@askexenow/exe-os 0.9.280 → 0.9.282

package/dist/chunk-BWVLMA53.js

@@ -0,0 +1,2113 @@
+import {
+  isCrdtSyncEnabled
+} from "./chunk-EW6XDHID.js";
+import {
+  decryptSyncBlob,
+  encryptSyncBlob,
+  initSyncCrypto,
+  isSyncCryptoInitialized
+} from "./chunk-LO6L5ADL.js";
+import {
+  getClient,
+  loadEmployees,
+  registerBinSymlinks,
+  saveEmployees
+} from "./chunk-52UDAVZE.js";
+import {
+  loadDeviceId
+} from "./chunk-EAPUSVKS.js";
+import {
+  EXE_AI_DIR
+} from "./chunk-T3B5RK4H.js";
+import {
+  atomicWriteJsonSync,
+  atomicWriteSync,
+  enforcePrivateFileSync,
+  ensurePrivateDirSync
+} from "./chunk-LYH5HE24.js";
+
+// src/lib/cloud-sync.ts
+import { readFileSync, writeFileSync, existsSync, readdirSync, mkdirSync, appendFileSync, unlinkSync, openSync, closeSync, statSync } from "fs";
+import crypto from "crypto";
+import path from "path";
+import { homedir } from "os";
+
+// src/lib/compress.ts
+import { brotliCompressSync, brotliDecompressSync, constants } from "zlib";
+function compress(input) {
+  if (input.length === 0) return Buffer.alloc(0);
+  return brotliCompressSync(input, {
+    params: {
+      [constants.BROTLI_PARAM_QUALITY]: 4
+    }
+  });
+}
+function decompress(input) {
+  if (input.length === 0) return Buffer.alloc(0);
+  return brotliDecompressSync(input);
+}
+
+// src/lib/cloud-sync.ts
+var _cloudSyncInProgress = false;
+function sqlSafe(v) {
+  return v === void 0 ? null : v;
+}
+function sqlSafeRequired(v, fallback) {
+  if (v === void 0 || v === null || v === "") return fallback;
+  return v;
+}
+function logError(msg) {
+  try {
+    const logPath = path.join(homedir(), ".exe-os", "workers.log");
+    appendFileSync(logPath, `${(/* @__PURE__ */ new Date()).toISOString()} ${msg}
+`);
+  } catch (e) {
+    process.stderr.write("[cloud-sync] logError write failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+  }
+}
+var LOCALHOST_PATTERNS = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
+var FETCH_TIMEOUT_MS = 3e4;
+var PUSH_BATCH_SIZE = 5e3;
+var ROSTER_LOCK_PATH = path.join(EXE_AI_DIR, "roster-merge.lock");
+var LOCK_STALE_MS = 3e4;
+var _daemonCrdtSkipLogged = false;
+function shouldUseCrdtMergeForCloudSync() {
+  if (!isCrdtSyncEnabled()) return false;
+  if (process.env.EXE_IS_DAEMON === "1" && process.env.EXE_DAEMON_CRDT_SYNC !== "1") {
+    return false;
+  }
+  return true;
+}
+function logDaemonCrdtSkipOnce() {
+  if (_daemonCrdtSkipLogged) return;
+  _daemonCrdtSkipLogged = true;
+  process.stderr.write(
+    "[cloud-sync] CRDT merge disabled inside daemon; using bounded SQL upsert path. Set EXE_DAEMON_CRDT_SYNC=1 only for diagnostics.\n"
+  );
+}
+var SYNC_COOLDOWN_MS = 1e4;
+var _lastSyncPushVersion = -1;
+var _lastSyncPushTimestamp = 0;
+var _pgPromise = null;
+var _pgFailed = false;
+function isTruthyEnv(value) {
+  return /^(1|true|yes|on)$/i.test(value ?? "");
+}
+function loadPgClient() {
+  if (_pgFailed) return null;
+  const configPath = path.join(EXE_AI_DIR, "config.json");
+  let cloudPostgresUrl;
+  let configEnabled = false;
+  try {
+    if (existsSync(configPath)) {
+      const cfg = JSON.parse(readFileSync(configPath, "utf8"));
+      cloudPostgresUrl = cfg.cloud?.postgresUrl;
+      configEnabled = cfg.cloud?.syncToPostgres === true;
+    }
+  } catch (e) {
+    process.stderr.write("[cloud-sync] config.json parse failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+  }
+  const envEnabled = isTruthyEnv(process.env.EXE_CLOUD_SYNC_TO_POSTGRES);
+  if (!envEnabled && !configEnabled) {
+    return null;
+  }
+  const url = process.env.DATABASE_URL || cloudPostgresUrl;
+  if (!url) {
+    _pgFailed = true;
+    return null;
+  }
+  if (!_pgPromise) {
+    _pgPromise = (async () => {
+      if (!process.env.DATABASE_URL) process.env.DATABASE_URL = url;
+      const { createRequire } = await import("module");
+      const { pathToFileURL } = await import("url");
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const mod = await import(pathToFileURL(explicitPath).href);
+        const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+        if (!Ctor) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor();
+      }
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path.join(homedir(), "exe-db");
+      const packagePath = path.join(exeDbRoot, "package.json");
+      if (existsSync(packagePath)) {
+        const req = createRequire(packagePath);
+        const entry = req.resolve("@prisma/client");
+        const mod = await import(pathToFileURL(entry).href);
+        const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+        if (!Ctor) throw new Error("No PrismaClient");
+        return new Ctor();
+      }
+      const { Pool } = await import("pg");
+      const { pgSslConfig } = await import("./pg-ssl-7JXQFL4I.js");
+      const pool = new Pool({
+        connectionString: process.env.DATABASE_URL,
+        ...pgSslConfig(),
+        max: 5,
+        // Limit connection pool (default 10 is too many for single-tenant)
+        idleTimeoutMillis: 3e4
+        // Close idle connections after 30s
+      });
+      return {
+        async $queryRawUnsafe(query, ...values) {
+          const result = await pool.query(query, values);
+          return result.rows;
+        },
+        async $executeRawUnsafe(query, ...values) {
+          const result = await pool.query(query, values);
+          return result.rowCount ?? 0;
+        },
+        async $disconnect() {
+          await pool.end();
+        }
+      };
+    })().catch((err) => {
+      process.stderr.write(`[cloud-sync] Postgres connection failed: ${err instanceof Error ? err.message : String(err)}
+`);
+      _pgFailed = true;
+      _pgPromise = null;
+      throw new Error("pg_unavailable");
+    });
+  }
+  return _pgPromise;
+}
+async function disposeCloudSync() {
+  if (_pgPromise) {
+    try {
+      const pg = await _pgPromise;
+      if (pg.$disconnect) await pg.$disconnect();
+    } catch {
+    }
+    _pgPromise = null;
+  }
+}
+async function pushToPostgres(records) {
+  const loader = loadPgClient();
+  if (!loader) return 0;
+  if (!isSyncCryptoInitialized()) {
+    process.stderr.write("[cloud-sync] Postgres raw_events push skipped: sync crypto is not initialized; refusing plaintext Company Brain payload.\n");
+    return 0;
+  }
+  let prisma;
+  try {
+    prisma = await loader;
+  } catch (e) {
+    process.stderr.write("[cloud-sync] Postgres client init failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    return 0;
+  }
+  let inserted = 0;
+  for (const rec of records) {
+    try {
+      const encryptedPayload = encryptSyncBlob(Buffer.from(JSON.stringify(rec), "utf8"));
+      const changed = await prisma.$executeRawUnsafe(
+        `INSERT INTO raw.raw_events (id, source, source_id, event_type, payload, metadata, timestamp)
+         VALUES (gen_random_uuid(), 'cloud_sync', $1, 'memory', $2::jsonb, $3::jsonb, $4)
+         ON CONFLICT (source, source_id, event_type) DO UPDATE SET
+           payload = EXCLUDED.payload,
+           metadata = EXCLUDED.metadata,
+           processed_at = NULL`,
+        String(rec.id ?? ""),
+        JSON.stringify({ e2ee: true, format: "exe-sync-blob", blob: encryptedPayload }),
+        JSON.stringify({ e2ee: true, format: "exe-sync-blob", plaintext_metadata: false }),
+        rec.timestamp ? new Date(String(rec.timestamp)) : /* @__PURE__ */ new Date()
+      );
+      inserted += Number(changed ?? 0);
+    } catch (e) {
+      process.stderr.write("[cloud-sync] Postgres raw_events insert failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+  }
+  return inserted;
+}
+async function withRosterLock(fn) {
+  try {
+    const fd = openSync(ROSTER_LOCK_PATH, "wx");
+    closeSync(fd);
+    writeFileSync(ROSTER_LOCK_PATH, String(Date.now()));
+  } catch (err) {
+    if (err.code === "EEXIST") {
+      try {
+        const ts = parseInt(readFileSync(ROSTER_LOCK_PATH, "utf-8"), 10);
+        if (Date.now() - ts < LOCK_STALE_MS) {
+          throw new Error("Roster merge already in progress \u2014 another sync is running");
+        }
+        unlinkSync(ROSTER_LOCK_PATH);
+        const fd = openSync(ROSTER_LOCK_PATH, "wx");
+        closeSync(fd);
+        writeFileSync(ROSTER_LOCK_PATH, String(Date.now()));
+      } catch (retryErr) {
+        if (retryErr instanceof Error && retryErr.message.includes("already in progress")) throw retryErr;
+        throw new Error("Roster merge already in progress \u2014 another sync is running");
+      }
+    } else {
+      throw err;
+    }
+  }
+  try {
+    return await fn();
+  } finally {
+    try {
+      unlinkSync(ROSTER_LOCK_PATH);
+    } catch (e) {
+      process.stderr.write("[cloud-sync] roster lock cleanup failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+  }
+}
+async function fetchWithRetry(url, init) {
+  const MAX_RETRIES = 3;
+  const BASE_DELAY_MS = 200;
+  let lastError;
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    try {
+      const signal = AbortSignal.timeout(FETCH_TIMEOUT_MS);
+      const resp = await fetch(url, { ...init, signal });
+      if (resp && resp.status >= 500 && attempt < MAX_RETRIES) {
+        try {
+          await resp.text();
+        } catch {
+        }
+        await new Promise((r) => setTimeout(r, BASE_DELAY_MS * Math.pow(2, attempt)));
+        continue;
+      }
+      return resp;
+    } catch (err) {
+      lastError = err;
+      if (attempt === MAX_RETRIES) throw err;
+      await new Promise((r) => setTimeout(r, BASE_DELAY_MS * Math.pow(2, attempt)));
+    }
+  }
+  throw lastError;
+}
+function migrateEndpoint(endpoint) {
+  if (endpoint === "https://askexe.com/cloud" || endpoint === "https://askexe.com/cloud/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from askexe.com/cloud to api.askexe.com\n"
+    );
+    return "https://api.askexe.com";
+  }
+  if (endpoint === "https://cloud.askexe.com" || endpoint === "https://cloud.askexe.com/") {
+    process.stderr.write(
+      "[cloud-sync] Auto-migrating endpoint from cloud.askexe.com to api.askexe.com\n"
+    );
+    return "https://api.askexe.com";
+  }
+  return endpoint;
+}
+var PRIVATE_IP_PATTERN = /^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.|0\.|fc|fd)/i;
+function assertSecureEndpoint(endpoint) {
+  if (endpoint.startsWith("https://")) return;
+  if (endpoint.startsWith("http://")) {
+    try {
+      const parsed = new URL(endpoint);
+      if (LOCALHOST_PATTERNS.test(parsed.hostname)) return;
+      if (PRIVATE_IP_PATTERN.test(parsed.hostname)) {
+        throw new Error(
+          `Private network endpoint rejected: "${endpoint}". Cloud sync cannot target internal IPs (10.x, 172.16-31.x, 192.168.x, link-local).`
+        );
+      }
+    } catch (e) {
+      if (e instanceof Error && e.message.includes("rejected")) throw e;
+      process.stderr.write("[cloud-sync] malformed endpoint URL parse: " + (e instanceof Error ? e.message : String(e)) + "\n");
+      return;
+    }
+    throw new Error(
+      `Insecure cloud endpoint rejected: "${endpoint}". Use https:// for remote hosts. Plain http:// is only allowed for localhost.`
+    );
+  }
+}
+async function cloudPush(records, maxVersion, config) {
+  if (records.length === 0) return true;
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const json = JSON.stringify(records);
+    const compressed = compress(Buffer.from(json, "utf8"));
+    const blob = encryptSyncBlob(compressed);
+    const resp = await fetchWithRetry(`${config.endpoint}/sync/push`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "Content-Type": "application/json",
+        "X-Device-Id": loadDeviceId(),
+        "X-Expected-Version": String(maxVersion)
+      },
+      body: JSON.stringify({ version: maxVersion, blob })
+    });
+    if (resp == null) {
+      logError("[cloud-sync] PUSH FAILED: no response from server");
+      return false;
+    }
+    if (resp.status === 409) {
+      logError("[cloud-sync] PUSH VERSION CONFLICT \u2014 re-pull required before next push");
+      return false;
+    }
+    return resp.ok;
+  } catch (err) {
+    logError(`[cloud-sync] PUSH FAILED: ${err instanceof Error ? err.message : String(err)}`);
+    return false;
+  }
+}
+async function cloudResetMemoryBlobs(config) {
+  assertSecureEndpoint(config.endpoint);
+  const resp = await fetchWithRetry(`${config.endpoint}/sync/reset-memory`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${config.apiKey}`,
+      "Content-Type": "application/json",
+      "X-Device-Id": loadDeviceId()
+    },
+    body: JSON.stringify({ confirm: "LOCAL DB IS SOURCE OF TRUTH" })
+  });
+  if (!resp.ok) {
+    throw new Error(`cloud reset failed: HTTP ${resp.status}`);
+  }
+  const data = await resp.json();
+  return { deleted: Number(data.deleted ?? 0), freedBytes: Number(data.freed_bytes ?? 0) };
+}
+async function cloudPull(sinceVersion, config) {
+  assertSecureEndpoint(config.endpoint);
+  const PULL_PAGE_LIMIT = 1e3;
+  try {
+    const allBlobs = [];
+    let currentSince = sinceVersion;
+    let maxVersion = sinceVersion;
+    let hasMore = true;
+    while (hasMore) {
+      const response = await fetchWithRetry(`${config.endpoint}/sync/pull`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${config.apiKey}`,
+          "Content-Type": "application/json",
+          "X-Device-Id": loadDeviceId()
+        },
+        body: JSON.stringify({ since_version: currentSince, limit: PULL_PAGE_LIMIT })
+      });
+      if (response == null) {
+        logError("[cloud-sync] PULL FAILED: no response from server");
+        return { records: [], maxVersion: sinceVersion };
+      }
+      if (!response.ok) return { records: [], maxVersion: sinceVersion };
+      const data = await response.json();
+      const pageBlobs = data.blobs ?? [];
+      allBlobs.push(...pageBlobs);
+      maxVersion = Math.max(maxVersion, data.max_version ?? 0);
+      if (pageBlobs.length < PULL_PAGE_LIMIT) {
+        hasMore = false;
+      } else {
+        const lastBlobVersion = pageBlobs[pageBlobs.length - 1]?.version ?? 0;
+        if (lastBlobVersion <= currentSince) {
+          hasMore = false;
+        } else {
+          currentSince = lastBlobVersion;
+        }
+      }
+    }
+    const allRecords = [];
+    let maxReadableVersion = sinceVersion;
+    let skippedBlobs = 0;
+    for (const { version, blob } of allBlobs) {
+      try {
+        const compressed = decryptSyncBlob(blob);
+        const json = decompress(compressed).toString("utf8");
+        const records = JSON.parse(json);
+        allRecords.push(...records);
+        const recordMax = records.reduce((max, rec) => {
+          const v = Number(rec.version ?? 0);
+          return Number.isFinite(v) ? Math.max(max, v) : max;
+        }, 0);
+        const blobVersion = Number(version ?? 0);
+        maxReadableVersion = Math.max(
+          maxReadableVersion,
+          Number.isFinite(blobVersion) ? blobVersion : 0,
+          recordMax
+        );
+      } catch (e) {
+        process.stderr.write("[cloud-sync] blob decrypt/decompress failed (version " + version + "): " + (e instanceof Error ? e.message : String(e)) + "\n");
+        skippedBlobs++;
+        continue;
+      }
+    }
+    const finalMaxVersion = maxReadableVersion;
+    if (skippedBlobs > 0) {
+      logError(`[cloud-sync] PULL skipped ${skippedBlobs} undecryptable blob(s); cursor advancing to ${finalMaxVersion} (last readable: ${maxReadableVersion})`);
+    }
+    return { records: allRecords, maxVersion: finalMaxVersion };
+  } catch (err) {
+    logError(`[cloud-sync] PULL FAILED: ${err instanceof Error ? err.message : String(err)}`);
+    return { records: [], maxVersion: sinceVersion };
+  }
+}
+var CLOUD_REUPLOAD_REQUIRED_MESSAGE = "Cloud sync is blocked because this device rotated its memory encryption key. Run `exe-os cloud reupload` first to re-upload the cloud backup with the new key.";
+async function getCloudReuploadRequired(client = getClient()) {
+  try {
+    await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+    const result = await client.execute("SELECT key, value FROM sync_meta WHERE key IN ('cloud_reupload_required', 'cloud_relink_required')");
+    return result.rows.some((row) => String(row.value ?? "") === "1");
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    process.stderr.write("[cloud-sync] getCloudReuploadRequired query failed (blocking sync as precaution): " + msg + "\n");
+    throw new Error(`[cloud-sync] Key-rotation guard check failed: ${msg}`);
+  }
+}
+async function clearCloudReuploadRequired(client = getClient()) {
+  await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+  await client.execute("INSERT INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '0') ON CONFLICT(key) DO UPDATE SET value = excluded.value");
+  await client.execute("INSERT INTO sync_meta (key, value) VALUES ('cloud_relink_required', '0') ON CONFLICT(key) DO UPDATE SET value = excluded.value");
+  await client.execute({
+    sql: "INSERT INTO sync_meta (key, value) VALUES ('cloud_reuploaded_at', ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value",
+    args: [(/* @__PURE__ */ new Date()).toISOString()]
+  });
+  await client.execute("DELETE FROM sync_meta WHERE key IN ('last_cloud_pull_version', 'last_cloud_push_version')");
+}
+var getCloudRelinkRequired = getCloudReuploadRequired;
+async function clearCloudRelinkRequired(client = getClient()) {
+  await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+  await client.execute("INSERT INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '0') ON CONFLICT(key) DO UPDATE SET value = excluded.value");
+  await client.execute("INSERT INTO sync_meta (key, value) VALUES ('cloud_relink_required', '0') ON CONFLICT(key) DO UPDATE SET value = excluded.value");
+  await client.execute({
+    sql: "INSERT INTO sync_meta (key, value) VALUES ('cloud_relinked_at', ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value",
+    args: [(/* @__PURE__ */ new Date()).toISOString()]
+  });
+  await client.execute("DELETE FROM sync_meta WHERE key IN ('last_cloud_pull_version', 'last_cloud_push_version')");
+}
+async function markCloudReuploadRequired(client = getClient()) {
+  await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+  await client.execute("INSERT INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1') ON CONFLICT(key) DO UPDATE SET value = excluded.value");
+}
+function defaultOnProgress(stage, detail) {
+  const msg = detail ? `[cloud-sync] ${stage}: ${detail}` : `[cloud-sync] ${stage}`;
+  process.stderr.write(msg + "\n");
+}
+async function cloudSync(config, options) {
+  const onProgress = options?.onProgress ?? defaultOnProgress;
+  if (_cloudSyncInProgress) {
+    process.stderr.write("[cloud-sync] Cloud sync already in progress \u2014 skipping this request.\n");
+    return { pushed: 0, pulled: 0, totalMemories: 0, behaviors: { pushed: 0, pulled: 0 }, graphrag: { pushed: 0, pulled: 0 }, tasks: { pushed: 0, pulled: 0 }, conversations: { pushed: 0, pulled: 0 }, documents: { pushed: 0, pulled: 0 }, roster: { employees: 0, identities: 0 } };
+  }
+  _cloudSyncInProgress = true;
+  const syncStartTime = Date.now();
+  try {
+    config = { ...config, endpoint: migrateEndpoint(config.endpoint) };
+    onProgress("Cloud sync", "authenticating...");
+    if (!isSyncCryptoInitialized()) {
+      try {
+        const { getMasterKey } = await import("./lib/keychain.js");
+        const masterKey = await getMasterKey();
+        if (masterKey) {
+          initSyncCrypto(masterKey);
+        } else {
+          throw new Error("No master key found");
+        }
+      } catch (err) {
+        throw new Error(`[cloud-sync] Cannot initialize encryption: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+    let client;
+    try {
+      client = getClient();
+    } catch (e) {
+      process.stderr.write("[cloud-sync] getClient() failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+      throw new Error("[cloud-sync] Database not initialized. Call initStore() before cloudSync().");
+    }
+    try {
+      if (await getCloudReuploadRequired(client)) throw new Error(CLOUD_REUPLOAD_REQUIRED_MESSAGE);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg === CLOUD_REUPLOAD_REQUIRED_MESSAGE || msg.includes("key rotation") || msg.includes("guard check failed")) throw err;
+    }
+    try {
+      const { getRawClient } = await import("./lib/database.js");
+      await getRawClient().execute("PRAGMA wal_checkpoint(PASSIVE)");
+    } catch (e) {
+      process.stderr.write("[cloud-sync] WAL checkpoint failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+    try {
+      await client.execute(
+        "CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)"
+      );
+    } catch (e) {
+      logError(`[cloud-sync] sync_meta CREATE failed: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    onProgress("Cloud sync", "pulling remote changes...");
+    const pullMeta = await client.execute(
+      "SELECT value FROM sync_meta WHERE key = 'last_cloud_pull_version'"
+    );
+    const lastPullVersion = pullMeta.rows.length > 0 ? Number(pullMeta.rows[0].value) : 0;
+    const pullResult = await cloudPull(lastPullVersion, config);
+    let pulled = 0;
+    if (pullResult.records.length > 0) {
+      if (shouldUseCrdtMergeForCloudSync()) {
+        const { initCrdtDoc, importExistingMemories, readAllMemories } = await import("./crdt-sync-UIQJ5U7T.js");
+        initCrdtDoc();
+        importExistingMemories(
+          pullResult.records.map((rec) => ({
+            id: String(rec.id ?? ""),
+            agent_id: rec.agent_id,
+            agent_role: rec.agent_role,
+            session_id: rec.session_id,
+            timestamp: rec.timestamp,
+            tool_name: rec.tool_name,
+            project_name: rec.project_name,
+            has_error: rec.has_error ?? 0,
+            raw_text: rec.raw_text ?? "",
+            version: rec.version ?? 0,
+            author_device_id: rec.author_device_id,
+            scope: rec.scope ?? "business"
+          }))
+        );
+        const pulledIds = new Set(pullResult.records.map((r) => String(r.id ?? "")));
+        const merged = readAllMemories().filter((rec) => pulledIds.has(rec.id));
+        const stmts = merged.map((rec) => ({
+          sql: `INSERT INTO memories
+              (id, agent_id, agent_role, session_id, timestamp,
+               tool_name, project_name, has_error, raw_text, version,
+               author_device_id, scope, memory_type, session_scope)
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+              ON CONFLICT(id) DO UPDATE SET
+                agent_id = excluded.agent_id,
+                agent_role = excluded.agent_role,
+                session_id = excluded.session_id,
+                timestamp = excluded.timestamp,
+                tool_name = excluded.tool_name,
+                project_name = excluded.project_name,
+                has_error = excluded.has_error,
+                raw_text = excluded.raw_text,
+                version = excluded.version,
+                author_device_id = excluded.author_device_id,
+                scope = excluded.scope,
+                memory_type = COALESCE(excluded.memory_type, memories.memory_type),
+                session_scope = COALESCE(excluded.session_scope, memories.session_scope),
+                vector = COALESCE(memories.vector, excluded.vector),
+                importance = COALESCE(memories.importance, excluded.importance),
+                confidence = COALESCE(memories.confidence, excluded.confidence),
+                tier = COALESCE(memories.tier, excluded.tier),
+                strength = COALESCE(memories.strength, excluded.strength)`,
+          args: [
+            sqlSafe(rec.id),
+            sqlSafe(rec.agent_id),
+            sqlSafe(rec.agent_role),
+            sqlSafe(rec.session_id),
+            sqlSafe(rec.timestamp),
+            sqlSafe(rec.tool_name),
+            sqlSafe(rec.project_name),
+            sqlSafe(rec.has_error ?? 0),
+            sqlSafe(rec.raw_text ?? ""),
+            sqlSafe(rec.version ?? 0),
+            sqlSafe(rec.author_device_id),
+            sqlSafe(rec.scope ?? "business"),
+            sqlSafe(rec.memory_type),
+            sqlSafe(rec.session_scope)
+          ]
+        }));
+        if (stmts.length > 0) await client.batch(stmts, "write");
+        pulled = pullResult.records.length;
+      } else {
+        if (process.env.EXE_IS_DAEMON === "1" && isCrdtSyncEnabled()) {
+          logDaemonCrdtSkipOnce();
+        }
+        try {
+          const incomingIds = pullResult.records.map((r) => sqlSafe(r.id));
+          if (incomingIds.length > 0) {
+            const ph = incomingIds.map(() => "?").join(",");
+            const existing = await client.execute({
+              sql: `SELECT id, version, timestamp FROM memories WHERE id IN (${ph})`,
+              args: incomingIds
+            });
+            const localMap = new Map(existing.rows.map((r) => [String(r.id), r]));
+            for (const rec of pullResult.records) {
+              const local = localMap.get(String(rec.id));
+              if (local && Number(local.version) > 0 && Number(local.version) !== Number(rec.version ?? 0)) {
+                process.stderr.write(
+                  `[cloud-sync] CONFLICT: memory ${String(rec.id).slice(0, 8)} \u2014 local v${local.version} vs remote v${rec.version ?? 0}. Remote wins (LWW).
+`
+                );
+                client.execute({
+                  sql: `INSERT OR IGNORE INTO sync_conflicts (id, memory_id, local_version, remote_version, local_timestamp, remote_timestamp, local_device_id, resolution, created_at)
+                      VALUES (?, ?, ?, ?, ?, ?, ?, 'remote_wins', ?)`,
+                  args: [
+                    `conflict-${String(rec.id).slice(0, 8)}-${Date.now()}`,
+                    String(rec.id),
+                    Number(local.version),
+                    Number(rec.version ?? 0),
+                    String(local.timestamp ?? ""),
+                    String(rec.timestamp ?? ""),
+                    process.env.EXE_DEVICE_ID ?? "",
+                    (/* @__PURE__ */ new Date()).toISOString()
+                  ]
+                }).catch((err) => {
+                  process.stderr.write(`[cloud-sync] conflict audit insert failed: ${err instanceof Error ? err.message : String(err)}
+`);
+                });
+              }
+            }
+          }
+        } catch (e) {
+          process.stderr.write("[cloud-sync] conflict detection query failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+        }
+        const localDeviceId = loadDeviceId();
+        const deviceFilteredRecords = pullResult.records.filter((rec) => {
+          const authorDevice = rec.author_device_id;
+          if (!authorDevice) return true;
+          if (String(authorDevice) === localDeviceId) return true;
+          return true;
+        });
+        const stmts = deviceFilteredRecords.map((rec) => ({
+          sql: `INSERT INTO memories
+              (id, agent_id, agent_role, session_id, timestamp,
+               tool_name, project_name, has_error, raw_text, version,
+               author_device_id, scope, memory_type, session_scope)
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+              ON CONFLICT(id) DO UPDATE SET
+                agent_id = excluded.agent_id,
+                agent_role = excluded.agent_role,
+                session_id = excluded.session_id,
+                timestamp = excluded.timestamp,
+                tool_name = excluded.tool_name,
+                project_name = excluded.project_name,
+                has_error = excluded.has_error,
+                raw_text = excluded.raw_text,
+                version = excluded.version,
+                author_device_id = excluded.author_device_id,
+                scope = excluded.scope,
+                memory_type = COALESCE(excluded.memory_type, memories.memory_type),
+                session_scope = COALESCE(excluded.session_scope, memories.session_scope),
+                vector = COALESCE(memories.vector, excluded.vector),
+                importance = COALESCE(memories.importance, excluded.importance),
+                confidence = COALESCE(memories.confidence, excluded.confidence),
+                tier = COALESCE(memories.tier, excluded.tier),
+                strength = COALESCE(memories.strength, excluded.strength)`,
+          args: [
+            sqlSafe(rec.id),
+            sqlSafeRequired(rec.agent_id, "unknown"),
+            sqlSafeRequired(rec.agent_role, "employee"),
+            sqlSafeRequired(rec.session_id, "cloud-sync"),
+            sqlSafeRequired(rec.timestamp, (/* @__PURE__ */ new Date()).toISOString()),
+            sqlSafeRequired(rec.tool_name, "cloud_sync"),
+            sqlSafeRequired(rec.project_name, "unknown"),
+            sqlSafe(rec.has_error ?? 0),
+            sqlSafe(rec.raw_text ?? ""),
+            sqlSafe(rec.version ?? 0),
+            sqlSafe(rec.author_device_id),
+            sqlSafe(rec.scope ?? "business"),
+            sqlSafe(rec.memory_type),
+            sqlSafe(rec.session_scope)
+          ]
+        }));
+        let syncErrors = 0;
+        const BATCH_SIZE = 100;
+        for (let i = 0; i < stmts.length; i += BATCH_SIZE) {
+          const batch = stmts.slice(i, i + BATCH_SIZE);
+          try {
+            await client.batch(batch, "write");
+          } catch (batchErr) {
+            for (const stmt of batch) {
+              try {
+                await client.execute(stmt);
+              } catch (recErr) {
+                syncErrors++;
+                process.stderr.write(
+                  `[cloud-sync] Skipped bad record (${recErr instanceof Error ? recErr.message : String(recErr)})
+`
+                );
+              }
+            }
+          }
+          if (i + BATCH_SIZE < stmts.length) {
+            await new Promise((resolve) => setImmediate(resolve));
+          }
+        }
+        pulled = stmts.length - syncErrors;
+        if (syncErrors > 0) {
+          process.stderr.write(`[cloud-sync] Pull completed with ${syncErrors} skipped record(s)
+`);
+        }
+      }
+    }
+    if (pulled > 0) {
+      try {
+        await pushToPostgres(pullResult.records);
+      } catch (e) {
+        process.stderr.write("[cloud-sync] Postgres push of pulled records failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+      }
+    }
+    if (pullResult.maxVersion > lastPullVersion) {
+      await client.execute({
+        sql: "INSERT INTO sync_meta (key, value) VALUES ('last_cloud_pull_version', ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value",
+        args: [String(pullResult.maxVersion)]
+      });
+    }
+    onProgress("Cloud sync", `pushing memories...`);
+    const pushMeta = await client.execute(
+      "SELECT value FROM sync_meta WHERE key = 'last_cloud_push_version'"
+    );
+    const lastPushVersion = pushMeta.rows.length > 0 ? Number(pushMeta.rows[0].value) : 0;
+    let pushed = 0;
+    let batchCursor = lastPushVersion;
+    const nowMs = Date.now();
+    const pushCooldownActive = lastPushVersion > 0 && lastPushVersion === _lastSyncPushVersion && nowMs - _lastSyncPushTimestamp < SYNC_COOLDOWN_MS;
+    if (pushCooldownActive) {
+    } else {
+      while (true) {
+        const recordsResult = await client.execute({
+          sql: `SELECT id, agent_id, agent_role, session_id, timestamp,
+                   tool_name, project_name, has_error, raw_text, version,
+                   author_device_id, scope, session_scope
+            FROM memories
+            WHERE version > ?
+              AND (scope IS NULL OR scope != 'personal')
+            ORDER BY version ASC
+            LIMIT ?`,
+          args: [batchCursor, PUSH_BATCH_SIZE]
+        });
+        if (recordsResult.rows.length === 0) break;
+        const records = recordsResult.rows.map((row) => ({
+          id: row.id,
+          agent_id: row.agent_id,
+          agent_role: row.agent_role,
+          session_id: row.session_id,
+          timestamp: row.timestamp,
+          tool_name: row.tool_name,
+          project_name: row.project_name,
+          has_error: row.has_error,
+          raw_text: row.raw_text,
+          version: row.version,
+          author_device_id: row.author_device_id,
+          scope: row.scope,
+          session_scope: row.session_scope
+        }));
+        const maxVersion = Number(records[records.length - 1].version);
+        let pushOk = await cloudPush(records, maxVersion, config);
+        if (!pushOk) {
+          await cloudPull(lastPullVersion, config);
+          pushOk = await cloudPush(records, maxVersion, config);
+          if (!pushOk) break;
+        }
+        try {
+          await pushToPostgres(records);
+        } catch (e) {
+          process.stderr.write("[cloud-sync] Postgres push of local records failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+        }
+        await client.execute({
+          sql: "INSERT INTO sync_meta (key, value) VALUES ('last_cloud_push_version', ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value",
+          args: [String(maxVersion)]
+        });
+        pushed += records.length;
+        batchCursor = maxVersion;
+        _lastSyncPushVersion = maxVersion;
+        _lastSyncPushTimestamp = Date.now();
+        if (recordsResult.rows.length < PUSH_BATCH_SIZE) break;
+        await new Promise((resolve) => setImmediate(resolve));
+      }
+    }
+    onProgress("Cloud sync", "merging roster...");
+    try {
+      await cloudPushRoster(config);
+    } catch (err) {
+      logError(`[cloud-sync] Roster push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      await cloudPullRoster(config);
+    } catch (err) {
+      logError(`[cloud-sync] Roster pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      await cloudPushGlobalProcedures(config);
+    } catch (err) {
+      logError(`[cloud-sync] Company procedures push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      await cloudPullGlobalProcedures(config);
+    } catch (err) {
+      logError(`[cloud-sync] Company procedures pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const countRows = async (sql) => {
+      try {
+        return Number((await client.execute(sql)).rows[0]?.cnt ?? 0);
+      } catch (e) {
+        process.stderr.write("[cloud-sync] countRows failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+        return 0;
+      }
+    };
+    onProgress("Cloud sync", "syncing behaviors...");
+    const behaviorsResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushBehaviors(config);
+      behaviorsResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM behaviors WHERE active = 1");
+    } catch (err) {
+      logError(`[cloud-sync] Behaviors push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullBehaviors(config);
+      behaviorsResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] Behaviors pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    onProgress("Cloud sync", "syncing graph...");
+    const graphragResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushGraphRAG(config);
+      graphragResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM entities");
+    } catch (err) {
+      logError(`[cloud-sync] GraphRAG push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullGraphRAG(config);
+      graphragResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] GraphRAG pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    onProgress("Cloud sync", "syncing tasks...");
+    const tasksResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushTasks(config);
+      tasksResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM tasks");
+    } catch (err) {
+      logError(`[cloud-sync] Tasks push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullTasks(config);
+      tasksResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] Tasks pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const conversationsResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushConversations(config);
+      conversationsResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM conversations");
+    } catch (err) {
+      logError(`[cloud-sync] Conversations push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullConversations(config);
+      conversationsResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] Conversations pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const schedulesResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushSchedules(config);
+      schedulesResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM schedules");
+    } catch (err) {
+      logError(`[cloud-sync] Schedules push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullSchedules(config);
+      schedulesResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] Schedules pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const trajectoriesResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushTrajectories(config);
+      trajectoriesResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM trajectories");
+    } catch (err) {
+      logError(`[cloud-sync] Trajectories push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullTrajectories(config);
+      trajectoriesResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] Trajectories pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const consolidationsResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushConsolidations(config);
+      consolidationsResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM consolidations");
+    } catch (err) {
+      logError(`[cloud-sync] Consolidations push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullConsolidations(config);
+      consolidationsResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] Consolidations pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const identityResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushIdentityMeta(config);
+      identityResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM identity");
+    } catch (err) {
+      logError(`[cloud-sync] Identity push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullIdentityMeta(config);
+      identityResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] Identity pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const documentsResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushDocuments(config);
+      documentsResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM documents");
+    } catch (err) {
+      logError(`[cloud-sync] Documents push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullDocuments(config);
+      documentsResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] Documents pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const coreMemoryResult = { pushed: 0, pulled: 0 };
+    try {
+      await cloudPushCoreMemory(config);
+      coreMemoryResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM core_memory");
+    } catch (err) {
+      logError(`[cloud-sync] Core memory push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      const pullResult2 = await cloudPullCoreMemory(config);
+      coreMemoryResult.pulled = pullResult2.pulled;
+    } catch (err) {
+      logError(`[cloud-sync] Core memory pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const rosterResult = { employees: 0, identities: 0 };
+    try {
+      const employees = await loadEmployees();
+      rosterResult.employees = employees.length;
+      const idDir = path.join(EXE_AI_DIR, "identity");
+      if (existsSync(idDir)) {
+        rosterResult.identities = readdirSync(idDir).filter((f) => f.endsWith(".md")).length;
+      }
+    } catch (e) {
+      process.stderr.write("[cloud-sync] roster count failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+    const totalMemories = await countRows("SELECT COUNT(*) as cnt FROM memories WHERE status = 'active' OR status IS NULL");
+    try {
+      const { getLatestBackup } = await import("./db-backup-F7VP4QRH.js");
+      const latestBackup = getLatestBackup();
+      if (latestBackup) {
+        const backupSize = statSync(latestBackup).size;
+        const MAX_CLOUD_BACKUP_BYTES = 50 * 1024 * 1024;
+        if (backupSize <= MAX_CLOUD_BACKUP_BYTES) {
+          const backupData = readFileSync(latestBackup);
+          const deviceId = loadDeviceId() ?? "unknown";
+          const encrypted = encryptSyncBlob(backupData);
+          const backupRes = await fetchWithRetry(`${config.endpoint}/sync/push-db-backup`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json", Authorization: `Bearer ${config.apiKey}` },
+            body: JSON.stringify({
+              device_id: deviceId,
+              filename: path.basename(latestBackup),
+              blob: encrypted,
+              size: backupData.length
+            })
+          });
+          if (backupRes && !backupRes.ok) {
+            logError(`[cloud-sync] DB backup upload failed: ${backupRes.status}`);
+          }
+        }
+      }
+    } catch (err) {
+      logError(`[cloud-sync] DB backup upload error: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const codeContextResult = { pushed: 0, pulled: 0 };
+    try {
+      codeContextResult.pushed = await cloudPushCodeContext(config);
+    } catch (err) {
+      logError(`[cloud-sync] Code context push: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    try {
+      codeContextResult.pulled = await cloudPullCodeContext(config);
+    } catch (err) {
+      logError(`[cloud-sync] Code context pull: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const elapsedSec = ((Date.now() - syncStartTime) / 1e3).toFixed(1);
+    onProgress("Cloud sync", `complete (pushed ${pushed}, pulled ${pulled}, elapsed ${elapsedSec}s)`);
+    return {
+      pushed,
+      pulled,
+      totalMemories,
+      behaviors: behaviorsResult,
+      graphrag: graphragResult,
+      tasks: tasksResult,
+      conversations: conversationsResult,
+      documents: documentsResult,
+      coreMemory: coreMemoryResult,
+      roster: rosterResult,
+      codeContext: codeContextResult,
+      elapsedMs: Date.now() - syncStartTime
+    };
+  } finally {
+    _cloudSyncInProgress = false;
+  }
+}
+var ROSTER_DELETIONS_PATH = path.join(EXE_AI_DIR, "roster-deletions.json");
+function recordRosterDeletion(name) {
+  let deletions = [];
+  try {
+    if (existsSync(ROSTER_DELETIONS_PATH)) {
+      deletions = JSON.parse(readFileSync(ROSTER_DELETIONS_PATH, "utf-8"));
+    }
+  } catch (e) {
+    process.stderr.write("[cloud-sync] roster-deletions.json read failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+  }
+  if (!deletions.includes(name)) deletions.push(name);
+  atomicWriteJsonSync(ROSTER_DELETIONS_PATH, deletions);
+}
+function consumeRosterDeletions() {
+  try {
+    if (!existsSync(ROSTER_DELETIONS_PATH)) return [];
+    const deletions = JSON.parse(readFileSync(ROSTER_DELETIONS_PATH, "utf-8"));
+    atomicWriteJsonSync(ROSTER_DELETIONS_PATH, []);
+    return deletions;
+  } catch (e) {
+    process.stderr.write("[cloud-sync] consumeRosterDeletions failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    return [];
+  }
+}
+function buildRosterBlob(paths) {
+  const rosterPath = paths?.rosterPath ?? path.join(EXE_AI_DIR, "exe-employees.json");
+  const identityDir = paths?.identityDir ?? path.join(EXE_AI_DIR, "identity");
+  const configPath = paths?.configPath ?? path.join(EXE_AI_DIR, "config.json");
+  let roster = [];
+  if (existsSync(rosterPath)) {
+    try {
+      roster = JSON.parse(readFileSync(rosterPath, "utf-8"));
+    } catch (e) {
+      process.stderr.write("[cloud-sync] roster file parse failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+  }
+  const identities = {};
+  if (existsSync(identityDir)) {
+    for (const file of readdirSync(identityDir).filter((f) => f.endsWith(".md"))) {
+      try {
+        identities[file] = readFileSync(path.join(identityDir, file), "utf-8");
+      } catch (e) {
+        process.stderr.write("[cloud-sync] identity file read failed (" + file + "): " + (e instanceof Error ? e.message : String(e)) + "\n");
+      }
+    }
+  }
+  let config;
+  if (existsSync(configPath)) {
+    try {
+      config = JSON.parse(readFileSync(configPath, "utf-8"));
+    } catch (e) {
+      process.stderr.write("[cloud-sync] config.json read failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+  }
+  let agentConfig;
+  const agentConfigPath = path.join(EXE_AI_DIR, "agent-config.json");
+  if (existsSync(agentConfigPath)) {
+    try {
+      agentConfig = JSON.parse(readFileSync(agentConfigPath, "utf-8"));
+    } catch (e) {
+      process.stderr.write("[cloud-sync] agent-config.json read failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+  }
+  const deletedNames = consumeRosterDeletions();
+  const content = JSON.stringify({ roster, identities, config, agentConfig, deletedNames });
+  const hash = crypto.createHash("sha256").update(content).digest("hex").slice(0, 16);
+  return { roster, identities, config, agentConfig, deletedNames, version: hash };
+}
+async function cloudPushRoster(config) {
+  assertSecureEndpoint(config.endpoint);
+  const blob = buildRosterBlob();
+  if (blob.roster.length === 0) return true;
+  try {
+    const client = getClient();
+    const meta = await client.execute(
+      "SELECT value FROM sync_meta WHERE key = 'last_roster_push_version'"
+    );
+    const lastVersion = meta.rows.length > 0 ? Number(meta.rows[0].value) : 0;
+    if (blob.version === lastVersion) return true;
+  } catch (e) {
+    process.stderr.write("[cloud-sync] roster push version check failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+  }
+  try {
+    const json = JSON.stringify(blob);
+    const compressed = compress(Buffer.from(json, "utf8"));
+    const encrypted = encryptSyncBlob(compressed);
+    const resp = await fetchWithRetry(`${config.endpoint}/sync/push-roster`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "Content-Type": "application/json",
+        "X-Device-Id": loadDeviceId()
+      },
+      body: JSON.stringify({ blob: encrypted })
+    });
+    if (resp.ok) {
+      try {
+        const client = getClient();
+        await client.execute({
+          sql: "INSERT INTO sync_meta (key, value) VALUES ('last_roster_push_version', ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value",
+          args: [String(blob.version)]
+        });
+      } catch (e) {
+        process.stderr.write("[cloud-sync] roster push version update failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+      }
+    }
+    return resp.ok;
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] ROSTER PUSH FAILED: ${err instanceof Error ? err.message : String(err)}
+`);
+    return false;
+  }
+}
+async function cloudPullRoster(config) {
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config.endpoint}/sync/pull-roster`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return { added: 0 };
+    const data = await resp.json();
+    if (!data.blob) return { added: 0 };
+    const compressed = decryptSyncBlob(data.blob);
+    const json = decompress(compressed).toString("utf8");
+    const remote = JSON.parse(json);
+    return mergeRosterFromRemote(remote);
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] ROSTER PULL FAILED: ${err instanceof Error ? err.message : String(err)}
+`);
+    return { added: 0 };
+  }
+}
+function mergeConfig(remoteConfig, configPath) {
+  const cfgPath = configPath ?? path.join(EXE_AI_DIR, "config.json");
+  let local = {};
+  if (existsSync(cfgPath)) {
+    try {
+      local = JSON.parse(readFileSync(cfgPath, "utf-8"));
+    } catch (e) {
+      process.stderr.write("[cloud-sync] mergeConfig local config parse failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+  }
+  const merged = { ...remoteConfig, ...local };
+  const dir = path.dirname(cfgPath);
+  ensurePrivateDirSync(dir);
+  atomicWriteSync(cfgPath, JSON.stringify(merged, null, 2) + "\n");
+  enforcePrivateFileSync(cfgPath);
+}
+async function mergeRosterFromRemote(remote, paths) {
+  return withRosterLock(async () => {
+    const rosterPath = paths?.rosterPath ?? void 0;
+    const identityDir = paths?.identityDir ?? path.join(EXE_AI_DIR, "identity");
+    const localEmployees = await loadEmployees(rosterPath);
+    const localNames = new Set(localEmployees.map((e) => e.name));
+    let added = 0;
+    let identitiesUpdated = 0;
+    for (const remoteEmp of remote.roster) {
+      if (!localNames.has(remoteEmp.name)) {
+        localEmployees.push(remoteEmp);
+        localNames.add(remoteEmp.name);
+        added++;
+        try {
+          registerBinSymlinks(remoteEmp.name);
+        } catch (e) {
+          process.stderr.write("[cloud-sync] bin symlink registration failed for " + remoteEmp.name + ": " + (e instanceof Error ? e.message : String(e)) + "\n");
+        }
+      }
+      const lookupKey = `${remoteEmp.name}.md`;
+      const matchedKey = Object.keys(remote.identities).find(
+        (k) => k.toLowerCase() === lookupKey.toLowerCase()
+      ) ?? lookupKey;
+      const remoteIdentity = remote.identities[matchedKey];
+      if (remoteIdentity) {
+        if (!existsSync(identityDir)) mkdirSync(identityDir, { recursive: true });
+        const idPath = path.join(identityDir, `${remoteEmp.name}.md`);
+        let localIdentity = null;
+        try {
+          localIdentity = existsSync(idPath) ? readFileSync(idPath, "utf-8") : null;
+        } catch (e) {
+          process.stderr.write("[cloud-sync] local identity file read failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+        }
+        if (localIdentity !== remoteIdentity) {
+          atomicWriteSync(idPath, remoteIdentity);
+          identitiesUpdated++;
+        }
+      }
+    }
+    let removed = 0;
+    if (remote.deletedNames && remote.deletedNames.length > 0) {
+      const toRemove = new Set(remote.deletedNames);
+      const filtered = localEmployees.filter((e) => !toRemove.has(e.name));
+      removed = localEmployees.length - filtered.length;
+      if (removed > 0) {
+        localEmployees.length = 0;
+        localEmployees.push(...filtered);
+      }
+    }
+    if (added > 0 || removed > 0) {
+      await saveEmployees(localEmployees, rosterPath);
+    }
+    if (remote.config && Object.keys(remote.config).length > 0) {
+      try {
+        mergeConfig(remote.config, paths?.configPath);
+      } catch (e) {
+        process.stderr.write("[cloud-sync] config merge failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+      }
+    }
+    if (remote.agentConfig && Object.keys(remote.agentConfig).length > 0) {
+      try {
+        const agentConfigPath = path.join(EXE_AI_DIR, "agent-config.json");
+        let local = {};
+        if (existsSync(agentConfigPath)) {
+          try {
+            local = JSON.parse(readFileSync(agentConfigPath, "utf-8"));
+          } catch (e) {
+            process.stderr.write("[cloud-sync] agent-config.json parse failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+          }
+        }
+        const merged = { ...remote.agentConfig, ...local };
+        ensurePrivateDirSync(path.dirname(agentConfigPath));
+        atomicWriteSync(agentConfigPath, JSON.stringify(merged, null, 2) + "\n");
+        enforcePrivateFileSync(agentConfigPath);
+      } catch (e) {
+        process.stderr.write("[cloud-sync] agent-config merge failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+      }
+    }
+    return { added, identitiesUpdated };
+  });
+}
+async function cloudPushBlob(route, data, metaKey, config) {
+  if (data.length === 0) return { ok: true };
+  assertSecureEndpoint(config.endpoint);
+  const json = JSON.stringify(data);
+  const version = parseInt(crypto.createHash("sha256").update(json).digest("hex").slice(0, 12), 16);
+  try {
+    const client = getClient();
+    const meta = await client.execute({
+      sql: "SELECT value FROM sync_meta WHERE key = ?",
+      args: [metaKey]
+    });
+    const lastVersion = meta.rows.length > 0 ? Number(meta.rows[0].value) : 0;
+    if (version === lastVersion) return { ok: true };
+  } catch (e) {
+    process.stderr.write("[cloud-sync] pushBlob version check failed (" + metaKey + "): " + (e instanceof Error ? e.message : String(e)) + "\n");
+  }
+  try {
+    const compressed = compress(Buffer.from(json, "utf8"));
+    const encrypted = encryptSyncBlob(compressed);
+    const resp = await fetchWithRetry(`${config.endpoint}${route}`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "Content-Type": "application/json",
+        "X-Device-Id": loadDeviceId()
+      },
+      body: JSON.stringify({ blob: encrypted })
+    });
+    if (resp.ok) {
+      try {
+        const client = getClient();
+        await client.execute({
+          sql: "INSERT INTO sync_meta (key, value) VALUES (?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value",
+          args: [metaKey, String(version)]
+        });
+      } catch (e) {
+        process.stderr.write("[cloud-sync] pushBlob version update failed (" + metaKey + "): " + (e instanceof Error ? e.message : String(e)) + "\n");
+      }
+    }
+    return { ok: resp.ok };
+  } catch (err) {
+    logError(`[cloud-sync] PUSH ${route}: ${err instanceof Error ? err.message : String(err)}`);
+    return { ok: false };
+  }
+}
+async function cloudPullBlob(route, config) {
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config.endpoint}${route}`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return null;
+    const data = await resp.json();
+    if (!data.blob) return null;
+    const compressed = decryptSyncBlob(data.blob);
+    const json = decompress(compressed).toString("utf8");
+    return JSON.parse(json);
+  } catch (err) {
+    logError(`[cloud-sync] PULL ${route}: ${err instanceof Error ? err.message : String(err)}`);
+    return null;
+  }
+}
+async function cloudPushGlobalProcedures(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM company_procedures LIMIT 1000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob(
+    "/sync/push-global-procedures",
+    rows,
+    "last_company_procedures_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullGlobalProcedures(config) {
+  const remoteProcs = await cloudPullBlob(
+    "/sync/pull-global-procedures",
+    config
+  );
+  if (!remoteProcs || remoteProcs.length === 0) return { pulled: 0 };
+  const client = getClient();
+  let pulled = 0;
+  for (const p of remoteProcs) {
+    try {
+      await client.execute({
+        sql: `INSERT INTO company_procedures
+              (id, title, content, priority, domain, active, created_at, updated_at)
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+              ON CONFLICT(id) DO UPDATE SET
+                title = excluded.title,
+                content = excluded.content,
+                priority = excluded.priority,
+                domain = excluded.domain,
+                active = excluded.active,
+                updated_at = excluded.updated_at
+              WHERE excluded.updated_at > company_procedures.updated_at`,
+        args: [
+          sqlSafe(p.id),
+          sqlSafeRequired(p.title, "(untitled)"),
+          sqlSafeRequired(p.content, ""),
+          sqlSafe(p.priority ?? "p0"),
+          sqlSafe(p.domain),
+          sqlSafe(p.active ?? 1),
+          sqlSafe(p.created_at ?? (/* @__PURE__ */ new Date()).toISOString()),
+          sqlSafe(p.updated_at ?? (/* @__PURE__ */ new Date()).toISOString())
+        ]
+      });
+      pulled++;
+    } catch (e) {
+      process.stderr.write(
+        `[cloud-sync] Skipping bad company_procedure record ${String(p.id).slice(0, 8)}: ${e instanceof Error ? e.message : String(e)}
+`
+      );
+    }
+  }
+  return { pulled };
+}
+async function cloudPushBehaviors(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM behaviors LIMIT 10000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob(
+    "/sync/push-behaviors",
+    rows,
+    "last_behaviors_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullBehaviors(config) {
+  const remoteBehaviors = await cloudPullBlob(
+    "/sync/pull-behaviors",
+    config
+  );
+  if (!remoteBehaviors || remoteBehaviors.length === 0) return { pulled: 0 };
+  const client = getClient();
+  let pulled = 0;
+  for (const behavior of remoteBehaviors) {
+    try {
+      await client.execute({
+        sql: `INSERT INTO behaviors
+              (id, agent_id, project_name, domain, content, active, priority, created_at, updated_at)
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+              ON CONFLICT(id) DO UPDATE SET
+                active = excluded.active,
+                priority = excluded.priority,
+                updated_at = excluded.updated_at`,
+        args: [
+          sqlSafe(behavior.id),
+          sqlSafeRequired(behavior.agent_id, "unknown"),
+          sqlSafe(behavior.project_name),
+          sqlSafe(behavior.domain ?? "general"),
+          sqlSafeRequired(behavior.content, "(empty)"),
+          sqlSafe(behavior.active ?? 1),
+          sqlSafe(behavior.priority ?? "p1"),
+          sqlSafe(behavior.created_at ?? (/* @__PURE__ */ new Date()).toISOString()),
+          sqlSafe(behavior.updated_at ?? (/* @__PURE__ */ new Date()).toISOString())
+        ]
+      });
+      pulled++;
+    } catch (e) {
+      process.stderr.write(
+        `[cloud-sync] Skipped bad behavior record: ${e instanceof Error ? e.message : String(e)}
+`
+      );
+    }
+  }
+  return { pulled };
+}
+async function cloudPushGraphRAG(config) {
+  const client = getClient();
+  const [entities, relationships, aliases, entityMems, relMems, hyperedges, hyperedgeNodes] = await Promise.all([
+    client.execute("SELECT * FROM entities LIMIT 50000"),
+    client.execute("SELECT * FROM relationships LIMIT 50000"),
+    client.execute("SELECT * FROM entity_aliases LIMIT 50000"),
+    client.execute("SELECT * FROM entity_memories LIMIT 50000"),
+    client.execute("SELECT * FROM relationship_memories LIMIT 50000"),
+    client.execute("SELECT * FROM hyperedges LIMIT 50000"),
+    client.execute("SELECT * FROM hyperedge_nodes LIMIT 50000")
+  ]);
+  const blob = {
+    entities: entities.rows,
+    relationships: relationships.rows,
+    entity_aliases: aliases.rows,
+    entity_memories: entityMems.rows,
+    relationship_memories: relMems.rows,
+    hyperedges: hyperedges.rows,
+    hyperedge_nodes: hyperedgeNodes.rows
+  };
+  const { ok } = await cloudPushBlob(
+    "/sync/push-graphrag",
+    [blob],
+    "last_graphrag_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullGraphRAG(config) {
+  const data = await cloudPullBlob(
+    "/sync/pull-graphrag",
+    config
+  );
+  if (!data || data.length === 0) return { pulled: 0 };
+  const blob = data[0];
+  let pulled = 0;
+  let client = null;
+  try {
+    client = getClient();
+  } catch {
+    process.stderr.write("[cloud-sync] SQLite unavailable for GraphRAG pull \u2014 using PostgreSQL projection only\n");
+  }
+  if (client && blob.entities.length > 0) {
+    const stmts = blob.entities.map((e) => ({
+      sql: `INSERT OR IGNORE INTO entities (id, name, type, first_seen, last_seen, properties)
+            VALUES (?, ?, ?, ?, ?, ?)`,
+      args: [sqlSafe(e.id), sqlSafe(e.name), sqlSafe(e.type), sqlSafe(e.first_seen), sqlSafe(e.last_seen), sqlSafe(e.properties ?? "{}")]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (client && blob.relationships.length > 0) {
+    const stmts = blob.relationships.map((r) => ({
+      sql: `INSERT OR IGNORE INTO relationships
+            (id, source_entity_id, target_entity_id, type, weight, timestamp, properties, confidence, confidence_label)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+      args: [
+        sqlSafe(r.id),
+        sqlSafe(r.source_entity_id),
+        sqlSafe(r.target_entity_id),
+        sqlSafe(r.type),
+        sqlSafe(r.weight ?? 1),
+        sqlSafe(r.timestamp),
+        sqlSafe(r.properties ?? "{}"),
+        sqlSafe(r.confidence ?? 1),
+        sqlSafe(r.confidence_label ?? "extracted")
+      ]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (client && blob.entity_aliases.length > 0) {
+    const stmts = blob.entity_aliases.map((a) => ({
+      sql: `INSERT OR IGNORE INTO entity_aliases (alias, canonical_entity_id) VALUES (?, ?)`,
+      args: [sqlSafe(a.alias), sqlSafe(a.canonical_entity_id)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (client && blob.entity_memories.length > 0) {
+    const stmts = blob.entity_memories.map((em) => ({
+      sql: `INSERT OR IGNORE INTO entity_memories (entity_id, memory_id) VALUES (?, ?)`,
+      args: [sqlSafe(em.entity_id), sqlSafe(em.memory_id)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (client && blob.relationship_memories.length > 0) {
+    const stmts = blob.relationship_memories.map((rm) => ({
+      sql: `INSERT OR IGNORE INTO relationship_memories (relationship_id, memory_id) VALUES (?, ?)`,
+      args: [sqlSafe(rm.relationship_id), sqlSafe(rm.memory_id)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (client && blob.hyperedges.length > 0) {
+    const stmts = blob.hyperedges.map((h) => ({
+      sql: `INSERT OR IGNORE INTO hyperedges (id, label, relation, confidence, timestamp)
+            VALUES (?, ?, ?, ?, ?)`,
+      args: [sqlSafe(h.id), sqlSafe(h.label), sqlSafe(h.relation), sqlSafe(h.confidence ?? 1), sqlSafe(h.timestamp)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (client && blob.hyperedge_nodes.length > 0) {
+    const stmts = blob.hyperedge_nodes.map((hn) => ({
+      sql: `INSERT OR IGNORE INTO hyperedge_nodes (hyperedge_id, entity_id) VALUES (?, ?)`,
+      args: [sqlSafe(hn.hyperedge_id), sqlSafe(hn.entity_id)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  const pgPromise = loadPgClient();
+  if (pgPromise) {
+    try {
+      const pg = await pgPromise;
+      const S = "graph";
+      for (const e of blob.entities) {
+        await pg.$executeRawUnsafe(
+          `INSERT INTO ${S}.entities (id, name, type, first_seen, last_seen, properties)
+           VALUES ($1::uuid, $2, $3, $4::timestamptz, $5::timestamptz, $6::jsonb)
+           ON CONFLICT (id) DO UPDATE SET name = EXCLUDED.name, type = EXCLUDED.type,
+             last_seen = EXCLUDED.last_seen, properties = EXCLUDED.properties`,
+          e.id,
+          e.name ?? "unknown",
+          e.type ?? "unknown",
+          e.first_seen ?? (/* @__PURE__ */ new Date()).toISOString(),
+          e.last_seen ?? (/* @__PURE__ */ new Date()).toISOString(),
+          e.properties ?? "{}"
+        );
+      }
+      for (const r of blob.relationships) {
+        await pg.$executeRawUnsafe(
+          `INSERT INTO ${S}.relationships (id, source_entity_id, target_entity_id, type, confidence, properties)
+           VALUES ($1::uuid, $2::uuid, $3::uuid, $4, $5, $6::jsonb)
+           ON CONFLICT (id) DO NOTHING`,
+          r.id,
+          r.source_entity_id,
+          r.target_entity_id,
+          r.type ?? "related_to",
+          r.confidence ?? 0.8,
+          r.properties ?? "{}"
+        );
+      }
+      for (const em of blob.entity_memories) {
+        await pg.$executeRawUnsafe(
+          `INSERT INTO ${S}.entity_memories (entity_id, memory_id)
+           VALUES ($1::uuid, $2::uuid) ON CONFLICT DO NOTHING`,
+          em.entity_id,
+          em.memory_id
+        );
+      }
+      process.stderr.write(`[cloud-sync] Projected ${blob.entities.length} entities + ${blob.relationships.length} relationships to PostgreSQL graph schema
+`);
+    } catch (pgErr) {
+      process.stderr.write(`[cloud-sync] PostgreSQL graph projection failed: ${pgErr instanceof Error ? pgErr.message : String(pgErr)}
+`);
+    }
+  }
+  return { pulled };
+}
+async function cloudPushTasks(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM tasks LIMIT 10000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob(
+    "/sync/push-tasks",
+    rows,
+    "last_tasks_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullTasks(config) {
+  const remoteTasks = await cloudPullBlob(
+    "/sync/pull-tasks",
+    config
+  );
+  if (!remoteTasks || remoteTasks.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remoteTasks.map((t) => ({
+    sql: `INSERT OR IGNORE INTO tasks
+          (id, title, assigned_to, assigned_by, project_name, priority, status, task_file, created_at, updated_at,
+           blocked_by, parent_task_id, budget_tokens, budget_fallback_model, tokens_used, tokens_warned_at,
+           reviewer, context, complexity, session_scope, spawn_runtime, spawn_model, result)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+    args: [
+      sqlSafe(t.id),
+      sqlSafe(t.title),
+      sqlSafe(t.assigned_to),
+      sqlSafe(t.assigned_by),
+      sqlSafe(t.project_name),
+      sqlSafe(t.priority ?? "p1"),
+      sqlSafe(t.status ?? "open"),
+      sqlSafe(t.task_file),
+      sqlSafe(t.created_at),
+      sqlSafe(t.updated_at),
+      sqlSafe(t.blocked_by),
+      sqlSafe(t.parent_task_id),
+      sqlSafe(t.budget_tokens),
+      sqlSafe(t.budget_fallback_model),
+      sqlSafe(t.tokens_used ?? 0),
+      sqlSafe(t.tokens_warned_at),
+      sqlSafe(t.reviewer),
+      sqlSafe(t.context),
+      sqlSafe(t.complexity),
+      sqlSafe(t.session_scope),
+      sqlSafe(t.spawn_runtime),
+      sqlSafe(t.spawn_model),
+      sqlSafe(t.result)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remoteTasks.length };
+}
+async function cloudPushConversations(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM conversations LIMIT 50000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob(
+    "/sync/push-conversations",
+    rows,
+    "last_conversations_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullConversations(config) {
+  const remoteConvos = await cloudPullBlob(
+    "/sync/pull-conversations",
+    config
+  );
+  if (!remoteConvos || remoteConvos.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remoteConvos.map((c) => ({
+    sql: `INSERT INTO conversations
+          (id, platform, external_id, sender_id, sender_name, sender_phone, sender_email,
+           recipient_id, channel_id, thread_id, reply_to_id, content_text, content_media,
+           content_metadata, agent_response, agent_name, timestamp, ingested_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+          ON CONFLICT(id) DO UPDATE SET
+            platform = excluded.platform,
+            external_id = excluded.external_id,
+            sender_id = excluded.sender_id,
+            sender_name = excluded.sender_name,
+            sender_phone = excluded.sender_phone,
+            sender_email = excluded.sender_email,
+            recipient_id = excluded.recipient_id,
+            channel_id = excluded.channel_id,
+            thread_id = excluded.thread_id,
+            reply_to_id = excluded.reply_to_id,
+            content_text = excluded.content_text,
+            content_media = excluded.content_media,
+            content_metadata = excluded.content_metadata,
+            agent_response = excluded.agent_response,
+            agent_name = excluded.agent_name,
+            timestamp = excluded.timestamp,
+            ingested_at = excluded.ingested_at
+          WHERE COALESCE(excluded.ingested_at, excluded.timestamp, '') > COALESCE(conversations.ingested_at, conversations.timestamp, '')`,
+    args: [
+      sqlSafe(c.id),
+      sqlSafe(c.platform),
+      sqlSafe(c.external_id),
+      sqlSafe(c.sender_id),
+      sqlSafe(c.sender_name),
+      sqlSafe(c.sender_phone),
+      sqlSafe(c.sender_email),
+      sqlSafe(c.recipient_id),
+      sqlSafe(c.channel_id),
+      sqlSafe(c.thread_id),
+      sqlSafe(c.reply_to_id),
+      sqlSafe(c.content_text),
+      sqlSafe(c.content_media),
+      sqlSafe(c.content_metadata),
+      sqlSafe(c.agent_response),
+      sqlSafe(c.agent_name),
+      sqlSafe(c.timestamp),
+      sqlSafe(c.ingested_at)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remoteConvos.length };
+}
+async function cloudPushDocuments(config) {
+  const client = getClient();
+  const [workspaces, documents] = await Promise.all([
+    client.execute("SELECT * FROM workspaces LIMIT 1000"),
+    client.execute("SELECT * FROM documents LIMIT 10000")
+  ]);
+  const blob = {
+    workspaces: workspaces.rows,
+    documents: documents.rows
+  };
+  const { ok } = await cloudPushBlob(
+    "/sync/push-documents",
+    [blob],
+    "last_documents_push_version",
+    config
+  );
+  return ok;
+}
+async function cloudPullDocuments(config) {
+  const data = await cloudPullBlob(
+    "/sync/pull-documents",
+    config
+  );
+  if (!data || data.length === 0) return { pulled: 0 };
+  const blob = data[0];
+  const client = getClient();
+  let pulled = 0;
+  if (blob.workspaces.length > 0) {
+    const stmts = blob.workspaces.map((w) => ({
+      sql: `INSERT INTO workspaces (id, slug, name, owner_agent_id, created_at, metadata)
+            VALUES (?, ?, ?, ?, ?, ?)
+            ON CONFLICT(id) DO UPDATE SET
+              slug = excluded.slug,
+              name = excluded.name,
+              owner_agent_id = excluded.owner_agent_id,
+              metadata = excluded.metadata
+            WHERE COALESCE(excluded.created_at, '') >= COALESCE(workspaces.created_at, '')`,
+      args: [sqlSafe(w.id), sqlSafe(w.slug), sqlSafe(w.name), sqlSafe(w.owner_agent_id), sqlSafe(w.created_at), sqlSafe(w.metadata)]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  if (blob.documents.length > 0) {
+    const stmts = blob.documents.map((d) => ({
+      sql: `INSERT INTO documents
+            (id, workspace_id, filename, mime, source_type, user_id, uploaded_at, metadata)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+            ON CONFLICT(id) DO UPDATE SET
+              workspace_id = excluded.workspace_id,
+              filename = excluded.filename,
+              mime = excluded.mime,
+              source_type = excluded.source_type,
+              user_id = excluded.user_id,
+              uploaded_at = excluded.uploaded_at,
+              metadata = excluded.metadata
+            WHERE COALESCE(excluded.uploaded_at, '') > COALESCE(documents.uploaded_at, '')`,
+      args: [
+        sqlSafe(d.id),
+        sqlSafe(d.workspace_id),
+        sqlSafe(d.filename),
+        sqlSafe(d.mime),
+        sqlSafe(d.source_type),
+        sqlSafe(d.user_id),
+        sqlSafe(d.uploaded_at),
+        sqlSafe(d.metadata)
+      ]
+    }));
+    await client.batch(stmts, "write");
+    pulled += stmts.length;
+  }
+  return { pulled };
+}
+var CODE_CONTEXT_DIR = path.join(EXE_AI_DIR, "code-context");
+async function cloudPushCodeContext(config) {
+  assertSecureEndpoint(config.endpoint);
+  if (!existsSync(CODE_CONTEXT_DIR)) return 0;
+  const files = readdirSync(CODE_CONTEXT_DIR).filter(
+    (f) => f.endsWith(".json") && !f.endsWith(".vectors.json") && !f.startsWith(".")
+  );
+  if (files.length === 0) return 0;
+  const metaPath = path.join(CODE_CONTEXT_DIR, ".sync-meta.json");
+  let syncMeta = {};
+  if (existsSync(metaPath)) {
+    try {
+      syncMeta = JSON.parse(readFileSync(metaPath, "utf-8"));
+    } catch (e) {
+      process.stderr.write("[cloud-sync] code-context sync-meta parse failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+  }
+  let pushed = 0;
+  for (const file of files) {
+    const filePath = path.join(CODE_CONTEXT_DIR, file);
+    try {
+      const stat = statSync(filePath);
+      const lastPushed = syncMeta[file] ?? 0;
+      if (stat.mtimeMs <= lastPushed) continue;
+      const content = readFileSync(filePath, "utf-8");
+      const header = content.substring(0, 300);
+      if (header.includes("/tmp") || header.includes("/var/folders") || header.includes(".worktrees/")) continue;
+      const compressed = compress(Buffer.from(content, "utf8"));
+      const encrypted = encryptSyncBlob(compressed);
+      const resp = await fetchWithRetry(`${config.endpoint}/sync/push-code-context`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${config.apiKey}`,
+          "Content-Type": "application/json",
+          "X-Device-Id": loadDeviceId()
+        },
+        body: JSON.stringify({ key: file, blob: encrypted })
+      });
+      if (resp.ok) {
+        syncMeta[file] = stat.mtimeMs;
+        pushed++;
+      }
+    } catch (e) {
+      process.stderr.write("[cloud-sync] code-context push failed (" + file + "): " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+  }
+  if (pushed > 0) {
+    try {
+      atomicWriteJsonSync(metaPath, syncMeta);
+    } catch (e) {
+      process.stderr.write("[cloud-sync] code-context sync-meta write failed: " + (e instanceof Error ? e.message : String(e)) + "\n");
+    }
+  }
+  return pushed;
+}
+async function cloudPullCodeContext(config) {
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config.endpoint}/sync/pull-code-context`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return 0;
+    const data = await resp.json();
+    if (!data.indexes || data.indexes.length === 0) return 0;
+    mkdirSync(CODE_CONTEXT_DIR, { recursive: true });
+    let pulled = 0;
+    for (const { key, blob } of data.indexes) {
+      try {
+        if (key.endsWith(".vectors.json")) continue;
+        const localPath = path.join(CODE_CONTEXT_DIR, key);
+        const compressed = decryptSyncBlob(blob);
+        const content = decompress(compressed).toString("utf8");
+        if (!existsSync(localPath)) {
+          atomicWriteSync(localPath, content);
+          pulled++;
+        } else {
+          const remoteHash = crypto.createHash("sha256").update(content).digest("hex");
+          const localHash = crypto.createHash("sha256").update(readFileSync(localPath, "utf-8")).digest("hex");
+          if (localHash !== remoteHash) {
+            atomicWriteSync(localPath, content);
+            pulled++;
+          }
+        }
+      } catch (e) {
+        process.stderr.write("[cloud-sync] code-context pull failed (" + key + "): " + (e instanceof Error ? e.message : String(e)) + "\n");
+      }
+    }
+    return pulled;
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] Code context pull failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return 0;
+  }
+}
+async function cloudPushSchedules(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM schedules LIMIT 10000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob("/sync/push-schedules", rows, "last_schedules_push_version", config);
+  return ok;
+}
+async function cloudPullSchedules(config) {
+  const remote = await cloudPullBlob("/sync/pull-schedules", config);
+  if (!remote || remote.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remote.map((r) => ({
+    sql: `INSERT INTO schedules
+          (id, cron, description, job_type, prompt, assigned_to, project_name, active, use_crontab, created_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+          ON CONFLICT(id) DO UPDATE SET
+            cron = excluded.cron,
+            description = excluded.description,
+            job_type = excluded.job_type,
+            prompt = excluded.prompt,
+            assigned_to = excluded.assigned_to,
+            project_name = excluded.project_name,
+            active = excluded.active,
+            use_crontab = excluded.use_crontab`,
+    args: [
+      sqlSafe(r.id),
+      sqlSafe(r.cron),
+      sqlSafe(r.description),
+      sqlSafe(r.job_type ?? "report"),
+      sqlSafe(r.prompt),
+      sqlSafe(r.assigned_to),
+      sqlSafe(r.project_name),
+      sqlSafe(r.active ?? 1),
+      sqlSafe(r.use_crontab ?? 0),
+      sqlSafe(r.created_at)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remote.length };
+}
+async function cloudPushTrajectories(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM trajectories LIMIT 50000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob("/sync/push-trajectories", rows, "last_trajectories_push_version", config);
+  return ok;
+}
+async function cloudPullTrajectories(config) {
+  const remote = await cloudPullBlob("/sync/pull-trajectories", config);
+  if (!remote || remote.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remote.map((r) => ({
+    sql: `INSERT INTO trajectories
+          (id, task_id, agent_id, project_name, task_title, signature, signature_hash, tool_count, skill_id, created_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+          ON CONFLICT(id) DO UPDATE SET
+            task_id = excluded.task_id,
+            agent_id = excluded.agent_id,
+            project_name = excluded.project_name,
+            task_title = excluded.task_title,
+            signature = excluded.signature,
+            signature_hash = excluded.signature_hash,
+            tool_count = excluded.tool_count,
+            skill_id = excluded.skill_id,
+            created_at = excluded.created_at
+          WHERE COALESCE(excluded.created_at, '') >= COALESCE(trajectories.created_at, '')`,
+    args: [
+      sqlSafe(r.id),
+      sqlSafe(r.task_id),
+      sqlSafe(r.agent_id),
+      sqlSafe(r.project_name),
+      sqlSafe(r.task_title),
+      sqlSafe(r.signature),
+      sqlSafe(r.signature_hash),
+      sqlSafe(r.tool_count ?? 0),
+      sqlSafe(r.skill_id),
+      sqlSafe(r.created_at)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remote.length };
+}
+async function cloudPushConsolidations(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM consolidations LIMIT 50000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob("/sync/push-consolidations", rows, "last_consolidations_push_version", config);
+  return ok;
+}
+async function cloudPullConsolidations(config) {
+  const remote = await cloudPullBlob("/sync/pull-consolidations", config);
+  if (!remote || remote.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remote.map((r) => ({
+    sql: `INSERT INTO consolidations
+          (id, consolidated_memory_id, source_memory_id, created_at)
+          VALUES (?, ?, ?, ?)
+          ON CONFLICT(id) DO UPDATE SET
+            consolidated_memory_id = excluded.consolidated_memory_id,
+            source_memory_id = excluded.source_memory_id,
+            created_at = excluded.created_at
+          WHERE COALESCE(excluded.created_at, '') >= COALESCE(consolidations.created_at, '')`,
+    args: [
+      sqlSafe(r.id),
+      sqlSafe(r.consolidated_memory_id),
+      sqlSafe(r.source_memory_id),
+      sqlSafe(r.created_at)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remote.length };
+}
+async function cloudPushIdentityMeta(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM identity LIMIT 1000");
+  const rows = result.rows;
+  const { ok } = await cloudPushBlob("/sync/push-identity", rows, "last_identity_push_version", config);
+  return ok;
+}
+async function cloudPullIdentityMeta(config) {
+  const remote = await cloudPullBlob("/sync/pull-identity", config);
+  if (!remote || remote.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remote.map((r) => ({
+    sql: `INSERT INTO identity
+          (agent_id, content_hash, updated_at, updated_by)
+          VALUES (?, ?, ?, ?)
+          ON CONFLICT(agent_id) DO UPDATE SET
+            content_hash = excluded.content_hash,
+            updated_at = excluded.updated_at,
+            updated_by = excluded.updated_by
+          WHERE COALESCE(excluded.updated_at, '') > COALESCE(identity.updated_at, '')`,
+    args: [
+      sqlSafe(r.agent_id),
+      sqlSafe(r.content_hash),
+      sqlSafe(r.updated_at),
+      sqlSafe(r.updated_by)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remote.length };
+}
+async function cloudPushCoreMemory(config) {
+  const client = getClient();
+  const result = await client.execute("SELECT * FROM core_memory LIMIT 1000");
+  const rows = result.rows;
+  if (rows.length === 0) return true;
+  const { ok } = await cloudPushBlob("/sync/push-core-memory", rows, "last_core_memory_push_version", config);
+  return ok;
+}
+async function cloudPullCoreMemory(config) {
+  const remote = await cloudPullBlob("/sync/pull-core-memory", config);
+  if (!remote || remote.length === 0) return { pulled: 0 };
+  const client = getClient();
+  const stmts = remote.map((r) => ({
+    sql: `INSERT INTO core_memory (agent_id, key, value, updated_at)
+          VALUES (?, ?, ?, ?)
+          ON CONFLICT(agent_id, key) DO UPDATE SET
+            value = excluded.value,
+            updated_at = excluded.updated_at
+          WHERE excluded.updated_at > core_memory.updated_at`,
+    args: [
+      sqlSafe(r.agent_id),
+      sqlSafe(r.key),
+      sqlSafe(r.value),
+      sqlSafe(r.updated_at)
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return { pulled: remote.length };
+}
+
+export {
+  shouldUseCrdtMergeForCloudSync,
+  loadPgClient,
+  disposeCloudSync,
+  pushToPostgres,
+  migrateEndpoint,
+  assertSecureEndpoint,
+  cloudPush,
+  cloudResetMemoryBlobs,
+  cloudPull,
+  CLOUD_REUPLOAD_REQUIRED_MESSAGE,
+  getCloudReuploadRequired,
+  clearCloudReuploadRequired,
+  getCloudRelinkRequired,
+  clearCloudRelinkRequired,
+  markCloudReuploadRequired,
+  cloudSync,
+  recordRosterDeletion,
+  buildRosterBlob,
+  cloudPushRoster,
+  cloudPullRoster,
+  mergeConfig,
+  mergeRosterFromRemote,
+  cloudPushBlob,
+  cloudPullBlob,
+  cloudPushGlobalProcedures,
+  cloudPullGlobalProcedures,
+  cloudPushBehaviors,
+  cloudPullBehaviors,
+  cloudPushGraphRAG,
+  cloudPullGraphRAG,
+  cloudPushTasks,
+  cloudPullTasks,
+  cloudPushConversations,
+  cloudPullConversations,
+  cloudPushDocuments,
+  cloudPullDocuments,
+  cloudPushCodeContext,
+  cloudPullCodeContext,
+  cloudPushSchedules,
+  cloudPullSchedules,
+  cloudPushTrajectories,
+  cloudPullTrajectories,
+  cloudPushConsolidations,
+  cloudPullConsolidations,
+  cloudPushIdentityMeta,
+  cloudPullIdentityMeta,
+  cloudPushCoreMemory,
+  cloudPullCoreMemory
+};