@askexenow/exe-os 0.9.53 → 0.9.55

package/dist/bin/exe-doctor.js

@@ -2589,6 +2589,7 @@ var init_database = __esm({
 // src/lib/shard-manager.ts
 var shard_manager_exports = {};
 __export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
   getOpenShardCount: () => getOpenShardCount,
@@ -2655,6 +2656,70 @@ function listShards() {
   if (!existsSync7(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");
@@ -3510,6 +3575,15 @@ function readMachineId() {
     return "";
   }
 }
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto2 = __require("crypto");
+  const iv = crypto2.randomBytes(12);
+  const cipher = crypto2.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
@@ -3528,6 +3602,21 @@ function decryptWithMachineKey(encrypted, machineKey) {
     return null;
   }
 }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
 async function getMasterKey() {
   const nativeValue = macKeychainGet() ?? linuxSecretGet();
   if (nativeValue) {
@@ -3579,6 +3668,20 @@ async function getMasterKey() {
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
     }
     return key;
   } catch (err) {
@@ -4212,15 +4315,31 @@ function auditHookHealth() {
   const topPatterns = [...patternCounts.entries()].sort((a, b) => b[1] - a[1]).slice(0, 5).map(([pattern, count]) => ({ pattern, count }));
   return { logExists: true, totalLines, errorsLastHour, topPatterns };
 }
+async function auditShards() {
+  try {
+    const { auditShardHealth: auditShardHealth2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
+    const report = await auditShardHealth2();
+    return {
+      total: report.total,
+      ok: report.ok,
+      unreadable: report.unreadable,
+      archived: report.archived,
+      unreadableNames: report.shards.filter((s) => s.unreadable).map((s) => s.name)
+    };
+  } catch {
+    return { total: 0, ok: 0, unreadable: 0, archived: 0, unreadableNames: [] };
+  }
+}
 async function runAudit(client, flags) {
   const runConflicts = flags.conflicts || process.env.EXE_AUDIT_CONFLICTS === "1";
-  const [stats, nullVectors, duplicates, bloated, fts, orphanedProjects] = await Promise.all([
+  const [stats, nullVectors, duplicates, bloated, fts, orphanedProjects, shards] = await Promise.all([
     auditStats(client, flags),
     auditNullVectors(client, flags),
     auditDuplicates(client, flags),
     auditBloated(client, flags),
     auditFts(client),
-    auditOrphanedProjects(client)
+    auditOrphanedProjects(client),
+    auditShards()
   ]);
   let conflicts;
   if (runConflicts) {
@@ -4240,7 +4359,7 @@ async function runAudit(client, flags) {
   }
   const duplicateCount = duplicates.reduce((sum, d) => sum + d.delete_ids.length, 0);
   const hookHealth = auditHookHealth();
-  return { stats, nullVectors, duplicates, duplicateCount, bloated, fts, orphanedProjects, conflicts, hookHealth };
+  return { stats, nullVectors, duplicates, duplicateCount, bloated, fts, orphanedProjects, conflicts, hookHealth, shards };
 }
 function indicator(value, warn) {
   if (value === 0) return "\u{1F7E2}";
@@ -4319,6 +4438,15 @@ function formatReport(report, flags) {
       lines.push(`                     ${p.count}x: ${p.pattern}`);
     }
   }
+  const sh = report.shards;
+  if (sh.total > 0) {
+    if (sh.unreadable === 0) {
+      lines.push(`\u{1F7E2} Shards:           ${fmtNum(sh.ok)} / ${fmtNum(sh.total)} readable`);
+    } else {
+      const names = sh.unreadableNames.slice(0, 5).join(", ");
+      lines.push(`\u{1F534} Shards:           ${fmtNum(sh.unreadable)} unreadable (${names}${sh.unreadableNames.length > 5 ? ", ..." : ""})`);
+    }
+  }
   lines.push("");
   if (flags.verbose) {
     if (report.duplicates.length > 0) {
@@ -4366,6 +4494,9 @@ function formatReport(report, flags) {
   if (!report.fts.inSync) {
     recs.push("Run --fix to rebuild FTS index");
   }
+  if (report.shards.unreadable > 0) {
+    recs.push(`Run --fix to archive ${fmtNum(report.shards.unreadable)} unreadable shard(s); global DB remains authoritative`);
+  }
   if (report.orphanedProjects.length > 0) {
     const names = report.orphanedProjects.map((o) => `"${o.project_name}"`).join(", ");
     recs.push(`Consider /exe-forget for orphaned project${report.orphanedProjects.length > 1 ? "s" : ""} ${names}`);
@@ -4471,6 +4602,17 @@ async function fixBloated(client, bloated, dryRun) {
   }
   return chunksCreated;
 }
+async function fixShards(dryRun) {
+  const { auditShardHealth: auditShardHealth2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
+  const report = await auditShardHealth2({ repair: true, dryRun });
+  return {
+    total: report.total,
+    ok: report.ok,
+    unreadable: report.unreadable,
+    archived: report.archived,
+    unreadableNames: report.shards.filter((s) => s.unreadable).map((s) => s.name)
+  };
+}
 function splitAtSentences(text, maxChunkSize) {
   if (text.length <= maxChunkSize) return [text];
   const chunks = [];
@@ -4546,6 +4688,11 @@ ${mode} Applying repairs...
         console.log("  Done.");
       }
     }
+    if (report.shards.unreadable > 0) {
+      console.log(`${mode} Archiving ${fmtNum(report.shards.unreadable)} unreadable shard(s)...`);
+      const fixed = await fixShards(flags.dryRun);
+      console.log(`  ${flags.dryRun ? "Would archive" : "Archived"} ${fmtNum(flags.dryRun ? fixed.unreadable : fixed.archived)} shard(s).`);
+    }
     console.log(`
 ${mode} Complete.`);
   }
@@ -4564,10 +4711,12 @@ export {
   auditHookHealth,
   auditNullVectors,
   auditOrphanedProjects,
+  auditShards,
   auditStats,
   fixBloated,
   fixDuplicates,
   fixNullVectors,
+  fixShards,
   formatReport,
   main,
   parseFlags,

package/dist/bin/exe-export-behaviors.js

@@ -2963,6 +2963,15 @@ function readMachineId() {
     return "";
   }
 }
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto3 = __require("crypto");
+  const iv = crypto3.randomBytes(12);
+  const cipher = crypto3.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
@@ -2981,6 +2990,21 @@ function decryptWithMachineKey(encrypted, machineKey) {
     return null;
   }
 }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
 async function getMasterKey() {
   const nativeValue = macKeychainGet() ?? linuxSecretGet();
   if (nativeValue) {
@@ -3032,6 +3056,20 @@ async function getMasterKey() {
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
     }
     return key;
   } catch (err) {
@@ -3304,6 +3342,7 @@ var init_memory_write_governor = __esm({
 // src/lib/shard-manager.ts
 var shard_manager_exports = {};
 __export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
   getOpenShardCount: () => getOpenShardCount,
@@ -3370,6 +3409,70 @@ function listShards() {
   if (!existsSync7(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");

package/dist/bin/exe-forget.js

@@ -2897,6 +2897,15 @@ function readMachineId() {
     return "";
   }
 }
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto2 = __require("crypto");
+  const iv = crypto2.randomBytes(12);
+  const cipher = crypto2.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
@@ -2915,6 +2924,21 @@ function decryptWithMachineKey(encrypted, machineKey) {
     return null;
   }
 }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
 async function getMasterKey() {
   const nativeValue = macKeychainGet() ?? linuxSecretGet();
   if (nativeValue) {
@@ -2966,6 +2990,20 @@ async function getMasterKey() {
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
     }
     return key;
   } catch (err) {
@@ -3238,6 +3276,7 @@ var init_memory_write_governor = __esm({
 // src/lib/shard-manager.ts
 var shard_manager_exports = {};
 __export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
   getOpenShardCount: () => getOpenShardCount,
@@ -3304,6 +3343,70 @@ function listShards() {
   if (!existsSync7(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");

package/dist/bin/exe-gateway.js

@@ -3611,6 +3611,15 @@ function readMachineId() {
     return "";
   }
 }
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto10 = __require("crypto");
+  const iv = crypto10.randomBytes(12);
+  const cipher = crypto10.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
@@ -3629,6 +3638,21 @@ function decryptWithMachineKey(encrypted, machineKey) {
     return null;
   }
 }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
 async function getMasterKey() {
   const nativeValue = macKeychainGet() ?? linuxSecretGet();
   if (nativeValue) {
@@ -3680,6 +3704,20 @@ async function getMasterKey() {
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
     }
     return key;
   } catch (err) {
@@ -3897,6 +3935,7 @@ var init_memory_write_governor = __esm({
 // src/lib/shard-manager.ts
 var shard_manager_exports = {};
 __export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
   getOpenShardCount: () => getOpenShardCount,
@@ -3963,6 +4002,70 @@ function listShards() {
   if (!existsSync8(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path9.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path9.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");