
       "other": [
+        "publish v0.9.144 — ESM require() fix + reliable task signals + OAuth 2.1",
+        "add coverage for send_message, cloud_sync, file_copy MCP tools (Track A)",
         "Recover MCP sessions after daemon restart",
         "publish v0.9.143 — all fixes live",
         "publish v0.9.142",
@@ -404,17 +406,15 @@
         "bump v0.9.136 — daemon OOM fix, process monitor, auto-notify reviewer",
         "bump v0.9.135 — code debt cleanup, 28 new tests, full observability",
         "Codex MCP regression tests (18) + DB singleton integration tests (10)",
-        "release notes for v0.9.134",
-        "benchmark score entry for f95b862",
-        "add GitHub Actions CI pipeline — build + test on push"
+        "release notes for v0.9.134"
       ],
       "migration_notes": [
         "If daemon goes down, agents will now fail instead of silently",
         "exe-daemon.ts kills old embed.pid process and cleans up"
       ]
     },
-    "0.9.142": {
-      "version": "0.9.142",
+    "0.9.143": {
+      "version": "0.9.143",
       "date": "2026-05-26",
       "features": [
         "close_task auto-merges PR + pulls main + builds + prunes + respawns",
@@ -446,6 +446,7 @@
       "fixes": [
         "prune old worktree on close_task before respawning fresh",
         "exe-launch-agent resolves multi-instance names — tom2/tom3 no longer rejected",
+        "worktree isolation for all runtimes + token budget enforcement + atomic memory versioning",
         "cross-device sync dedup — cooldown key prevents duplicate pushes",
         "merge gate checks branch name not git author — was silently passing",
         "resume_employee uses autoInstance — spawns tom2/tom3 for parallel",
@@ -467,8 +468,7 @@
         "atomic writes for agent-config.json, roster (orchestration + rename)",
         "atomic JSON writes + config.json corruption recovery",
         "boot poll timeout no longer fails dispatch — session exists, task pending",
-        "master key clobber guard + COO naming in user-facing strings",
-        "MCP port retry + instant embed skip when OOM marker set"
+        "master key clobber guard + COO naming in user-facing strings"
       ],
       "security": [
         "fix shell injection, SSRF, socket leaks, backup validation",
@@ -485,6 +485,9 @@
         "fix 4 pricing tier bypass vulnerabilities (audit F1-F4)"
       ],
       "other": [
+        "Recover MCP sessions after daemon restart",
+        "publish v0.9.143 — all fixes live",
+        "publish v0.9.142",
         "publish v0.9.141",
         "ops: journalctl rotation + certbot expiry alerting",
         "revert: daemon heap back to 33% of RAM — no artificial cap",
@@ -506,10 +509,7 @@
         "Codex MCP regression tests (18) + DB singleton integration tests (10)",
         "release notes for v0.9.134",
         "benchmark score entry for f95b862",
-        "add GitHub Actions CI pipeline — build + test on push",
-        "gitignore GitHub workflows — add via web UI instead",
-        "remove ci.yml — GitHub token lacks workflow scope, will add via web UI",
-        "gitignore — add dist-next, db.sqlite, .wrangler; remove temp scripts"
+        "add GitHub Actions CI pipeline — build + test on push"
       ],
       "migration_notes": [
         "If daemon goes down, agents will now fail instead of silently",