@askexenow/exe-os 0.9.53 → 0.9.55

package/dist/bin/git-sweep.js

@@ -6586,6 +6586,15 @@ function readMachineId() {
     return "";
   }
 }
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto7 = __require("crypto");
+  const iv = crypto7.randomBytes(12);
+  const cipher = crypto7.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
@@ -6604,6 +6613,21 @@ function decryptWithMachineKey(encrypted, machineKey) {
     return null;
   }
 }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir4(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile5(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile5(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
 async function getMasterKey() {
   const nativeValue = macKeychainGet() ?? linuxSecretGet();
   if (nativeValue) {
@@ -6655,6 +6679,20 @@ async function getMasterKey() {
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
     }
     return key;
   } catch (err) {
@@ -6872,6 +6910,7 @@ var init_memory_write_governor = __esm({
 // src/lib/shard-manager.ts
 var shard_manager_exports = {};
 __export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
   getOpenShardCount: () => getOpenShardCount,
@@ -6938,6 +6977,70 @@ function listShards() {
   if (!existsSync16(SHARDS_DIR)) return [];
   return readdirSync4(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun2 = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path19.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun2) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path19.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync4(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");

package/dist/bin/graph-backfill.js

@@ -2589,6 +2589,7 @@ var init_database = __esm({
 // src/lib/shard-manager.ts
 var shard_manager_exports = {};
 __export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
   getOpenShardCount: () => getOpenShardCount,
@@ -2655,6 +2656,70 @@ function listShards() {
   if (!existsSync7(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");
@@ -3294,6 +3359,15 @@ function readMachineId() {
     return "";
   }
 }
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto3 = __require("crypto");
+  const iv = crypto3.randomBytes(12);
+  const cipher = crypto3.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
@@ -3312,6 +3386,21 @@ function decryptWithMachineKey(encrypted, machineKey) {
     return null;
   }
 }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
 async function getMasterKey() {
   const nativeValue = macKeychainGet() ?? linuxSecretGet();
   if (nativeValue) {
@@ -3363,6 +3452,20 @@ async function getMasterKey() {
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
     }
     return key;
   } catch (err) {

package/dist/bin/graph-export.js

@@ -2897,6 +2897,15 @@ function readMachineId() {
     return "";
   }
 }
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto2 = __require("crypto");
+  const iv = crypto2.randomBytes(12);
+  const cipher = crypto2.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
@@ -2915,6 +2924,21 @@ function decryptWithMachineKey(encrypted, machineKey) {
     return null;
   }
 }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
 async function getMasterKey() {
   const nativeValue = macKeychainGet() ?? linuxSecretGet();
   if (nativeValue) {
@@ -2966,6 +2990,20 @@ async function getMasterKey() {
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
     }
     return key;
   } catch (err) {
@@ -3238,6 +3276,7 @@ var init_memory_write_governor = __esm({
 // src/lib/shard-manager.ts
 var shard_manager_exports = {};
 __export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
   getOpenShardCount: () => getOpenShardCount,
@@ -3304,6 +3343,70 @@ function listShards() {
   if (!existsSync7(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");

package/dist/bin/intercom-check.js

@@ -2996,6 +2996,15 @@ function readMachineId() {
     return "";
   }
 }
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto8 = __require("crypto");
+  const iv = crypto8.randomBytes(12);
+  const cipher = crypto8.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
@@ -3014,6 +3023,21 @@ function decryptWithMachineKey(encrypted, machineKey) {
     return null;
   }
 }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
 async function getMasterKey() {
   const nativeValue = macKeychainGet() ?? linuxSecretGet();
   if (nativeValue) {
@@ -3065,6 +3089,20 @@ async function getMasterKey() {
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
     }
     return key;
   } catch (err) {
@@ -3337,6 +3375,7 @@ var init_memory_write_governor = __esm({
 // src/lib/shard-manager.ts
 var shard_manager_exports = {};
 __export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
   getOpenShardCount: () => getOpenShardCount,
@@ -3403,6 +3442,70 @@ function listShards() {
   if (!existsSync7(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");

package/dist/bin/scan-tasks.js

@@ -6657,6 +6657,15 @@ function readMachineId() {
     return "";
   }
 }
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto7 = __require("crypto");
+  const iv = crypto7.randomBytes(12);
+  const cipher = crypto7.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
@@ -6675,6 +6684,21 @@ function decryptWithMachineKey(encrypted, machineKey) {
     return null;
   }
 }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir4(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile5(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile5(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
 async function getMasterKey() {
   const nativeValue = macKeychainGet() ?? linuxSecretGet();
   if (nativeValue) {
@@ -6726,6 +6750,20 @@ async function getMasterKey() {
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
     }
     return key;
   } catch (err) {
@@ -6943,6 +6981,7 @@ var init_memory_write_governor = __esm({
 // src/lib/shard-manager.ts
 var shard_manager_exports = {};
 __export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
   getOpenShardCount: () => getOpenShardCount,
@@ -7009,6 +7048,70 @@ function listShards() {
   if (!existsSync16(SHARDS_DIR)) return [];
   return readdirSync4(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path19.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path19.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync4(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
 async function ensureShardSchema(client) {
   await client.execute("PRAGMA journal_mode = WAL");
   await client.execute("PRAGMA busy_timeout = 30000");