@askexenow/exe-os 0.9.39 → 0.9.41

package/dist/lib/exe-daemon.js

@@ -4088,7 +4088,7 @@ async function tryKeytar() {
 }
 function deriveMachineKey() {
   try {
-    const crypto21 = __require("crypto");
+    const crypto22 = __require("crypto");
     const material = [
       os6.hostname(),
       os6.userInfo().username,
@@ -4097,7 +4097,7 @@ function deriveMachineKey() {
       // Machine ID on Linux (stable across reboots)
       process.platform === "linux" ? readMachineId() : ""
     ].join("|");
-    return crypto21.createHash("sha256").update(material).digest();
+    return crypto22.createHash("sha256").update(material).digest();
   } catch {
     return null;
   }
@@ -4111,9 +4111,9 @@ function readMachineId() {
   }
 }
 function encryptWithMachineKey(plaintext, machineKey) {
-  const crypto21 = __require("crypto");
-  const iv = crypto21.randomBytes(12);
-  const cipher = crypto21.createCipheriv("aes-256-gcm", machineKey, iv);
+  const crypto22 = __require("crypto");
+  const iv = crypto22.randomBytes(12);
+  const cipher = crypto22.createCipheriv("aes-256-gcm", machineKey, iv);
   let encrypted = cipher.update(plaintext, "utf-8", "base64");
   encrypted += cipher.final("base64");
   const authTag = cipher.getAuthTag().toString("base64");
@@ -4122,13 +4122,13 @@ function encryptWithMachineKey(plaintext, machineKey) {
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
-    const crypto21 = __require("crypto");
+    const crypto22 = __require("crypto");
     const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
     if (parts.length !== 3) return null;
     const [ivB64, tagB64, cipherB64] = parts;
     const iv = Buffer.from(ivB64, "base64");
     const authTag = Buffer.from(tagB64, "base64");
-    const decipher = crypto21.createDecipheriv("aes-256-gcm", machineKey, iv);
+    const decipher = crypto22.createDecipheriv("aes-256-gcm", machineKey, iv);
     decipher.setAuthTag(authTag);
     let decrypted = decipher.update(cipherB64, "base64", "utf-8");
     decrypted += decipher.final("utf-8");
@@ -4408,6 +4408,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "NEVER: (1) Access the database directly \u2014 it's SQLCipher encrypted, always fails. Use MCP tools only. (2) Manually spawn tmux sessions \u2014 create_task handles it. (3) Run git checkout main \u2014 agents work in worktrees. (4) Modify another agent's in-progress task. (5) Push to remote \u2014 the COO reviews and pushes. (6) Skip update_task(done) \u2014 it's the ONLY way your work gets reviewed. (7) Run git init."
       },
+      {
+        title: "Customer patch triage \u2014 upstream bug vs customization",
+        domain: "support",
+        priority: "p0",
+        content: "Before editing platform code for a customer issue, classify it. Upstream bug = reproducible exe-os/platform defect; call create_bug_report with repro/version/workaround and avoid permanent local patches unless founder approves. Customer customization = identity, behavior, procedure, config, branding, workflow; store it in customer-owned layers, not platform code. Emergency hotfix = temporary only; document files/diff and re-check after npm update."
+      },
       // --- Operations ---
       {
         title: "Managers must supervise deployed workers",
@@ -4476,7 +4482,7 @@ var init_platform_procedures = __esm({
         title: "MCP tools \u2014 identity, behavior, and decisions",
         domain: "tool-use",
         priority: "p1",
-        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query."
+        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query. create_bug_report: classify/file upstream bugs, customer customizations, and emergency hotfixes."
       },
       {
         title: "MCP tools \u2014 communication and messaging",
@@ -5602,8 +5608,8 @@ async function embedDirect(text3) {
   const llamaCpp = await import("node-llama-cpp");
   const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
   const { existsSync: existsSync40 } = await import("fs");
-  const path53 = await import("path");
-  const modelPath = path53.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
+  const path54 = await import("path");
+  const modelPath = path54.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
   if (!existsSync40(modelPath)) {
     throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
   }
@@ -6681,10 +6687,10 @@ async function hybridSearch(queryText, agentId, options) {
     };
     try {
       const fs = await import("fs");
-      const path53 = await import("path");
+      const path54 = await import("path");
       const os23 = await import("os");
-      const logPath = path53.join(os23.homedir(), ".exe-os", "search-quality.jsonl");
-      fs.mkdirSync(path53.dirname(logPath), { recursive: true });
+      const logPath = path54.join(os23.homedir(), ".exe-os", "search-quality.jsonl");
+      fs.mkdirSync(path54.dirname(logPath), { recursive: true });
       fs.appendFileSync(logPath, JSON.stringify(logEntry) + "\n");
     } catch {
     }
@@ -8302,8 +8308,8 @@ __export(wiki_client_exports, {
   listDocuments: () => listDocuments,
   listWorkspaces: () => listWorkspaces
 });
-async function wikiFetch(config2, path53, method = "GET", body) {
-  const url = `${config2.baseUrl}/api/v1${path53}`;
+async function wikiFetch(config2, path54, method = "GET", body) {
+  const url = `${config2.baseUrl}/api/v1${path54}`;
   const headers = {
     Authorization: `Bearer ${config2.apiKey}`,
     "Content-Type": "application/json"
@@ -8336,7 +8342,7 @@ async function wikiFetch(config2, path53, method = "GET", body) {
       }
     }
     if (!response.ok) {
-      throw new Error(`Wiki API ${method} ${path53}: ${response.status} ${response.statusText}`);
+      throw new Error(`Wiki API ${method} ${path54}: ${response.status} ${response.statusText}`);
     }
     return response.json();
   } finally {
@@ -18747,9 +18753,9 @@ var init_hostinger_api = __esm({
         }
         this.lastRequestTime = Date.now();
       }
-      async request(method, path53, body) {
+      async request(method, path54, body) {
         await this.rateLimit();
-        const url = `${this.baseUrl}${path53}`;
+        const url = `${this.baseUrl}${path54}`;
         const headers = {
           Authorization: `Bearer ${this.apiKey}`,
           "Content-Type": "application/json",
@@ -18818,8 +18824,8 @@ async function requestCloudflare(cfApiToken, zoneId, options) {
   }
   return envelope.result;
 }
-function buildUrl(zoneId, path53 = "/dns_records", query) {
-  const normalizedPath = path53.startsWith("/") ? path53 : `/${path53}`;
+function buildUrl(zoneId, path54 = "/dns_records", query) {
+  const normalizedPath = path54.startsWith("/") ? path54 : `/${path54}`;
   const url = new URL(
     `${CLOUDFLARE_API_BASE_URL}/zones/${zoneId}${normalizedPath}`
   );
@@ -21146,12 +21152,12 @@ function registerExportGraph(server) {
         }
         const html = await exportGraphHTML(client);
         const fs = await import("fs");
-        const path53 = await import("path");
+        const path54 = await import("path");
         const os23 = await import("os");
-        const outDir = path53.join(os23.homedir(), ".exe-os", "exports");
+        const outDir = path54.join(os23.homedir(), ".exe-os", "exports");
         fs.mkdirSync(outDir, { recursive: true });
         const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
-        const filePath = path53.join(outDir, `graph-${timestamp}.html`);
+        const filePath = path54.join(outDir, `graph-${timestamp}.html`);
         fs.writeFileSync(filePath, html, "utf-8");
         return {
           content: [
@@ -26794,6 +26800,225 @@ var init_activate_license = __esm({
   }
 });
 
+// src/mcp/tools/create-bug-report.ts
+import { z as z82 } from "zod";
+import crypto19 from "crypto";
+import { mkdir as mkdir6, writeFile as writeFile7 } from "fs/promises";
+import path49 from "path";
+function slugify2(input) {
+  return input.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 80) || "bug-report";
+}
+function formatList(items) {
+  if (!items || items.length === 0) return "- Not provided";
+  return items.map((item) => `- ${item}`).join("\n");
+}
+function section(title, body) {
+  return `## ${title}
+
+${body?.trim() || "Not provided"}`;
+}
+function buildMarkdown(input) {
+  return [
+    `# Bug Report \u2014 ${input.title}`,
+    "",
+    `id: ${input.id}`,
+    `classification: ${input.classification}`,
+    `severity: ${input.severity}`,
+    `filed_by: ${input.agentId} (${input.agentRole})`,
+    `package_version: ${input.packageVersion}`,
+    `project: ${input.projectName ?? "unknown"}`,
+    `created_at: ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    "",
+    section("Summary", input.summary),
+    section("Customer impact", input.customerImpact),
+    "## Reproduction steps",
+    "",
+    formatList(input.reproductionSteps),
+    "",
+    section("Expected behavior", input.expected),
+    section("Actual behavior", input.actual),
+    "## Files changed / suspected",
+    "",
+    formatList(input.filesChanged),
+    "",
+    section("Local workaround / hotfix", input.workaround),
+    section("Local patch diff", input.localPatchDiff)
+  ].join("\n");
+}
+async function maybeSendUpstream(payload) {
+  const config2 = await loadConfig();
+  const endpoint = config2.support?.bugReportEndpoint || process.env.EXE_BUG_REPORT_ENDPOINT;
+  const token = config2.support?.bugReportToken || process.env.EXE_BUG_REPORT_TOKEN;
+  if (!endpoint) {
+    return "not_configured";
+  }
+  try {
+    const parsed = new URL(endpoint);
+    if (parsed.protocol !== "https:" && !["localhost", "127.0.0.1", "::1"].includes(parsed.hostname)) {
+      return "failed: insecure endpoint rejected";
+    }
+    const response = await fetch(parsed, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...token ? { authorization: `Bearer ${token}` } : {}
+      },
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!response.ok) return `failed: HTTP ${response.status}`;
+    return "sent";
+  } catch (err) {
+    return `failed: ${err instanceof Error ? err.message : String(err)}`;
+  }
+}
+function registerCreateBugReport(server) {
+  server.registerTool(
+    "create_bug_report",
+    {
+      title: "Create Bug Report",
+      description: "Classify and file an exe-os issue as upstream_bug, customer_customization, emergency_hotfix, or unclear. Writes a local report, stores memory, and optionally sends to AskExe support when a support endpoint is configured.",
+      inputSchema: {
+        title: z82.string().min(3).describe("Short descriptive title"),
+        classification: CLASSIFICATION.describe(
+          "upstream_bug = platform defect; customer_customization = local preference; emergency_hotfix = temporary local patch; unclear = needs maintainer triage"
+        ),
+        severity: SEVERITY.default("p2").describe("p0 critical \u2192 p3 low"),
+        summary: z82.string().min(10).describe("What happened and why it matters"),
+        customer_impact: z82.string().optional().describe("How this affects the customer/founder"),
+        reproduction_steps: z82.array(z82.string()).optional().describe("Steps to reproduce"),
+        expected: z82.string().optional().describe("Expected behavior"),
+        actual: z82.string().optional().describe("Actual behavior"),
+        files_changed: z82.array(z82.string()).optional().describe("Files changed or suspected"),
+        workaround: z82.string().optional().describe("Temporary local workaround/hotfix, if any"),
+        local_patch_diff: z82.string().optional().describe("Small local diff or patch summary"),
+        package_version: z82.string().optional().describe("Installed @askexenow/exe-os version"),
+        project_name: z82.string().optional().describe("Project/customer context"),
+        send_upstream: z82.boolean().default(true).describe("Attempt to POST to configured AskExe support endpoint")
+      }
+    },
+    async ({
+      title,
+      classification,
+      severity,
+      summary,
+      customer_impact,
+      reproduction_steps,
+      expected,
+      actual,
+      files_changed,
+      workaround,
+      local_patch_diff,
+      package_version,
+      project_name,
+      send_upstream
+    }) => {
+      const { agentId, agentRole } = getActiveAgent();
+      const id = crypto19.randomUUID();
+      const version = package_version ?? "unknown";
+      const markdown = buildMarkdown({
+        id,
+        title,
+        classification,
+        severity,
+        agentId,
+        agentRole,
+        packageVersion: version,
+        summary,
+        customerImpact: customer_impact,
+        expected,
+        actual,
+        workaround,
+        localPatchDiff: local_patch_diff,
+        reproductionSteps: reproduction_steps,
+        filesChanged: files_changed,
+        projectName: project_name
+      });
+      const outDir = path49.join(EXE_AI_DIR, "bug-reports");
+      await mkdir6(outDir, { recursive: true });
+      const reportPath = path49.join(outDir, `${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}-${slugify2(title)}-${id.slice(0, 8)}.md`);
+      await writeFile7(reportPath, markdown, "utf-8");
+      let vector = null;
+      try {
+        vector = await embed(markdown);
+      } catch {
+        vector = null;
+      }
+      await writeMemory({
+        id,
+        agent_id: agentId,
+        agent_role: agentRole,
+        session_id: process.env.SESSION_ID ?? "manual",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        tool_name: "create_bug_report",
+        project_name: project_name ?? "support",
+        has_error: classification === "upstream_bug" || classification === "emergency_hotfix",
+        raw_text: markdown,
+        vector,
+        source_path: reportPath,
+        source_type: "bug_report",
+        memory_type: "bug_report",
+        tier: 1,
+        importance: severity === "p0" ? 10 : severity === "p1" ? 9 : 7,
+        intent: "report",
+        domain: "support",
+        file_paths: files_changed ? JSON.stringify(files_changed) : null
+      });
+      await flushBatch();
+      const upstreamStatus = send_upstream ? await maybeSendUpstream({
+        id,
+        title,
+        classification,
+        severity,
+        summary,
+        customer_impact,
+        reproduction_steps,
+        expected,
+        actual,
+        files_changed,
+        workaround,
+        local_patch_diff,
+        package_version: version,
+        project_name,
+        agent_id: agentId,
+        agent_role: agentRole,
+        report_path: reportPath,
+        markdown
+      }) : "skipped";
+      return {
+        content: [
+          {
+            type: "text",
+            text: `Bug report created.
+ID: ${id}
+Classification: ${classification}
+Local report: ${reportPath}
+Memory stored: ${id}
+Upstream status: ${upstreamStatus}`
+          }
+        ]
+      };
+    }
+  );
+}
+var CLASSIFICATION, SEVERITY;
+var init_create_bug_report = __esm({
+  "src/mcp/tools/create-bug-report.ts"() {
+    "use strict";
+    init_embedder();
+    init_active_agent();
+    init_config();
+    init_store();
+    CLASSIFICATION = z82.enum([
+      "upstream_bug",
+      "customer_customization",
+      "emergency_hotfix",
+      "unclear"
+    ]);
+    SEVERITY = z82.enum(["p0", "p1", "p2", "p3"]);
+  }
+});
+
 // src/mcp/tool-gates.ts
 function isToolAllowed(registerFnName) {
   const role = process.env.AGENT_ROLE;
@@ -26855,6 +27080,7 @@ var init_tool_gates = __esm({
       registerBehavior: "core",
       registerStoreDecision: "core",
       registerGetDecision: "core",
+      registerCreateBugReport: "core",
       registerIdentity: "core",
       registerGetIdentity: "core",
       registerUpdateIdentity: "core",
@@ -26887,6 +27113,7 @@ var init_tool_gates = __esm({
       registerExportGraph: "graph-write",
       // wiki
       registerWiki: "wiki",
+      registerCreateWikiPage: "wiki",
       registerListWikiPages: "wiki",
       registerGetWikiPage: "wiki",
       // crm
@@ -27060,6 +27287,7 @@ function registerAllTools(server) {
   }
   gate("registerStoreDecision", registerStoreDecision);
   gate("registerGetDecision", registerGetDecision);
+  gate("registerCreateBugReport", registerCreateBugReport);
   gate("registerGetAgentSpend", registerGetAgentSpend);
   gate("registerGetGraphStats", registerGetGraphStats);
   gate("registerGetEntityNeighbors", registerGetEntityNeighbors);
@@ -27181,6 +27409,7 @@ var init_register_tools = __esm({
     init_list_licenses();
     init_activate_license();
     init_query_company_brain();
+    init_create_bug_report();
     init_tool_gates();
   }
 });
@@ -27406,7 +27635,7 @@ __export(task_enforcement_exports, {
   sendNudge: () => sendNudge
 });
 import { writeFileSync as writeFileSync22 } from "fs";
-import path49 from "path";
+import path50 from "path";
 function writeAuditEntry(entry) {
   try {
     const line = JSON.stringify(entry) + "\n";
@@ -27581,7 +27810,7 @@ var init_task_enforcement = __esm({
       "What do you need?"
     ];
     MANAGER_ROLES = ["COO", "CTO"];
-    AUDIT_LOG_PATH = path49.join(
+    AUDIT_LOG_PATH = path50.join(
       process.env.HOME ?? process.env.USERPROFILE ?? "/tmp",
       ".exe-os",
       "enforcement-audit.jsonl"
@@ -27599,9 +27828,9 @@ __export(update_check_exports, {
 });
 import { execSync as execSync15 } from "child_process";
 import { readFileSync as readFileSync31 } from "fs";
-import path50 from "path";
+import path51 from "path";
 function getLocalVersion(packageRoot) {
-  const pkgPath = path50.join(packageRoot, "package.json");
+  const pkgPath = path51.join(packageRoot, "package.json");
   const pkg = JSON.parse(readFileSync31(pkgPath, "utf-8"));
   return pkg.version;
 }
@@ -27645,16 +27874,16 @@ __export(ws_auth_exports, {
   deriveWsAuthToken: () => deriveWsAuthToken,
   hashAuthToken: () => hashAuthToken
 });
-import crypto19 from "crypto";
+import crypto20 from "crypto";
 function deriveWsAuthToken(masterKey) {
-  return Buffer.from(crypto19.hkdfSync("sha256", masterKey, "", WS_AUTH_HKDF_INFO, 32));
+  return Buffer.from(crypto20.hkdfSync("sha256", masterKey, "", WS_AUTH_HKDF_INFO, 32));
 }
 function deriveOrgId(masterKey) {
-  const raw = Buffer.from(crypto19.hkdfSync("sha256", masterKey, "", ORG_ID_HKDF_INFO, 32));
-  return crypto19.createHash("sha256").update(raw).digest("hex").slice(0, 32);
+  const raw = Buffer.from(crypto20.hkdfSync("sha256", masterKey, "", ORG_ID_HKDF_INFO, 32));
+  return crypto20.createHash("sha256").update(raw).digest("hex").slice(0, 32);
 }
 function hashAuthToken(token) {
-  return crypto19.createHash("sha256").update(token).digest("hex");
+  return crypto20.createHash("sha256").update(token).digest("hex");
 }
 var WS_AUTH_HKDF_INFO, ORG_ID_HKDF_INFO;
 var init_ws_auth = __esm({
@@ -27672,10 +27901,10 @@ __export(device_registry_exports, {
   resolveTargetDevice: () => resolveTargetDevice,
   setFriendlyName: () => setFriendlyName
 });
-import crypto20 from "crypto";
+import crypto21 from "crypto";
 import os21 from "os";
 import { readFileSync as readFileSync32, writeFileSync as writeFileSync23, mkdirSync as mkdirSync18, existsSync as existsSync38 } from "fs";
-import path51 from "path";
+import path52 from "path";
 function getDeviceInfo() {
   if (existsSync38(DEVICE_JSON_PATH)) {
     try {
@@ -27689,11 +27918,11 @@ function getDeviceInfo() {
   }
   const hostname = os21.hostname();
   const info = {
-    deviceId: crypto20.randomUUID(),
+    deviceId: crypto21.randomUUID(),
     friendlyName: hostname.replace(/\./g, "-").toLowerCase(),
     hostname
   };
-  mkdirSync18(path51.dirname(DEVICE_JSON_PATH), { recursive: true });
+  mkdirSync18(path52.dirname(DEVICE_JSON_PATH), { recursive: true });
   writeFileSync23(DEVICE_JSON_PATH, JSON.stringify(info, null, 2));
   return info;
 }
@@ -27734,7 +27963,7 @@ var init_device_registry = __esm({
   "src/lib/device-registry.ts"() {
     "use strict";
     init_config();
-    DEVICE_JSON_PATH = path51.join(EXE_AI_DIR, "device.json");
+    DEVICE_JSON_PATH = path52.join(EXE_AI_DIR, "device.json");
   }
 });
 
@@ -27951,7 +28180,7 @@ import net2 from "net";
 import { createServer as createHttpServer } from "http";
 import { randomUUID as randomUUID9 } from "crypto";
 import { writeFileSync as writeFileSync24, unlinkSync as unlinkSync13, mkdirSync as mkdirSync19, existsSync as existsSync39, readFileSync as readFileSync33, chmodSync as chmodSync2 } from "fs";
-import path52 from "path";
+import path53 from "path";
 
 // src/lib/orchestration-metrics.ts
 init_config();
@@ -28023,8 +28252,8 @@ function initMetrics() {
 
 // src/lib/exe-daemon.ts
 init_memory_write_governor();
-var SOCKET_PATH2 = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path52.join(EXE_AI_DIR, "exed.sock");
-var PID_PATH3 = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path52.join(EXE_AI_DIR, "exed.pid");
+var SOCKET_PATH2 = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path53.join(EXE_AI_DIR, "exed.sock");
+var PID_PATH3 = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path53.join(EXE_AI_DIR, "exed.pid");
 var MODEL_FILE = "jina-embeddings-v5-small-q4_k_m.gguf";
 var IDLE_TIMEOUT_MS2 = 15 * 60 * 1e3;
 var REVIEW_POLL_INTERVAL_MS = 60 * 1e3;
@@ -28052,7 +28281,7 @@ function enqueue(queue, entry) {
   queue.push(entry);
 }
 async function loadModel() {
-  const modelPath = path52.join(MODELS_DIR, MODEL_FILE);
+  const modelPath = path53.join(MODELS_DIR, MODEL_FILE);
   if (!existsSync39(modelPath)) {
     process.stderr.write(`[exed] No model at ${modelPath} \u2014 running without embeddings (VPS mode).
 `);
@@ -28451,14 +28680,14 @@ function startMemoryQueueDrain() {
 `);
 }
 function startServer() {
-  mkdirSync19(path52.dirname(SOCKET_PATH2), { recursive: true });
+  mkdirSync19(path53.dirname(SOCKET_PATH2), { recursive: true });
   try {
-    chmodSync2(path52.dirname(SOCKET_PATH2), 448);
+    chmodSync2(path53.dirname(SOCKET_PATH2), 448);
   } catch {
   }
   _daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV2] ?? null);
   for (const oldFile of ["embed.sock", "embed.pid"]) {
-    const oldPath = path52.join(path52.dirname(SOCKET_PATH2), oldFile);
+    const oldPath = path53.join(path53.dirname(SOCKET_PATH2), oldFile);
     try {
       if (oldFile.endsWith(".pid")) {
         const pid = parseInt(readFileSync33(oldPath, "utf8").trim(), 10);
@@ -28934,7 +29163,7 @@ function startGraphExtraction() {
 `);
 }
 var AGENT_STATS_INTERVAL_MS = 60 * 1e3;
-var AGENT_STATS_PATH = path52.join(EXE_AI_DIR, "agent-stats.json");
+var AGENT_STATS_PATH = path53.join(EXE_AI_DIR, "agent-stats.json");
 async function writeAgentStats() {
   fired("agent_stats");
   if (!await ensureStoreForPolling()) return;
@@ -29111,11 +29340,11 @@ function startIntercomQueueDrain() {
       const hasInProgressTask = (session) => {
         try {
           const { baseAgentName: ban } = (init_employees(), __toCommonJS(employees_exports));
-          const path53 = __require("path");
+          const path54 = __require("path");
           const { existsSync: existsSync40 } = __require("fs");
           const os23 = __require("os");
           const agent = ban(session.split("-")[0] ?? session);
-          const markerPath = path53.join(os23.homedir(), ".exe-os", "session-cache", `current-task-${agent}.json`);
+          const markerPath = path54.join(os23.homedir(), ".exe-os", "session-cache", `current-task-${agent}.json`);
           return existsSync40(markerPath);
         } catch {
           return false;

package/dist/lib/hybrid-search.js

@@ -3644,6 +3644,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "NEVER: (1) Access the database directly \u2014 it's SQLCipher encrypted, always fails. Use MCP tools only. (2) Manually spawn tmux sessions \u2014 create_task handles it. (3) Run git checkout main \u2014 agents work in worktrees. (4) Modify another agent's in-progress task. (5) Push to remote \u2014 the COO reviews and pushes. (6) Skip update_task(done) \u2014 it's the ONLY way your work gets reviewed. (7) Run git init."
       },
+      {
+        title: "Customer patch triage \u2014 upstream bug vs customization",
+        domain: "support",
+        priority: "p0",
+        content: "Before editing platform code for a customer issue, classify it. Upstream bug = reproducible exe-os/platform defect; call create_bug_report with repro/version/workaround and avoid permanent local patches unless founder approves. Customer customization = identity, behavior, procedure, config, branding, workflow; store it in customer-owned layers, not platform code. Emergency hotfix = temporary only; document files/diff and re-check after npm update."
+      },
       // --- Operations ---
       {
         title: "Managers must supervise deployed workers",
@@ -3712,7 +3718,7 @@ var init_platform_procedures = __esm({
         title: "MCP tools \u2014 identity, behavior, and decisions",
         domain: "tool-use",
         priority: "p1",
-        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query."
+        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query. create_bug_report: classify/file upstream bugs, customer customizations, and emergency hotfixes."
       },
       {
         title: "MCP tools \u2014 communication and messaging",

package/dist/lib/schedules.js

@@ -3006,6 +3006,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "NEVER: (1) Access the database directly \u2014 it's SQLCipher encrypted, always fails. Use MCP tools only. (2) Manually spawn tmux sessions \u2014 create_task handles it. (3) Run git checkout main \u2014 agents work in worktrees. (4) Modify another agent's in-progress task. (5) Push to remote \u2014 the COO reviews and pushes. (6) Skip update_task(done) \u2014 it's the ONLY way your work gets reviewed. (7) Run git init."
       },
+      {
+        title: "Customer patch triage \u2014 upstream bug vs customization",
+        domain: "support",
+        priority: "p0",
+        content: "Before editing platform code for a customer issue, classify it. Upstream bug = reproducible exe-os/platform defect; call create_bug_report with repro/version/workaround and avoid permanent local patches unless founder approves. Customer customization = identity, behavior, procedure, config, branding, workflow; store it in customer-owned layers, not platform code. Emergency hotfix = temporary only; document files/diff and re-check after npm update."
+      },
       // --- Operations ---
       {
         title: "Managers must supervise deployed workers",
@@ -3074,7 +3080,7 @@ var init_platform_procedures = __esm({
         title: "MCP tools \u2014 identity, behavior, and decisions",
         domain: "tool-use",
         priority: "p1",
-        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query."
+        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query. create_bug_report: classify/file upstream bugs, customer customizations, and emergency hotfixes."
       },
       {
         title: "MCP tools \u2014 communication and messaging",

package/dist/lib/store.js

@@ -3006,6 +3006,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "NEVER: (1) Access the database directly \u2014 it's SQLCipher encrypted, always fails. Use MCP tools only. (2) Manually spawn tmux sessions \u2014 create_task handles it. (3) Run git checkout main \u2014 agents work in worktrees. (4) Modify another agent's in-progress task. (5) Push to remote \u2014 the COO reviews and pushes. (6) Skip update_task(done) \u2014 it's the ONLY way your work gets reviewed. (7) Run git init."
       },
+      {
+        title: "Customer patch triage \u2014 upstream bug vs customization",
+        domain: "support",
+        priority: "p0",
+        content: "Before editing platform code for a customer issue, classify it. Upstream bug = reproducible exe-os/platform defect; call create_bug_report with repro/version/workaround and avoid permanent local patches unless founder approves. Customer customization = identity, behavior, procedure, config, branding, workflow; store it in customer-owned layers, not platform code. Emergency hotfix = temporary only; document files/diff and re-check after npm update."
+      },
       // --- Operations ---
       {
         title: "Managers must supervise deployed workers",
@@ -3074,7 +3080,7 @@ var init_platform_procedures = __esm({
         title: "MCP tools \u2014 identity, behavior, and decisions",
         domain: "tool-use",
         priority: "p1",
-        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query."
+        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query. create_bug_report: classify/file upstream bugs, customer customizations, and emergency hotfixes."
       },
       {
         title: "MCP tools \u2014 communication and messaging",