@askexenow/exe-os 0.9.62 → 0.9.63

package/dist/bin/exe-doctor.js

@@ -15,70 +15,6 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
-// src/types/memory.ts
-var EMBEDDING_DIM;
-var init_memory = __esm({
-  "src/types/memory.ts"() {
-    "use strict";
-    EMBEDDING_DIM = 1024;
-  }
-});
-
-// src/lib/db-retry.ts
-function isBusyError(err) {
-  if (err instanceof Error) {
-    const msg = err.message.toLowerCase();
-    return msg.includes("sqlite_busy") || msg.includes("database is locked");
-  }
-  return false;
-}
-function delay(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function retryOnBusy(fn, label) {
-  let lastError;
-  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
-    try {
-      return await fn();
-    } catch (err) {
-      lastError = err;
-      if (!isBusyError(err) || attempt === MAX_RETRIES) {
-        throw err;
-      }
-      const backoff = BASE_DELAY_MS * Math.pow(2, attempt);
-      const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
-      process.stderr.write(
-        `[exe-os] SQLITE_BUSY ${label} retry ${attempt + 1}/${MAX_RETRIES} \u2014 waiting ${backoff + jitter}ms
-`
-      );
-      await delay(backoff + jitter);
-    }
-  }
-  throw lastError;
-}
-function wrapWithRetry(client) {
-  return new Proxy(client, {
-    get(target, prop, receiver) {
-      if (prop === "execute") {
-        return (sql) => retryOnBusy(() => target.execute(sql), "execute");
-      }
-      if (prop === "batch") {
-        return (stmts, mode) => retryOnBusy(() => target.batch(stmts, mode), "batch");
-      }
-      return Reflect.get(target, prop, receiver);
-    }
-  });
-}
-var MAX_RETRIES, BASE_DELAY_MS, MAX_JITTER_MS;
-var init_db_retry = __esm({
-  "src/lib/db-retry.ts"() {
-    "use strict";
-    MAX_RETRIES = 5;
-    BASE_DELAY_MS = 250;
-    MAX_JITTER_MS = 400;
-  }
-});
-
 // src/lib/secure-files.ts
 import { chmodSync, existsSync, mkdirSync } from "fs";
 import { chmod, mkdir } from "fs/promises";
@@ -302,162 +238,742 @@ var init_config = __esm({
   }
 });
 
-// src/lib/employees.ts
-import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
-import { execSync } from "child_process";
+// src/lib/shard-manager.ts
+var shard_manager_exports = {};
+__export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
+  disposeShards: () => disposeShards,
+  ensureShardSchema: () => ensureShardSchema,
+  getOpenShardCount: () => getOpenShardCount,
+  getReadyShardClient: () => getReadyShardClient,
+  getShardClient: () => getShardClient,
+  getShardsDir: () => getShardsDir,
+  initShardManager: () => initShardManager,
+  isShardingEnabled: () => isShardingEnabled,
+  listShards: () => listShards,
+  shardExists: () => shardExists
+});
 import path2 from "path";
-import os2 from "os";
-function normalizeRole(role) {
-  return (role ?? "").trim().toLowerCase();
-}
-function isCoordinatorRole(role) {
-  return normalizeRole(role) === normalizeRole(COORDINATOR_ROLE);
-}
-function getCoordinatorEmployee(employees) {
-  return employees.find((e) => isCoordinatorRole(e.role));
-}
-function getCoordinatorName(employees = loadEmployeesSync()) {
-  return getCoordinatorEmployee(employees)?.name ?? DEFAULT_COORDINATOR_TEMPLATE_NAME;
-}
-function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync3(employeesPath)) return [];
-  try {
-    return JSON.parse(readFileSync2(employeesPath, "utf-8"));
-  } catch {
-    return [];
-  }
-}
-var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, IDENTITY_DIR;
-var init_employees = __esm({
-  "src/lib/employees.ts"() {
-    "use strict";
-    init_config();
-    EMPLOYEES_PATH = path2.join(EXE_AI_DIR, "exe-employees.json");
-    DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
-    COORDINATOR_ROLE = "COO";
-    IDENTITY_DIR = path2.join(EXE_AI_DIR, "identity");
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync2, statSync } from "fs";
+import { createClient } from "@libsql/client";
+function initShardManager(encryptionKey) {
+  _encryptionKey = encryptionKey;
+  if (!existsSync3(SHARDS_DIR)) {
+    mkdirSync2(SHARDS_DIR, { recursive: true });
   }
-});
-
-// src/lib/database-adapter.ts
-import os3 from "os";
-import path3 from "path";
-import { createRequire } from "module";
-import { pathToFileURL } from "url";
-function quotedIdentifier(identifier) {
-  return `"${identifier.replace(/"/g, '""')}"`;
+  _shardingEnabled = true;
+  if (_evictionTimer) clearInterval(_evictionTimer);
+  _evictionTimer = setInterval(evictIdleShards, EVICTION_INTERVAL_MS);
+  _evictionTimer.unref();
 }
-function unqualifiedTableName(name) {
-  const raw = name.trim().replace(/^"|"$/g, "");
-  const parts = raw.split(".");
-  return parts[parts.length - 1].replace(/^"|"$/g, "").toLowerCase();
+function isShardingEnabled() {
+  return _shardingEnabled;
 }
-function stripTrailingSemicolon(sql) {
-  return sql.trim().replace(/;+\s*$/u, "");
+function getShardsDir() {
+  return SHARDS_DIR;
 }
-function appendClause(sql, clause) {
-  const trimmed = stripTrailingSemicolon(sql);
-  const returningMatch = /\sRETURNING\b[\s\S]*$/iu.exec(trimmed);
-  if (!returningMatch) {
-    return `${trimmed}${clause}`;
+function getShardClient(projectName) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
   }
-  const idx = returningMatch.index;
-  return `${trimmed.slice(0, idx)}${clause}${trimmed.slice(idx)}`;
-}
-function normalizeStatement(stmt) {
-  if (typeof stmt === "string") {
-    return { kind: "positional", sql: stmt, args: [] };
+  const safeName = safeShardName(projectName);
+  if (!safeName || safeName === "unknown") {
+    throw new Error(`Invalid project name for shard: "${projectName}" (resolved to "${safeName}")`);
   }
-  const sql = stmt.sql;
-  if (Array.isArray(stmt.args) || stmt.args === void 0) {
-    return { kind: "positional", sql, args: stmt.args ?? [] };
+  const cached = _shards.get(safeName);
+  if (cached) {
+    _shardLastAccess.set(safeName, Date.now());
+    return cached;
   }
-  return { kind: "named", sql, args: stmt.args };
-}
-function rewriteBooleanLiterals(sql) {
-  let out = sql;
-  for (const column of BOOLEAN_COLUMN_NAMES) {
-    const scoped = `((?:\\b[a-z_][a-z0-9_]*\\.)?${column})`;
-    out = out.replace(new RegExp(`${scoped}\\s*=\\s*0\\b`, "giu"), "$1 = FALSE");
-    out = out.replace(new RegExp(`${scoped}\\s*=\\s*1\\b`, "giu"), "$1 = TRUE");
-    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*0\\b`, "giu"), "$1 != FALSE");
-    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*1\\b`, "giu"), "$1 != TRUE");
-    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*0\\b`, "giu"), "$1 <> FALSE");
-    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*1\\b`, "giu"), "$1 <> TRUE");
+  while (_shards.size >= MAX_OPEN_SHARDS) {
+    evictLRU();
   }
-  return out;
+  const dbPath = path2.join(SHARDS_DIR, `${safeName}.db`);
+  const client = createClient({
+    url: `file:${dbPath}`,
+    encryptionKey: _encryptionKey
+  });
+  _shards.set(safeName, client);
+  _shardLastAccess.set(safeName, Date.now());
+  return client;
 }
-function rewriteInsertOrIgnore(sql) {
-  if (!/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu.test(sql)) {
-    return sql;
-  }
-  const replaced = sql.replace(/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu, "INSERT INTO");
-  return /\bON\s+CONFLICT\b/iu.test(replaced) ? replaced : appendClause(replaced, " ON CONFLICT DO NOTHING");
+function shardExists(projectName) {
+  const safeName = safeShardName(projectName);
+  return existsSync3(path2.join(SHARDS_DIR, `${safeName}.db`));
 }
-function rewriteInsertOrReplace(sql) {
-  const match = /^\s*INSERT\s+OR\s+REPLACE\s+INTO\s+([A-Za-z0-9_."]+)\s*\(([^)]+)\)([\s\S]*)$/iu.exec(sql);
-  if (!match) {
-    return sql;
-  }
-  const rawTable = match[1];
-  const rawColumns = match[2];
-  const remainder = match[3];
-  const tableName = unqualifiedTableName(rawTable);
-  const conflictKeys = UPSERT_KEYS[tableName];
-  if (!conflictKeys?.length) {
-    return sql;
-  }
-  const columns = rawColumns.split(",").map((col) => col.trim().replace(/^"|"$/g, ""));
-  const updateColumns = columns.filter((col) => !conflictKeys.includes(col));
-  const conflictTarget = conflictKeys.map(quotedIdentifier).join(", ");
-  const updateClause = updateColumns.length === 0 ? " DO NOTHING" : ` DO UPDATE SET ${updateColumns.map((col) => `${quotedIdentifier(col)} = EXCLUDED.${quotedIdentifier(col)}`).join(", ")}`;
-  return `INSERT INTO ${rawTable} (${rawColumns})${appendClause(remainder, ` ON CONFLICT (${conflictTarget})${updateClause}`)}`;
+function safeShardName(projectName) {
+  return projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
 }
-function rewriteSql(sql) {
-  let out = sql;
-  out = out.replace(/\bdatetime\(\s*['"]now['"]\s*\)/giu, "CURRENT_TIMESTAMP");
-  out = out.replace(/\bvector32\s*\(\s*\?\s*\)/giu, "?");
-  out = rewriteBooleanLiterals(out);
-  out = rewriteInsertOrReplace(out);
-  out = rewriteInsertOrIgnore(out);
-  return stripTrailingSemicolon(out);
+function listShards() {
+  if (!existsSync3(SHARDS_DIR)) return [];
+  return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
-function toBoolean(value) {
-  if (value === null || value === void 0) return value;
-  if (typeof value === "boolean") return value;
-  if (typeof value === "number") return value !== 0;
-  if (typeof value === "bigint") return value !== 0n;
-  if (typeof value === "string") {
-    const normalized = value.trim().toLowerCase();
-    if (normalized === "0" || normalized === "false") return false;
-    if (normalized === "1" || normalized === "true") return true;
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
   }
-  return Boolean(value);
-}
-function countQuestionMarks(sql, end) {
-  let count = 0;
-  let inSingle = false;
-  let inDouble = false;
-  let inLineComment = false;
-  let inBlockComment = false;
-  for (let i = 0; i < end; i++) {
-    const ch = sql[i];
-    const next = sql[i + 1];
-    if (inLineComment) {
-      if (ch === "\n") inLineComment = false;
-      continue;
-    }
-    if (inBlockComment) {
-      if (ch === "*" && next === "/") {
-        inBlockComment = false;
-        i += 1;
-      }
-      continue;
-    }
-    if (!inSingle && !inDouble && ch === "-" && next === "-") {
-      inLineComment = true;
-      i += 1;
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path2.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path2.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync2(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
+async function ensureShardSchema(client) {
+  await client.execute("PRAGMA journal_mode = WAL");
+  await client.execute("PRAGMA busy_timeout = 30000");
+  try {
+    await client.execute("PRAGMA libsql_vector_search_ef = 128");
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS memories (
+      id            TEXT PRIMARY KEY,
+      agent_id      TEXT NOT NULL,
+      agent_role    TEXT NOT NULL,
+      session_id    TEXT NOT NULL,
+      timestamp     TEXT NOT NULL,
+      tool_name     TEXT NOT NULL,
+      project_name  TEXT NOT NULL,
+      has_error     INTEGER NOT NULL DEFAULT 0,
+      raw_text      TEXT NOT NULL,
+      vector        F32_BLOB(1024),
+      version       INTEGER NOT NULL DEFAULT 0
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_memories_agent ON memories(agent_id);
+    CREATE INDEX IF NOT EXISTS idx_memories_timestamp ON memories(timestamp);
+    CREATE INDEX IF NOT EXISTS idx_memories_agent_project ON memories(agent_id, project_name);
+  `);
+  await client.executeMultiple(`
+    CREATE VIRTUAL TABLE IF NOT EXISTS memories_fts USING fts5(
+      raw_text,
+      content='memories',
+      content_rowid='rowid'
+    );
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ai AFTER INSERT ON memories BEGIN
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ad AFTER DELETE ON memories BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_au AFTER UPDATE ON memories BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+  `);
+  for (const col of [
+    "ALTER TABLE memories ADD COLUMN task_id TEXT",
+    "ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN author_device_id TEXT",
+    "ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'",
+    "ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5",
+    "ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'",
+    "ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN graph_extracted INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN content_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN graph_extracted_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN confidence REAL DEFAULT 0.7",
+    "ALTER TABLE memories ADD COLUMN last_accessed TEXT",
+    // Wiki linkage columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN workspace_id TEXT",
+    "ALTER TABLE memories ADD COLUMN document_id TEXT",
+    "ALTER TABLE memories ADD COLUMN user_id TEXT",
+    "ALTER TABLE memories ADD COLUMN char_offset INTEGER",
+    "ALTER TABLE memories ADD COLUMN page_number INTEGER",
+    // Source provenance columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN source_path TEXT",
+    "ALTER TABLE memories ADD COLUMN source_type TEXT DEFAULT 'text'",
+    "ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3",
+    "ALTER TABLE memories ADD COLUMN supersedes_id TEXT",
+    // MS-11: draft staging, MS-6a: memory_type, MS-7: trajectory
+    "ALTER TABLE memories ADD COLUMN draft INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'",
+    "ALTER TABLE memories ADD COLUMN trajectory TEXT",
+    // Metadata enrichment columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN intent TEXT",
+    "ALTER TABLE memories ADD COLUMN outcome TEXT",
+    "ALTER TABLE memories ADD COLUMN domain TEXT",
+    "ALTER TABLE memories ADD COLUMN referenced_entities TEXT",
+    "ALTER TABLE memories ADD COLUMN retrieval_count INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN chain_position TEXT",
+    "ALTER TABLE memories ADD COLUMN review_status TEXT",
+    "ALTER TABLE memories ADD COLUMN context_window_pct INTEGER",
+    "ALTER TABLE memories ADD COLUMN file_paths TEXT",
+    "ALTER TABLE memories ADD COLUMN commit_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN duration_ms INTEGER",
+    "ALTER TABLE memories ADD COLUMN token_cost REAL",
+    "ALTER TABLE memories ADD COLUMN audience TEXT",
+    "ALTER TABLE memories ADD COLUMN language_type TEXT",
+    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT",
+    "ALTER TABLE memories ADD COLUMN deleted_at TEXT"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+  for (const idx of [
+    "CREATE INDEX IF NOT EXISTS idx_memories_tier ON memories(tier)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_supersedes ON memories(supersedes_id) WHERE supersedes_id IS NOT NULL",
+    "CREATE INDEX IF NOT EXISTS idx_memories_scoped_content_hash ON memories(content_hash, agent_id, project_name, memory_type) WHERE content_hash IS NOT NULL"
+  ]) {
+    try {
+      await client.execute(idx);
+    } catch {
+    }
+  }
+  try {
+    await client.execute("CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status)");
+  } catch {
+  }
+  for (const idx of [
+    "CREATE INDEX IF NOT EXISTS idx_memories_workspace ON memories(workspace_id)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_document ON memories(document_id)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_user ON memories(user_id)"
+  ]) {
+    try {
+      await client.execute(idx);
+    } catch {
+    }
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS entities (
+      id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      type TEXT NOT NULL,
+      first_seen TEXT NOT NULL,
+      last_seen TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(name, type)
+    );
+
+    CREATE TABLE IF NOT EXISTS relationships (
+      id TEXT PRIMARY KEY,
+      source_entity_id TEXT NOT NULL,
+      target_entity_id TEXT NOT NULL,
+      type TEXT NOT NULL,
+      weight REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(source_entity_id, target_entity_id, type)
+    );
+
+    CREATE TABLE IF NOT EXISTS entity_memories (
+      entity_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (entity_id, memory_id)
+    );
+
+    CREATE TABLE IF NOT EXISTS relationship_memories (
+      relationship_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (relationship_id, memory_id)
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_entities_name ON entities(name);
+    CREATE INDEX IF NOT EXISTS idx_entities_type ON entities(type);
+    CREATE INDEX IF NOT EXISTS idx_relationships_source ON relationships(source_entity_id);
+    CREATE INDEX IF NOT EXISTS idx_relationships_target ON relationships(target_entity_id);
+    CREATE INDEX IF NOT EXISTS idx_relationships_type ON relationships(type);
+
+    CREATE TABLE IF NOT EXISTS hyperedges (
+      id TEXT PRIMARY KEY,
+      label TEXT NOT NULL,
+      relation TEXT NOT NULL,
+      confidence REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS hyperedge_nodes (
+      hyperedge_id TEXT NOT NULL,
+      entity_id TEXT NOT NULL,
+      PRIMARY KEY (hyperedge_id, entity_id)
+    );
+  `);
+  for (const col of [
+    "ALTER TABLE relationships ADD COLUMN confidence REAL DEFAULT 1.0",
+    "ALTER TABLE relationships ADD COLUMN confidence_label TEXT DEFAULT 'extracted'"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+}
+async function getReadyShardClient(projectName) {
+  const safeName = safeShardName(projectName);
+  let client = getShardClient(projectName);
+  try {
+    await ensureShardSchema(client);
+    return client;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (!/SQLITE_NOTADB|file is not a database/i.test(message)) throw err;
+    client.close();
+    _shards.delete(safeName);
+    _shardLastAccess.delete(safeName);
+    const dbPath = path2.join(SHARDS_DIR, `${safeName}.db`);
+    if (existsSync3(dbPath)) {
+      const stat = statSync(dbPath);
+      const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+      const archivedPath = path2.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
+      renameSync2(dbPath, archivedPath);
+      process.stderr.write(
+        `[shard-manager] Archived unreadable shard ${safeName}: ${archivedPath} (${stat.size} bytes, mtime ${stat.mtime.toISOString()})
+`
+      );
+    }
+    client = getShardClient(projectName);
+    await ensureShardSchema(client);
+    return client;
+  }
+}
+function evictLRU() {
+  let oldest = null;
+  let oldestTime = Infinity;
+  for (const [name, time] of _shardLastAccess) {
+    if (time < oldestTime) {
+      oldestTime = time;
+      oldest = name;
+    }
+  }
+  if (oldest) {
+    const client = _shards.get(oldest);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(oldest);
+    _shardLastAccess.delete(oldest);
+  }
+}
+function evictIdleShards() {
+  const now = Date.now();
+  const toEvict = [];
+  for (const [name, lastAccess] of _shardLastAccess) {
+    if (now - lastAccess > SHARD_IDLE_MS) {
+      toEvict.push(name);
+    }
+  }
+  for (const name of toEvict) {
+    const client = _shards.get(name);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(name);
+    _shardLastAccess.delete(name);
+  }
+}
+function getOpenShardCount() {
+  return _shards.size;
+}
+function disposeShards() {
+  if (_evictionTimer) {
+    clearInterval(_evictionTimer);
+    _evictionTimer = null;
+  }
+  for (const [, client] of _shards) {
+    client.close();
+  }
+  _shards.clear();
+  _shardLastAccess.clear();
+  _shardingEnabled = false;
+  _encryptionKey = null;
+}
+var SHARDS_DIR, SHARD_IDLE_MS, MAX_OPEN_SHARDS, EVICTION_INTERVAL_MS, _shards, _shardLastAccess, _evictionTimer, _encryptionKey, _shardingEnabled;
+var init_shard_manager = __esm({
+  "src/lib/shard-manager.ts"() {
+    "use strict";
+    init_config();
+    SHARDS_DIR = path2.join(EXE_AI_DIR, "shards");
+    SHARD_IDLE_MS = 5 * 60 * 1e3;
+    MAX_OPEN_SHARDS = 10;
+    EVICTION_INTERVAL_MS = 60 * 1e3;
+    _shards = /* @__PURE__ */ new Map();
+    _shardLastAccess = /* @__PURE__ */ new Map();
+    _evictionTimer = null;
+    _encryptionKey = null;
+    _shardingEnabled = false;
+  }
+});
+
+// src/lib/worker-gate.ts
+var worker_gate_exports = {};
+__export(worker_gate_exports, {
+  MAX_CONCURRENT_WORKERS: () => MAX_CONCURRENT_WORKERS,
+  cleanupWorkerPid: () => cleanupWorkerPid,
+  registerWorkerPid: () => registerWorkerPid,
+  releaseBackfillLock: () => releaseBackfillLock,
+  tryAcquireBackfillLock: () => tryAcquireBackfillLock,
+  tryAcquireWorkerSlot: () => tryAcquireWorkerSlot
+});
+import { readdirSync as readdirSync2, writeFileSync, unlinkSync, mkdirSync as mkdirSync3, existsSync as existsSync4 } from "fs";
+import path3 from "path";
+function tryAcquireWorkerSlot() {
+  try {
+    mkdirSync3(WORKER_PID_DIR, { recursive: true });
+    const reservationId = `res-${process.pid}-${Date.now()}`;
+    const reservationPath = path3.join(WORKER_PID_DIR, `${reservationId}.pid`);
+    writeFileSync(reservationPath, String(process.pid));
+    const files = readdirSync2(WORKER_PID_DIR);
+    let alive = 0;
+    for (const f of files) {
+      if (!f.endsWith(".pid")) continue;
+      if (f.startsWith("res-")) {
+        alive++;
+        continue;
+      }
+      const dashIdx = f.lastIndexOf("-");
+      const pid = parseInt(f.slice(dashIdx + 1).replace(".pid", ""), 10);
+      if (isNaN(pid)) continue;
+      try {
+        process.kill(pid, 0);
+        alive++;
+      } catch {
+        try {
+          unlinkSync(path3.join(WORKER_PID_DIR, f));
+        } catch {
+        }
+      }
+    }
+    if (alive > MAX_CONCURRENT_WORKERS) {
+      try {
+        unlinkSync(reservationPath);
+      } catch {
+      }
+      return false;
+    }
+    try {
+      unlinkSync(reservationPath);
+    } catch {
+    }
+    return true;
+  } catch {
+    return true;
+  }
+}
+function registerWorkerPid(pid) {
+  try {
+    mkdirSync3(WORKER_PID_DIR, { recursive: true });
+    writeFileSync(path3.join(WORKER_PID_DIR, `worker-${pid}.pid`), String(pid));
+  } catch {
+  }
+}
+function cleanupWorkerPid() {
+  try {
+    unlinkSync(path3.join(WORKER_PID_DIR, `worker-${process.pid}.pid`));
+  } catch {
+  }
+}
+function tryAcquireBackfillLock() {
+  try {
+    mkdirSync3(WORKER_PID_DIR, { recursive: true });
+    if (existsSync4(BACKFILL_LOCK)) {
+      try {
+        const pid = parseInt(
+          __require("fs").readFileSync(BACKFILL_LOCK, "utf8").trim(),
+          10
+        );
+        if (!isNaN(pid) && pid > 0) {
+          try {
+            process.kill(pid, 0);
+            return false;
+          } catch {
+          }
+        }
+      } catch {
+      }
+    }
+    writeFileSync(BACKFILL_LOCK, String(process.pid));
+    return true;
+  } catch {
+    return true;
+  }
+}
+function releaseBackfillLock() {
+  try {
+    unlinkSync(BACKFILL_LOCK);
+  } catch {
+  }
+}
+var WORKER_PID_DIR, MAX_CONCURRENT_WORKERS, BACKFILL_LOCK;
+var init_worker_gate = __esm({
+  "src/lib/worker-gate.ts"() {
+    "use strict";
+    init_config();
+    WORKER_PID_DIR = path3.join(EXE_AI_DIR, "worker-pids");
+    MAX_CONCURRENT_WORKERS = 3;
+    BACKFILL_LOCK = path3.join(WORKER_PID_DIR, "backfill.lock");
+  }
+});
+
+// src/lib/db-retry.ts
+function isBusyError(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
+  }
+  return false;
+}
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function retryOnBusy(fn, label) {
+  let lastError;
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (!isBusyError(err) || attempt === MAX_RETRIES) {
+        throw err;
+      }
+      const backoff = BASE_DELAY_MS * Math.pow(2, attempt);
+      const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
+      process.stderr.write(
+        `[exe-os] SQLITE_BUSY ${label} retry ${attempt + 1}/${MAX_RETRIES} \u2014 waiting ${backoff + jitter}ms
+`
+      );
+      await delay(backoff + jitter);
+    }
+  }
+  throw lastError;
+}
+function wrapWithRetry(client) {
+  return new Proxy(client, {
+    get(target, prop, receiver) {
+      if (prop === "execute") {
+        return (sql) => retryOnBusy(() => target.execute(sql), "execute");
+      }
+      if (prop === "batch") {
+        return (stmts, mode) => retryOnBusy(() => target.batch(stmts, mode), "batch");
+      }
+      return Reflect.get(target, prop, receiver);
+    }
+  });
+}
+var MAX_RETRIES, BASE_DELAY_MS, MAX_JITTER_MS;
+var init_db_retry = __esm({
+  "src/lib/db-retry.ts"() {
+    "use strict";
+    MAX_RETRIES = 5;
+    BASE_DELAY_MS = 250;
+    MAX_JITTER_MS = 400;
+  }
+});
+
+// src/lib/employees.ts
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { existsSync as existsSync5, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync3, unlinkSync as unlinkSync2, writeFileSync as writeFileSync2 } from "fs";
+import { execSync } from "child_process";
+import path4 from "path";
+import os2 from "os";
+function normalizeRole(role) {
+  return (role ?? "").trim().toLowerCase();
+}
+function isCoordinatorRole(role) {
+  return normalizeRole(role) === normalizeRole(COORDINATOR_ROLE);
+}
+function getCoordinatorEmployee(employees) {
+  return employees.find((e) => isCoordinatorRole(e.role));
+}
+function getCoordinatorName(employees = loadEmployeesSync()) {
+  return getCoordinatorEmployee(employees)?.name ?? DEFAULT_COORDINATOR_TEMPLATE_NAME;
+}
+function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
+  if (!existsSync5(employeesPath)) return [];
+  try {
+    return JSON.parse(readFileSync2(employeesPath, "utf-8"));
+  } catch {
+    return [];
+  }
+}
+var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, IDENTITY_DIR;
+var init_employees = __esm({
+  "src/lib/employees.ts"() {
+    "use strict";
+    init_config();
+    EMPLOYEES_PATH = path4.join(EXE_AI_DIR, "exe-employees.json");
+    DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
+    COORDINATOR_ROLE = "COO";
+    IDENTITY_DIR = path4.join(EXE_AI_DIR, "identity");
+  }
+});
+
+// src/lib/database-adapter.ts
+import os3 from "os";
+import path5 from "path";
+import { createRequire } from "module";
+import { pathToFileURL } from "url";
+function quotedIdentifier(identifier) {
+  return `"${identifier.replace(/"/g, '""')}"`;
+}
+function unqualifiedTableName(name) {
+  const raw = name.trim().replace(/^"|"$/g, "");
+  const parts = raw.split(".");
+  return parts[parts.length - 1].replace(/^"|"$/g, "").toLowerCase();
+}
+function stripTrailingSemicolon(sql) {
+  return sql.trim().replace(/;+\s*$/u, "");
+}
+function appendClause(sql, clause) {
+  const trimmed = stripTrailingSemicolon(sql);
+  const returningMatch = /\sRETURNING\b[\s\S]*$/iu.exec(trimmed);
+  if (!returningMatch) {
+    return `${trimmed}${clause}`;
+  }
+  const idx = returningMatch.index;
+  return `${trimmed.slice(0, idx)}${clause}${trimmed.slice(idx)}`;
+}
+function normalizeStatement(stmt) {
+  if (typeof stmt === "string") {
+    return { kind: "positional", sql: stmt, args: [] };
+  }
+  const sql = stmt.sql;
+  if (Array.isArray(stmt.args) || stmt.args === void 0) {
+    return { kind: "positional", sql, args: stmt.args ?? [] };
+  }
+  return { kind: "named", sql, args: stmt.args };
+}
+function rewriteBooleanLiterals(sql) {
+  let out = sql;
+  for (const column of BOOLEAN_COLUMN_NAMES) {
+    const scoped = `((?:\\b[a-z_][a-z0-9_]*\\.)?${column})`;
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*0\\b`, "giu"), "$1 = FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*1\\b`, "giu"), "$1 = TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*0\\b`, "giu"), "$1 != FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*1\\b`, "giu"), "$1 != TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*0\\b`, "giu"), "$1 <> FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*1\\b`, "giu"), "$1 <> TRUE");
+  }
+  return out;
+}
+function rewriteInsertOrIgnore(sql) {
+  if (!/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu.test(sql)) {
+    return sql;
+  }
+  const replaced = sql.replace(/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu, "INSERT INTO");
+  return /\bON\s+CONFLICT\b/iu.test(replaced) ? replaced : appendClause(replaced, " ON CONFLICT DO NOTHING");
+}
+function rewriteInsertOrReplace(sql) {
+  const match = /^\s*INSERT\s+OR\s+REPLACE\s+INTO\s+([A-Za-z0-9_."]+)\s*\(([^)]+)\)([\s\S]*)$/iu.exec(sql);
+  if (!match) {
+    return sql;
+  }
+  const rawTable = match[1];
+  const rawColumns = match[2];
+  const remainder = match[3];
+  const tableName = unqualifiedTableName(rawTable);
+  const conflictKeys = UPSERT_KEYS[tableName];
+  if (!conflictKeys?.length) {
+    return sql;
+  }
+  const columns = rawColumns.split(",").map((col) => col.trim().replace(/^"|"$/g, ""));
+  const updateColumns = columns.filter((col) => !conflictKeys.includes(col));
+  const conflictTarget = conflictKeys.map(quotedIdentifier).join(", ");
+  const updateClause = updateColumns.length === 0 ? " DO NOTHING" : ` DO UPDATE SET ${updateColumns.map((col) => `${quotedIdentifier(col)} = EXCLUDED.${quotedIdentifier(col)}`).join(", ")}`;
+  return `INSERT INTO ${rawTable} (${rawColumns})${appendClause(remainder, ` ON CONFLICT (${conflictTarget})${updateClause}`)}`;
+}
+function rewriteSql(sql) {
+  let out = sql;
+  out = out.replace(/\bdatetime\(\s*['"]now['"]\s*\)/giu, "CURRENT_TIMESTAMP");
+  out = out.replace(/\bvector32\s*\(\s*\?\s*\)/giu, "?");
+  out = rewriteBooleanLiterals(out);
+  out = rewriteInsertOrReplace(out);
+  out = rewriteInsertOrIgnore(out);
+  return stripTrailingSemicolon(out);
+}
+function toBoolean(value) {
+  if (value === null || value === void 0) return value;
+  if (typeof value === "boolean") return value;
+  if (typeof value === "number") return value !== 0;
+  if (typeof value === "bigint") return value !== 0n;
+  if (typeof value === "string") {
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "0" || normalized === "false") return false;
+    if (normalized === "1" || normalized === "true") return true;
+  }
+  return Boolean(value);
+}
+function countQuestionMarks(sql, end) {
+  let count = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < end; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      if (ch === "*" && next === "/") {
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      inLineComment = true;
+      i += 1;
       continue;
     }
     if (!inSingle && !inDouble && ch === "/" && next === "*") {
@@ -653,8 +1169,8 @@ async function loadPrismaClient() {
         }
         return new PrismaClient2();
       }
-      const exeDbRoot = process.env.EXE_DB_ROOT ?? path3.join(os3.homedir(), "exe-db");
-      const requireFromExeDb = createRequire(path3.join(exeDbRoot, "package.json"));
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path5.join(os3.homedir(), "exe-db");
+      const requireFromExeDb = createRequire(path5.join(exeDbRoot, "package.json"));
       const prismaEntry = requireFromExeDb.resolve("@prisma/client");
       const module = await import(pathToFileURL(prismaEntry).href);
       const PrismaClient = module.PrismaClient ?? module.default?.PrismaClient;
@@ -924,10 +1440,19 @@ var init_database_adapter = __esm({
   }
 });
 
+// src/types/memory.ts
+var EMBEDDING_DIM;
+var init_memory = __esm({
+  "src/types/memory.ts"() {
+    "use strict";
+    EMBEDDING_DIM = 1024;
+  }
+});
+
 // src/lib/daemon-auth.ts
 import crypto from "crypto";
-import path4 from "path";
-import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import path6 from "path";
+import { existsSync as existsSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
 function normalizeToken(token) {
   if (!token) return null;
   const trimmed = token.trim();
@@ -935,7 +1460,7 @@ function normalizeToken(token) {
 }
 function readDaemonToken() {
   try {
-    if (!existsSync4(DAEMON_TOKEN_PATH)) return null;
+    if (!existsSync6(DAEMON_TOKEN_PATH)) return null;
     return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
   } catch {
     return null;
@@ -946,7 +1471,7 @@ function ensureDaemonToken(seed) {
   if (existing) return existing;
   const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
   ensurePrivateDirSync(EXE_AI_DIR);
-  writeFileSync2(DAEMON_TOKEN_PATH, `${token}
+  writeFileSync3(DAEMON_TOKEN_PATH, `${token}
 `, "utf8");
   enforcePrivateFileSync(DAEMON_TOKEN_PATH);
   return token;
@@ -957,18 +1482,29 @@ var init_daemon_auth = __esm({
     "use strict";
     init_config();
     init_secure_files();
-    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
+    DAEMON_TOKEN_PATH = path6.join(EXE_AI_DIR, "exed.token");
   }
 });
 
 // src/lib/exe-daemon-client.ts
+var exe_daemon_client_exports = {};
+__export(exe_daemon_client_exports, {
+  connectEmbedDaemon: () => connectEmbedDaemon,
+  disconnectClient: () => disconnectClient,
+  embedBatchViaClient: () => embedBatchViaClient,
+  embedViaClient: () => embedViaClient,
+  isClientConnected: () => isClientConnected,
+  pingDaemon: () => pingDaemon,
+  sendDaemonRequest: () => sendDaemonRequest,
+  sendIngestRequest: () => sendIngestRequest
+});
 import net from "net";
 import os4 from "os";
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync5, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
-import path5 from "path";
-import { fileURLToPath } from "url";
+import { existsSync as existsSync7, unlinkSync as unlinkSync3, readFileSync as readFileSync4, openSync, closeSync, statSync as statSync2 } from "fs";
+import path7 from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
   if (_buffer.length > MAX_BUFFER) {
@@ -995,7 +1531,7 @@ function handleData(chunk) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync5(PID_PATH)) {
+  if (existsSync7(PID_PATH)) {
     try {
       const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
@@ -1008,21 +1544,21 @@ function cleanupStaleFiles() {
     } catch {
     }
     try {
-      unlinkSync2(PID_PATH);
+      unlinkSync3(PID_PATH);
     } catch {
     }
     try {
-      unlinkSync2(SOCKET_PATH);
+      unlinkSync3(SOCKET_PATH);
     } catch {
     }
   }
 }
 function findPackageRoot() {
-  let dir = path5.dirname(fileURLToPath(import.meta.url));
-  const { root } = path5.parse(dir);
+  let dir = path7.dirname(fileURLToPath2(import.meta.url));
+  const { root } = path7.parse(dir);
   while (dir !== root) {
-    if (existsSync5(path5.join(dir, "package.json"))) return dir;
-    dir = path5.dirname(dir);
+    if (existsSync7(path7.join(dir, "package.json"))) return dir;
+    dir = path7.dirname(dir);
   }
   return null;
 }
@@ -1069,8 +1605,8 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync5(daemonPath)) {
+  const daemonPath = path7.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync7(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
@@ -1079,7 +1615,7 @@ function spawnDaemon() {
   const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path7.join(path7.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -1116,10 +1652,10 @@ function acquireSpawnLock() {
     return true;
   } catch {
     try {
-      const stat = statSync(SPAWN_LOCK_PATH);
+      const stat = statSync2(SPAWN_LOCK_PATH);
       if (Date.now() - stat.mtimeMs > SPAWN_LOCK_STALE_MS) {
         try {
-          unlinkSync2(SPAWN_LOCK_PATH);
+          unlinkSync3(SPAWN_LOCK_PATH);
         } catch {
         }
         try {
@@ -1136,7 +1672,7 @@ function acquireSpawnLock() {
 }
 function releaseSpawnLock() {
   try {
-    unlinkSync2(SPAWN_LOCK_PATH);
+    unlinkSync3(SPAWN_LOCK_PATH);
   } catch {
   }
 }
@@ -1198,6 +1734,9 @@ async function connectEmbedDaemon() {
   }
   return false;
 }
+function sendRequest(texts, priority) {
+  return sendDaemonRequest({ texts, priority });
+}
 function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
   return new Promise((resolve) => {
     if (!_socket || !_connected) {
@@ -1218,20 +1757,180 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
       _pending.delete(id);
       resolve({ error: "Write failed" });
     }
-  });
+  });
+}
+async function pingDaemon() {
+  if (!_socket || !_connected) return null;
+  const response = await sendDaemonRequest({ type: "health" }, 5e3);
+  if (response.health) {
+    return response.health;
+  }
+  return null;
+}
+function killAndRespawnDaemon() {
+  if (!acquireSpawnLock()) {
+    process.stderr.write("[exed-client] Another process is already restarting daemon \u2014 skipping\n");
+    if (_socket) {
+      _socket.destroy();
+      _socket = null;
+    }
+    _connected = false;
+    _buffer = "";
+    return;
+  }
+  try {
+    process.stderr.write("[exed-client] Killing daemon for restart...\n");
+    if (existsSync7(PID_PATH)) {
+      try {
+        const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
+        if (pid > 0) {
+          try {
+            process.kill(pid, "SIGKILL");
+          } catch {
+          }
+        }
+      } catch {
+      }
+    }
+    if (_socket) {
+      _socket.destroy();
+      _socket = null;
+    }
+    _connected = false;
+    _buffer = "";
+    try {
+      unlinkSync3(PID_PATH);
+    } catch {
+    }
+    try {
+      unlinkSync3(SOCKET_PATH);
+    } catch {
+    }
+    spawnDaemon();
+  } finally {
+    releaseSpawnLock();
+  }
+}
+function isDaemonTooYoung() {
+  try {
+    const stat = statSync2(PID_PATH);
+    return Date.now() - stat.mtimeMs < MIN_DAEMON_AGE_MS;
+  } catch {
+    return false;
+  }
+}
+async function retryThenRestart(doRequest, label) {
+  const result = await doRequest();
+  if (!result.error) {
+    _consecutiveFailures = 0;
+    return result;
+  }
+  _consecutiveFailures++;
+  for (let i = 0; i < MAX_RETRIES_BEFORE_RESTART; i++) {
+    const delayMs = RETRY_DELAYS_MS[i] ?? 5e3;
+    process.stderr.write(`[exed-client] ${label} failed (${result.error}), retry ${i + 1}/${MAX_RETRIES_BEFORE_RESTART} in ${delayMs}ms
+`);
+    await new Promise((r) => setTimeout(r, delayMs));
+    if (!_connected) {
+      if (!await connectToSocket()) continue;
+    }
+    const retry = await doRequest();
+    if (!retry.error) {
+      _consecutiveFailures = 0;
+      return retry;
+    }
+    _consecutiveFailures++;
+  }
+  if (isDaemonTooYoung()) {
+    process.stderr.write(`[exed-client] ${label}: daemon too young (< ${MIN_DAEMON_AGE_MS / 1e3}s) \u2014 skipping restart
+`);
+    return { error: result.error };
+  }
+  process.stderr.write(`[exed-client] ${label}: ${_consecutiveFailures} consecutive failures \u2014 restarting daemon
+`);
+  killAndRespawnDaemon();
+  const start = Date.now();
+  let delay2 = 200;
+  while (Date.now() - start < CONNECT_TIMEOUT_MS) {
+    await new Promise((r) => setTimeout(r, delay2));
+    if (await connectToSocket()) break;
+    delay2 = Math.min(delay2 * 2, 3e3);
+  }
+  if (!_connected) return { error: "Daemon restart failed" };
+  const final = await doRequest();
+  if (!final.error) _consecutiveFailures = 0;
+  return final;
+}
+async function embedViaClient(text, priority = "high") {
+  if (!_connected && !await connectEmbedDaemon()) return null;
+  _requestCount++;
+  if (_requestCount % HEALTH_CHECK_INTERVAL === 0) {
+    const health = await pingDaemon();
+    if (!health && !isDaemonTooYoung()) {
+      process.stderr.write(`[exed-client] Periodic health check failed at request ${_requestCount} \u2014 restarting daemon
+`);
+      killAndRespawnDaemon();
+      const start = Date.now();
+      let d = 200;
+      while (Date.now() - start < CONNECT_TIMEOUT_MS) {
+        await new Promise((r) => setTimeout(r, d));
+        if (await connectToSocket()) break;
+        d = Math.min(d * 2, 3e3);
+      }
+      if (!_connected) return null;
+    }
+  }
+  const result = await retryThenRestart(
+    () => sendRequest([text], priority),
+    "Embed"
+  );
+  return !result.error && result.vectors?.[0] ? result.vectors[0] : null;
+}
+async function embedBatchViaClient(texts, priority = "high") {
+  if (!_connected && !await connectEmbedDaemon()) return null;
+  _requestCount++;
+  const result = await retryThenRestart(
+    () => sendRequest(texts, priority),
+    "Batch embed"
+  );
+  return !result.error && result.vectors ? result.vectors : null;
+}
+function disconnectClient() {
+  if (_socket) {
+    _socket.destroy();
+    _socket = null;
+  }
+  _connected = false;
+  _buffer = "";
+  for (const [id, entry] of _pending) {
+    clearTimeout(entry.timer);
+    _pending.delete(id);
+    entry.resolve({ error: "Client disconnected" });
+  }
 }
 function isClientConnected() {
   return _connected;
 }
-var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _pending, MAX_BUFFER;
+function sendIngestRequest(payload) {
+  if (!_socket || !_connected) return false;
+  try {
+    const id = randomUUID();
+    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
+    _socket.write(JSON.stringify({ id, token, type: "ingest", ...payload }) + "\n");
+    return true;
+  } catch {
+    return false;
+  }
+}
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _requestCount, _consecutiveFailures, HEALTH_CHECK_INTERVAL, MAX_RETRIES_BEFORE_RESTART, RETRY_DELAYS_MS, MIN_DAEMON_AGE_MS, _pending, MAX_BUFFER;
 var init_exe_daemon_client = __esm({
   "src/lib/exe-daemon-client.ts"() {
     "use strict";
     init_config();
     init_daemon_auth();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path7.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path7.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path7.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
@@ -1239,12 +1938,27 @@ var init_exe_daemon_client = __esm({
     _socket = null;
     _connected = false;
     _buffer = "";
+    _requestCount = 0;
+    _consecutiveFailures = 0;
+    HEALTH_CHECK_INTERVAL = 100;
+    MAX_RETRIES_BEFORE_RESTART = 3;
+    RETRY_DELAYS_MS = [1e3, 3e3, 5e3];
+    MIN_DAEMON_AGE_MS = 3e4;
     _pending = /* @__PURE__ */ new Map();
     MAX_BUFFER = 1e7;
   }
 });
 
 // src/lib/daemon-protocol.ts
+var daemon_protocol_exports = {};
+__export(daemon_protocol_exports, {
+  deserializeArgs: () => deserializeArgs,
+  deserializeResultSet: () => deserializeResultSet,
+  deserializeValue: () => deserializeValue,
+  serializeArgs: () => serializeArgs,
+  serializeResultSet: () => serializeResultSet,
+  serializeValue: () => serializeValue
+});
 function serializeValue(v) {
   if (v === null || v === void 0) return null;
   if (typeof v === "bigint") return Number(v);
@@ -1269,6 +1983,32 @@ function deserializeValue(v) {
   }
   return v;
 }
+function serializeArgs(args) {
+  return args.map(serializeValue);
+}
+function deserializeArgs(args) {
+  return args.map(deserializeValue);
+}
+function serializeResultSet(rs) {
+  const rows = [];
+  for (const row of rs.rows) {
+    const obj = {};
+    for (let i = 0; i < rs.columns.length; i++) {
+      const col = rs.columns[i];
+      if (col !== void 0) {
+        obj[col] = serializeValue(row[i]);
+      }
+    }
+    rows.push(obj);
+  }
+  return {
+    columns: [...rs.columns],
+    columnTypes: [...rs.columnTypes ?? []],
+    rows,
+    rowsAffected: typeof rs.rowsAffected === "bigint" ? Number(rs.rowsAffected) : rs.rowsAffected ?? 0,
+    lastInsertRowid: rs.lastInsertRowid != null ? typeof rs.lastInsertRowid === "bigint" ? Number(rs.lastInsertRowid) : rs.lastInsertRowid : null
+  };
+}
 function deserializeResultSet(srs) {
   const rows = srs.rows.map((obj) => {
     const values = srs.columns.map(
@@ -1458,7 +2198,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
-import { createClient } from "@libsql/client";
+import { createClient as createClient2 } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
     clearInterval(_walCheckpointTimer);
@@ -1483,7 +2223,7 @@ async function initDatabase(config) {
   if (config.encryptionKey) {
     opts.encryptionKey = config.encryptionKey;
   }
-  _client = createClient(opts);
+  _client = createClient2(opts);
   _resilientClient = wrapWithRetry(_client);
   _adapterClient = _resilientClient;
   _client.execute("PRAGMA busy_timeout = 30000").catch(() => {
@@ -2604,309 +3344,33 @@ async function ensureSchema() {
     });
   } catch {
   }
-  try {
-    await client.execute(
-      `CREATE INDEX IF NOT EXISTS idx_memories_draft ON memories(draft) WHERE draft = 1`
-    );
-  } catch {
-  }
-  try {
-    await client.execute({
-      sql: `ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'`,
-      args: []
-    });
-  } catch {
-  }
-  try {
-    await client.execute(
-      `CREATE INDEX IF NOT EXISTS idx_memories_type ON memories(memory_type)`
-    );
-  } catch {
-  }
-  try {
-    await client.execute({
-      sql: `ALTER TABLE memories ADD COLUMN trajectory TEXT`,
-      args: []
-    });
-  } catch {
-  }
-  for (const col of [
-    "ALTER TABLE memories ADD COLUMN intent TEXT",
-    "ALTER TABLE memories ADD COLUMN outcome TEXT",
-    "ALTER TABLE memories ADD COLUMN domain TEXT",
-    "ALTER TABLE memories ADD COLUMN referenced_entities TEXT",
-    "ALTER TABLE memories ADD COLUMN retrieval_count INTEGER DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN chain_position TEXT",
-    "ALTER TABLE memories ADD COLUMN review_status TEXT",
-    "ALTER TABLE memories ADD COLUMN context_window_pct INTEGER",
-    "ALTER TABLE memories ADD COLUMN file_paths TEXT",
-    "ALTER TABLE memories ADD COLUMN commit_hash TEXT",
-    "ALTER TABLE memories ADD COLUMN duration_ms INTEGER",
-    "ALTER TABLE memories ADD COLUMN token_cost REAL",
-    "ALTER TABLE memories ADD COLUMN audience TEXT",
-    "ALTER TABLE memories ADD COLUMN language_type TEXT",
-    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT"
-  ]) {
-    try {
-      await client.execute(col);
-    } catch {
-    }
-  }
-  try {
-    await client.execute({
-      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
-      args: []
-    });
-  } catch {
-  }
-}
-async function disposeDatabase() {
-  if (_walCheckpointTimer) {
-    clearInterval(_walCheckpointTimer);
-    _walCheckpointTimer = null;
-  }
-  if (_daemonClient) {
-    _daemonClient.close();
-    _daemonClient = null;
-  }
-  if (_adapterClient && _adapterClient !== _resilientClient) {
-    _adapterClient.close();
-  }
-  _adapterClient = null;
-  if (_client) {
-    _client.close();
-    _client = null;
-    _resilientClient = null;
-  }
-}
-var _client, _resilientClient, _walCheckpointTimer, _daemonClient, _adapterClient, initTurso, SOFT_DELETE_RETENTION_DAYS, disposeTurso;
-var init_database = __esm({
-  "src/lib/database.ts"() {
-    "use strict";
-    init_db_retry();
-    init_employees();
-    init_database_adapter();
-    init_memory();
-    _client = null;
-    _resilientClient = null;
-    _walCheckpointTimer = null;
-    _daemonClient = null;
-    _adapterClient = null;
-    initTurso = initDatabase;
-    SOFT_DELETE_RETENTION_DAYS = 7;
-    disposeTurso = disposeDatabase;
-  }
-});
-
-// src/lib/shard-manager.ts
-var shard_manager_exports = {};
-__export(shard_manager_exports, {
-  auditShardHealth: () => auditShardHealth,
-  disposeShards: () => disposeShards,
-  ensureShardSchema: () => ensureShardSchema,
-  getOpenShardCount: () => getOpenShardCount,
-  getReadyShardClient: () => getReadyShardClient,
-  getShardClient: () => getShardClient,
-  getShardsDir: () => getShardsDir,
-  initShardManager: () => initShardManager,
-  isShardingEnabled: () => isShardingEnabled,
-  listShards: () => listShards,
-  shardExists: () => shardExists
-});
-import path7 from "path";
-import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync2 } from "fs";
-import { createClient as createClient2 } from "@libsql/client";
-function initShardManager(encryptionKey) {
-  _encryptionKey = encryptionKey;
-  if (!existsSync7(SHARDS_DIR)) {
-    mkdirSync2(SHARDS_DIR, { recursive: true });
-  }
-  _shardingEnabled = true;
-  if (_evictionTimer) clearInterval(_evictionTimer);
-  _evictionTimer = setInterval(evictIdleShards, EVICTION_INTERVAL_MS);
-  _evictionTimer.unref();
-}
-function isShardingEnabled() {
-  return _shardingEnabled;
-}
-function getShardsDir() {
-  return SHARDS_DIR;
-}
-function getShardClient(projectName) {
-  if (!_encryptionKey) {
-    throw new Error("Shard manager not initialized. Call initShardManager() first.");
-  }
-  const safeName = safeShardName(projectName);
-  if (!safeName || safeName === "unknown") {
-    throw new Error(`Invalid project name for shard: "${projectName}" (resolved to "${safeName}")`);
-  }
-  const cached = _shards.get(safeName);
-  if (cached) {
-    _shardLastAccess.set(safeName, Date.now());
-    return cached;
-  }
-  while (_shards.size >= MAX_OPEN_SHARDS) {
-    evictLRU();
-  }
-  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
-  const client = createClient2({
-    url: `file:${dbPath}`,
-    encryptionKey: _encryptionKey
-  });
-  _shards.set(safeName, client);
-  _shardLastAccess.set(safeName, Date.now());
-  return client;
-}
-function shardExists(projectName) {
-  const safeName = safeShardName(projectName);
-  return existsSync7(path7.join(SHARDS_DIR, `${safeName}.db`));
-}
-function safeShardName(projectName) {
-  return projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
-}
-function listShards() {
-  if (!existsSync7(SHARDS_DIR)) return [];
-  return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
-}
-async function auditShardHealth(options = {}) {
-  if (!_encryptionKey) {
-    throw new Error("Shard manager not initialized. Call initShardManager() first.");
-  }
-  const repair = options.repair === true;
-  const dryRun = options.dryRun === true;
-  const names = listShards();
-  const shards = [];
-  for (const name of names) {
-    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
-    const stat = statSync2(dbPath);
-    const item = {
-      name,
-      path: dbPath,
-      ok: false,
-      unreadable: false,
-      error: null,
-      size: stat.size,
-      mtime: stat.mtime.toISOString(),
-      memoryCount: null
-    };
-    const client = createClient2({
-      url: `file:${dbPath}`,
-      encryptionKey: _encryptionKey
-    });
-    try {
-      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
-      const hasMemories = await client.execute(
-        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
-      );
-      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
-        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
-        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
-      }
-      item.ok = true;
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      item.error = message;
-      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
-      if (item.unreadable && repair && !dryRun) {
-        client.close();
-        _shards.delete(name);
-        _shardLastAccess.delete(name);
-        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
-        renameSync3(dbPath, archivedPath);
-        item.archivedPath = archivedPath;
-      }
-    } finally {
-      try {
-        client.close();
-      } catch {
-      }
-    }
-    shards.push(item);
-  }
-  return {
-    total: shards.length,
-    ok: shards.filter((s) => s.ok).length,
-    unreadable: shards.filter((s) => s.unreadable).length,
-    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
-    shards
-  };
-}
-async function ensureShardSchema(client) {
-  await client.execute("PRAGMA journal_mode = WAL");
-  await client.execute("PRAGMA busy_timeout = 30000");
-  try {
-    await client.execute("PRAGMA libsql_vector_search_ef = 128");
-  } catch {
-  }
-  await client.executeMultiple(`
-    CREATE TABLE IF NOT EXISTS memories (
-      id            TEXT PRIMARY KEY,
-      agent_id      TEXT NOT NULL,
-      agent_role    TEXT NOT NULL,
-      session_id    TEXT NOT NULL,
-      timestamp     TEXT NOT NULL,
-      tool_name     TEXT NOT NULL,
-      project_name  TEXT NOT NULL,
-      has_error     INTEGER NOT NULL DEFAULT 0,
-      raw_text      TEXT NOT NULL,
-      vector        F32_BLOB(1024),
-      version       INTEGER NOT NULL DEFAULT 0
+  try {
+    await client.execute(
+      `CREATE INDEX IF NOT EXISTS idx_memories_draft ON memories(draft) WHERE draft = 1`
     );
-
-    CREATE INDEX IF NOT EXISTS idx_memories_agent ON memories(agent_id);
-    CREATE INDEX IF NOT EXISTS idx_memories_timestamp ON memories(timestamp);
-    CREATE INDEX IF NOT EXISTS idx_memories_agent_project ON memories(agent_id, project_name);
-  `);
-  await client.executeMultiple(`
-    CREATE VIRTUAL TABLE IF NOT EXISTS memories_fts USING fts5(
-      raw_text,
-      content='memories',
-      content_rowid='rowid'
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute(
+      `CREATE INDEX IF NOT EXISTS idx_memories_type ON memories(memory_type)`
     );
-
-    CREATE TRIGGER IF NOT EXISTS memories_fts_ai AFTER INSERT ON memories BEGIN
-      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
-    END;
-
-    CREATE TRIGGER IF NOT EXISTS memories_fts_ad AFTER DELETE ON memories BEGIN
-      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
-    END;
-
-    CREATE TRIGGER IF NOT EXISTS memories_fts_au AFTER UPDATE ON memories BEGIN
-      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
-      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
-    END;
-  `);
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN trajectory TEXT`,
+      args: []
+    });
+  } catch {
+  }
   for (const col of [
-    "ALTER TABLE memories ADD COLUMN task_id TEXT",
-    "ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN author_device_id TEXT",
-    "ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'",
-    "ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5",
-    "ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'",
-    "ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN graph_extracted INTEGER DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN content_hash TEXT",
-    "ALTER TABLE memories ADD COLUMN graph_extracted_hash TEXT",
-    "ALTER TABLE memories ADD COLUMN confidence REAL DEFAULT 0.7",
-    "ALTER TABLE memories ADD COLUMN last_accessed TEXT",
-    // Wiki linkage columns (must match database.ts)
-    "ALTER TABLE memories ADD COLUMN workspace_id TEXT",
-    "ALTER TABLE memories ADD COLUMN document_id TEXT",
-    "ALTER TABLE memories ADD COLUMN user_id TEXT",
-    "ALTER TABLE memories ADD COLUMN char_offset INTEGER",
-    "ALTER TABLE memories ADD COLUMN page_number INTEGER",
-    // Source provenance columns (must match database.ts)
-    "ALTER TABLE memories ADD COLUMN source_path TEXT",
-    "ALTER TABLE memories ADD COLUMN source_type TEXT DEFAULT 'text'",
-    "ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3",
-    "ALTER TABLE memories ADD COLUMN supersedes_id TEXT",
-    // MS-11: draft staging, MS-6a: memory_type, MS-7: trajectory
-    "ALTER TABLE memories ADD COLUMN draft INTEGER DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'",
-    "ALTER TABLE memories ADD COLUMN trajectory TEXT",
-    // Metadata enrichment columns (must match database.ts)
     "ALTER TABLE memories ADD COLUMN intent TEXT",
     "ALTER TABLE memories ADD COLUMN outcome TEXT",
     "ALTER TABLE memories ADD COLUMN domain TEXT",
@@ -2921,195 +3385,528 @@ async function ensureShardSchema(client) {
     "ALTER TABLE memories ADD COLUMN token_cost REAL",
     "ALTER TABLE memories ADD COLUMN audience TEXT",
     "ALTER TABLE memories ADD COLUMN language_type TEXT",
-    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT",
-    "ALTER TABLE memories ADD COLUMN deleted_at TEXT"
+    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT"
   ]) {
     try {
       await client.execute(col);
     } catch {
     }
   }
-  for (const idx of [
-    "CREATE INDEX IF NOT EXISTS idx_memories_tier ON memories(tier)",
-    "CREATE INDEX IF NOT EXISTS idx_memories_supersedes ON memories(supersedes_id) WHERE supersedes_id IS NOT NULL",
-    "CREATE INDEX IF NOT EXISTS idx_memories_scoped_content_hash ON memories(content_hash, agent_id, project_name, memory_type) WHERE content_hash IS NOT NULL"
-  ]) {
-    try {
-      await client.execute(idx);
-    } catch {
-    }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
+}
+async function disposeDatabase() {
+  if (_walCheckpointTimer) {
+    clearInterval(_walCheckpointTimer);
+    _walCheckpointTimer = null;
+  }
+  if (_daemonClient) {
+    _daemonClient.close();
+    _daemonClient = null;
+  }
+  if (_adapterClient && _adapterClient !== _resilientClient) {
+    _adapterClient.close();
+  }
+  _adapterClient = null;
+  if (_client) {
+    _client.close();
+    _client = null;
+    _resilientClient = null;
+  }
+}
+var _client, _resilientClient, _walCheckpointTimer, _daemonClient, _adapterClient, initTurso, SOFT_DELETE_RETENTION_DAYS, disposeTurso;
+var init_database = __esm({
+  "src/lib/database.ts"() {
+    "use strict";
+    init_db_retry();
+    init_employees();
+    init_database_adapter();
+    init_memory();
+    _client = null;
+    _resilientClient = null;
+    _walCheckpointTimer = null;
+    _daemonClient = null;
+    _adapterClient = null;
+    initTurso = initDatabase;
+    SOFT_DELETE_RETENTION_DAYS = 7;
+    disposeTurso = disposeDatabase;
+  }
+});
+
+// src/lib/keychain.ts
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { existsSync as existsSync8 } from "fs";
+import { execSync as execSync2 } from "child_process";
+import path8 from "path";
+import os5 from "os";
+function getKeyDir() {
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path8.join(os5.homedir(), ".exe-os");
+}
+function getKeyPath() {
+  return path8.join(getKeyDir(), "master.key");
+}
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync2(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync2(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync2(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync2(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync2(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function tryKeytar() {
+  try {
+    return await import("keytar");
+  } catch {
+    return null;
+  }
+}
+function deriveMachineKey() {
+  try {
+    const crypto2 = __require("crypto");
+    const material = [
+      os5.hostname(),
+      os5.userInfo().username,
+      os5.arch(),
+      os5.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto2.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync6 } = __require("fs");
+    return readFileSync6("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto2 = __require("crypto");
+  const iv = crypto2.randomBytes(12);
+  const cipher = crypto2.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto2 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto2.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
   }
-  try {
-    await client.execute("CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status)");
-  } catch {
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
+async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
   }
-  for (const idx of [
-    "CREATE INDEX IF NOT EXISTS idx_memories_workspace ON memories(workspace_id)",
-    "CREATE INDEX IF NOT EXISTS idx_memories_document ON memories(document_id)",
-    "CREATE INDEX IF NOT EXISTS idx_memories_user ON memories(user_id)"
-  ]) {
+  const keytar = await tryKeytar();
+  if (keytar) {
     try {
-      await client.execute(idx);
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+        }
+        return Buffer.from(keytarValue, "base64");
+      }
     } catch {
     }
   }
-  await client.executeMultiple(`
-    CREATE TABLE IF NOT EXISTS entities (
-      id TEXT PRIMARY KEY,
-      name TEXT NOT NULL,
-      type TEXT NOT NULL,
-      first_seen TEXT NOT NULL,
-      last_seen TEXT NOT NULL,
-      properties TEXT DEFAULT '{}',
-      UNIQUE(name, type)
-    );
-
-    CREATE TABLE IF NOT EXISTS relationships (
-      id TEXT PRIMARY KEY,
-      source_entity_id TEXT NOT NULL,
-      target_entity_id TEXT NOT NULL,
-      type TEXT NOT NULL,
-      weight REAL DEFAULT 1.0,
-      timestamp TEXT NOT NULL,
-      properties TEXT DEFAULT '{}',
-      UNIQUE(source_entity_id, target_entity_id, type)
-    );
-
-    CREATE TABLE IF NOT EXISTS entity_memories (
-      entity_id TEXT NOT NULL,
-      memory_id TEXT NOT NULL,
-      PRIMARY KEY (entity_id, memory_id)
-    );
-
-    CREATE TABLE IF NOT EXISTS relationship_memories (
-      relationship_id TEXT NOT NULL,
-      memory_id TEXT NOT NULL,
-      PRIMARY KEY (relationship_id, memory_id)
-    );
-
-    CREATE INDEX IF NOT EXISTS idx_entities_name ON entities(name);
-    CREATE INDEX IF NOT EXISTS idx_entities_type ON entities(type);
-    CREATE INDEX IF NOT EXISTS idx_relationships_source ON relationships(source_entity_id);
-    CREATE INDEX IF NOT EXISTS idx_relationships_target ON relationships(target_entity_id);
-    CREATE INDEX IF NOT EXISTS idx_relationships_type ON relationships(type);
-
-    CREATE TABLE IF NOT EXISTS hyperedges (
-      id TEXT PRIMARY KEY,
-      label TEXT NOT NULL,
-      relation TEXT NOT NULL,
-      confidence REAL DEFAULT 1.0,
-      timestamp TEXT NOT NULL
-    );
-
-    CREATE TABLE IF NOT EXISTS hyperedge_nodes (
-      hyperedge_id TEXT NOT NULL,
-      entity_id TEXT NOT NULL,
-      PRIMARY KEY (hyperedge_id, entity_id)
+  const keyPath = getKeyPath();
+  if (!existsSync8(keyPath)) {
+    process.stderr.write(
+      `[keychain] Key not found at ${keyPath} (HOME=${os5.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
+`
     );
-  `);
-  for (const col of [
-    "ALTER TABLE relationships ADD COLUMN confidence REAL DEFAULT 1.0",
-    "ALTER TABLE relationships ADD COLUMN confidence_label TEXT DEFAULT 'extracted'"
-  ]) {
-    try {
-      await client.execute(col);
-    } catch {
-    }
+    return null;
   }
-}
-async function getReadyShardClient(projectName) {
-  const safeName = safeShardName(projectName);
-  let client = getShardClient(projectName);
   try {
-    await ensureShardSchema(client);
-    return client;
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
+    }
+    return key;
   } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    if (!/SQLITE_NOTADB|file is not a database/i.test(message)) throw err;
-    client.close();
-    _shards.delete(safeName);
-    _shardLastAccess.delete(safeName);
-    const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
-    if (existsSync7(dbPath)) {
-      const stat = statSync2(dbPath);
-      const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
-      renameSync3(dbPath, archivedPath);
-      process.stderr.write(
-        `[shard-manager] Archived unreadable shard ${safeName}: ${archivedPath} (${stat.size} bytes, mtime ${stat.mtime.toISOString()})
+    process.stderr.write(
+      `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
 `
-      );
-    }
-    client = getShardClient(projectName);
-    await ensureShardSchema(client);
-    return client;
+    );
+    return null;
   }
 }
-function evictLRU() {
-  let oldest = null;
-  let oldestTime = Infinity;
-  for (const [name, time] of _shardLastAccess) {
-    if (time < oldestTime) {
-      oldestTime = time;
-      oldest = name;
-    }
+var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
+var init_keychain = __esm({
+  "src/lib/keychain.ts"() {
+    "use strict";
+    SERVICE = "exe-mem";
+    ACCOUNT = "master-key";
+    ENCRYPTED_PREFIX = "enc:";
   }
-  if (oldest) {
-    const client = _shards.get(oldest);
-    if (client) {
-      client.close();
-    }
-    _shards.delete(oldest);
-    _shardLastAccess.delete(oldest);
+});
+
+// src/lib/state-bus.ts
+var StateBus, orgBus;
+var init_state_bus = __esm({
+  "src/lib/state-bus.ts"() {
+    "use strict";
+    StateBus = class {
+      handlers = /* @__PURE__ */ new Map();
+      globalHandlers = /* @__PURE__ */ new Set();
+      /** Emit an event to all subscribers */
+      emit(event) {
+        const typeHandlers = this.handlers.get(event.type);
+        if (typeHandlers) {
+          for (const handler of typeHandlers) {
+            try {
+              handler(event);
+            } catch {
+            }
+          }
+        }
+        for (const handler of this.globalHandlers) {
+          try {
+            handler(event);
+          } catch {
+          }
+        }
+      }
+      /** Subscribe to a specific event type */
+      on(type, handler) {
+        if (!this.handlers.has(type)) {
+          this.handlers.set(type, /* @__PURE__ */ new Set());
+        }
+        this.handlers.get(type).add(handler);
+      }
+      /** Subscribe to ALL events */
+      onAny(handler) {
+        this.globalHandlers.add(handler);
+      }
+      /** Unsubscribe from a specific event type */
+      off(type, handler) {
+        this.handlers.get(type)?.delete(handler);
+      }
+      /** Unsubscribe from ALL events */
+      offAny(handler) {
+        this.globalHandlers.delete(handler);
+      }
+      /** Remove all listeners */
+      clear() {
+        this.handlers.clear();
+        this.globalHandlers.clear();
+      }
+    };
+    orgBus = new StateBus();
   }
+});
+
+// src/lib/memory-write-governor.ts
+import { createHash } from "crypto";
+function normalizeMemoryText(text) {
+  return text.replace(/\r\n/g, "\n").replace(/[ \t]+$/gm, "").replace(/\n{4,}/g, "\n\n\n").trim();
+}
+function classifyMemoryType(input) {
+  if (input.memory_type && input.memory_type.trim()) return input.memory_type.trim();
+  const tool = input.tool_name.toLowerCase();
+  const text = input.raw_text.toLowerCase();
+  if (tool.includes("store_decision") || tool.includes("decision")) return "decision";
+  if (tool.includes("commit") || text.includes("adr-") || text.includes("architectural decision")) return "adr";
+  if (tool.includes("store_behavior") || tool.includes("behavior")) return "behavior";
+  if (tool.includes("global_procedure") || text.includes("organization-wide procedures")) return "procedure";
+  if (tool.includes("checkpoint") || text.startsWith("context checkpoint")) return "checkpoint";
+  if (tool.includes("sessionsummary") || tool.includes("session-summary")) return "summary";
+  if (tool.includes("sessionend") || text.startsWith("session ended")) return "summary";
+  if (tool.includes("send_whatsapp") || tool.includes("conversation")) return "conversation";
+  if (tool === "store_memory" || tool === "manual") return "observation";
+  return "raw";
+}
+function shouldDropMemory(text) {
+  const normalized = normalizeMemoryText(text);
+  if (normalized.length < 10) return { drop: true, reason: "too_short" };
+  if (NOISE_DROP_PATTERNS.some((pattern) => pattern.test(normalized))) {
+    return { drop: true, reason: "known_boilerplate_noise" };
+  }
+  return { drop: false };
+}
+function shouldSkipEmbedding(input) {
+  const type = classifyMemoryType(input);
+  if (HIGH_VALUE_SUPERSESSION_TYPES.has(type)) return false;
+  if (type === "raw" && input.raw_text.length > 2e4) return true;
+  if (SKIP_EMBED_PATTERNS.some((pattern) => pattern.test(input.raw_text))) return true;
+  return false;
 }
-function evictIdleShards() {
-  const now = Date.now();
-  const toEvict = [];
-  for (const [name, lastAccess] of _shardLastAccess) {
-    if (now - lastAccess > SHARD_IDLE_MS) {
-      toEvict.push(name);
-    }
-  }
-  for (const name of toEvict) {
-    const client = _shards.get(name);
-    if (client) {
-      client.close();
-    }
-    _shards.delete(name);
-    _shardLastAccess.delete(name);
-  }
+function hashMemoryContent(text) {
+  return createHash("sha256").update(normalizeMemoryText(text)).digest("hex");
 }
-function getOpenShardCount() {
-  return _shards.size;
+function scopedDedupArgs(input) {
+  return [input.contentHash, input.agentId, input.projectName, input.memoryType];
 }
-function disposeShards() {
-  if (_evictionTimer) {
-    clearInterval(_evictionTimer);
-    _evictionTimer = null;
-  }
-  for (const [, client] of _shards) {
-    client.close();
+function governMemoryRecord(record) {
+  const normalized = normalizeMemoryText(record.raw_text);
+  const memoryType = classifyMemoryType({
+    raw_text: normalized,
+    agent_id: record.agent_id,
+    project_name: record.project_name,
+    tool_name: record.tool_name,
+    memory_type: record.memory_type
+  });
+  const drop = shouldDropMemory(normalized);
+  const skipEmbedding = shouldSkipEmbedding({
+    raw_text: normalized,
+    agent_id: record.agent_id,
+    project_name: record.project_name,
+    tool_name: record.tool_name,
+    memory_type: memoryType
+  });
+  return {
+    record: {
+      ...record,
+      raw_text: normalized,
+      memory_type: memoryType,
+      vector: skipEmbedding ? null : record.vector
+    },
+    contentHash: hashMemoryContent(normalized),
+    shouldDrop: drop.drop,
+    dropReason: drop.reason,
+    skipEmbedding,
+    hygiene: {
+      dedup: true,
+      supersession: HIGH_VALUE_SUPERSESSION_TYPES.has(memoryType)
+    }
+  };
+}
+async function findScopedDuplicate(input) {
+  const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+  const client = getClient2();
+  const args = scopedDedupArgs(input);
+  let sql = `SELECT id FROM memories
+             WHERE content_hash = ?
+               AND agent_id = ?
+               AND project_name = ?
+               AND COALESCE(memory_type, 'raw') = ?
+               AND COALESCE(status, 'active') != 'deleted'`;
+  if (input.excludeId) {
+    sql += " AND id != ?";
+    args.push(input.excludeId);
+  }
+  sql += " ORDER BY timestamp DESC LIMIT 1";
+  const result = await client.execute({ sql, args });
+  return result.rows[0]?.id ? String(result.rows[0].id) : null;
+}
+async function runPostWriteMemoryHygiene(memoryId) {
+  try {
+    const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+    const client = getClient2();
+    const current = await client.execute({
+      sql: `SELECT id, agent_id, project_name, memory_type, content_hash, supersedes_id,
+                   importance, timestamp
+            FROM memories
+            WHERE id = ?
+            LIMIT 1`,
+      args: [memoryId]
+    });
+    const row = current.rows[0];
+    if (!row) return;
+    const memoryType = String(row.memory_type ?? "raw");
+    const contentHash = row.content_hash ? String(row.content_hash) : null;
+    const agentId = String(row.agent_id);
+    const projectName = String(row.project_name);
+    if (contentHash) {
+      await client.execute({
+        sql: `UPDATE memories
+              SET status = 'deleted',
+                  outcome = COALESCE(outcome, 'superseded')
+              WHERE id != ?
+                AND content_hash = ?
+                AND agent_id = ?
+                AND project_name = ?
+                AND COALESCE(memory_type, 'raw') = ?
+                AND COALESCE(status, 'active') = 'active'`,
+        args: [memoryId, contentHash, agentId, projectName, memoryType]
+      });
+    }
+    const supersedesId = row.supersedes_id ? String(row.supersedes_id) : null;
+    if (supersedesId && HIGH_VALUE_SUPERSESSION_TYPES.has(memoryType)) {
+      const old = await client.execute({
+        sql: `SELECT importance FROM memories WHERE id = ? LIMIT 1`,
+        args: [supersedesId]
+      });
+      const oldImportance = Number(old.rows[0]?.importance ?? 0);
+      const newImportance = Number(row.importance ?? 0);
+      await client.batch([
+        {
+          sql: `UPDATE memories
+                SET status = 'archived',
+                    outcome = COALESCE(outcome, 'superseded')
+                WHERE id = ?`,
+          args: [supersedesId]
+        },
+        {
+          sql: `UPDATE memories
+                SET importance = MAX(COALESCE(importance, 5), ?),
+                    parent_memory_id = COALESCE(parent_memory_id, ?)
+                WHERE id = ?`,
+          args: [Math.max(oldImportance, newImportance), supersedesId, memoryId]
+        }
+      ], "write");
+    }
+  } catch (err) {
+    process.stderr.write(
+      `[memory-governor] post-write hygiene failed for ${memoryId}: ${err instanceof Error ? err.message : String(err)}
+`
+    );
   }
-  _shards.clear();
-  _shardLastAccess.clear();
-  _shardingEnabled = false;
-  _encryptionKey = null;
 }
-var SHARDS_DIR, SHARD_IDLE_MS, MAX_OPEN_SHARDS, EVICTION_INTERVAL_MS, _shards, _shardLastAccess, _evictionTimer, _encryptionKey, _shardingEnabled;
-var init_shard_manager = __esm({
-  "src/lib/shard-manager.ts"() {
+function schedulePostWriteMemoryHygiene(memoryIds) {
+  if (process.env.EXE_SKIP_MEMORY_HYGIENE === "1") return;
+  if (memoryIds.length === 0) return;
+  const run = () => {
+    void Promise.all(memoryIds.map((id) => runPostWriteMemoryHygiene(id)));
+  };
+  if (typeof setImmediate === "function") setImmediate(run);
+  else setTimeout(run, 0);
+}
+var HIGH_VALUE_SUPERSESSION_TYPES, NOISE_DROP_PATTERNS, SKIP_EMBED_PATTERNS;
+var init_memory_write_governor = __esm({
+  "src/lib/memory-write-governor.ts"() {
     "use strict";
-    init_config();
-    SHARDS_DIR = path7.join(EXE_AI_DIR, "shards");
-    SHARD_IDLE_MS = 5 * 60 * 1e3;
-    MAX_OPEN_SHARDS = 10;
-    EVICTION_INTERVAL_MS = 60 * 1e3;
-    _shards = /* @__PURE__ */ new Map();
-    _shardLastAccess = /* @__PURE__ */ new Map();
-    _evictionTimer = null;
-    _encryptionKey = null;
-    _shardingEnabled = false;
+    HIGH_VALUE_SUPERSESSION_TYPES = /* @__PURE__ */ new Set([
+      "decision",
+      "adr",
+      "behavior",
+      "procedure"
+    ]);
+    NOISE_DROP_PATTERNS = [
+      /^\s*\[📋\s+\d+\s+reviews?\s+pending\b/im,
+      /^\s*<system-reminder>[\s\S]*?<\/system-reminder>\s*$/im,
+      /^\s*The UserPromptSubmit hook checks the DB for new tasks/im,
+      /^\s*Intercom is a speedup, not delivery/im,
+      /^\s*Context bar reads as USAGE not remaining/im
+    ];
+    SKIP_EMBED_PATTERNS = [
+      /tmux capture-pane\b/i,
+      /docker ps\b/i,
+      /docker images\b/i,
+      /git status\b/i,
+      /grep .*node_modules/i,
+      /npm (install|ci)\b[\s\S]*(added \d+ packages|audited \d+ packages)/i
+    ];
   }
 });
 
@@ -3368,595 +4165,969 @@ ${p.content}`).join("\n\n");
   }
 });
 
-// src/lib/worker-gate.ts
-var worker_gate_exports = {};
-__export(worker_gate_exports, {
-  MAX_CONCURRENT_WORKERS: () => MAX_CONCURRENT_WORKERS,
-  cleanupWorkerPid: () => cleanupWorkerPid,
-  registerWorkerPid: () => registerWorkerPid,
-  releaseBackfillLock: () => releaseBackfillLock,
-  tryAcquireBackfillLock: () => tryAcquireBackfillLock,
-  tryAcquireWorkerSlot: () => tryAcquireWorkerSlot
+// src/lib/memory-cards.ts
+var memory_cards_exports = {};
+__export(memory_cards_exports, {
+  extractMemoryCards: () => extractMemoryCards,
+  insertMemoryCardsForBatch: () => insertMemoryCardsForBatch,
+  searchMemoryCards: () => searchMemoryCards
 });
-import { readdirSync as readdirSync2, writeFileSync as writeFileSync3, unlinkSync as unlinkSync3, mkdirSync as mkdirSync3, existsSync as existsSync8 } from "fs";
-import path8 from "path";
-function tryAcquireWorkerSlot() {
-  try {
-    mkdirSync3(WORKER_PID_DIR, { recursive: true });
-    const reservationId = `res-${process.pid}-${Date.now()}`;
-    const reservationPath = path8.join(WORKER_PID_DIR, `${reservationId}.pid`);
-    writeFileSync3(reservationPath, String(process.pid));
-    const files = readdirSync2(WORKER_PID_DIR);
-    let alive = 0;
-    for (const f of files) {
-      if (!f.endsWith(".pid")) continue;
-      if (f.startsWith("res-")) {
-        alive++;
-        continue;
-      }
-      const dashIdx = f.lastIndexOf("-");
-      const pid = parseInt(f.slice(dashIdx + 1).replace(".pid", ""), 10);
-      if (isNaN(pid)) continue;
-      try {
-        process.kill(pid, 0);
-        alive++;
-      } catch {
-        try {
-          unlinkSync3(path8.join(WORKER_PID_DIR, f));
-        } catch {
-        }
-      }
-    }
-    if (alive > MAX_CONCURRENT_WORKERS) {
-      try {
-        unlinkSync3(reservationPath);
-      } catch {
-      }
-      return false;
-    }
-    try {
-      unlinkSync3(reservationPath);
-    } catch {
-    }
-    return true;
-  } catch {
-    return true;
-  }
-}
-function registerWorkerPid(pid) {
-  try {
-    mkdirSync3(WORKER_PID_DIR, { recursive: true });
-    writeFileSync3(path8.join(WORKER_PID_DIR, `worker-${pid}.pid`), String(pid));
-  } catch {
-  }
-}
-function cleanupWorkerPid() {
-  try {
-    unlinkSync3(path8.join(WORKER_PID_DIR, `worker-${process.pid}.pid`));
-  } catch {
-  }
-}
-function tryAcquireBackfillLock() {
-  try {
-    mkdirSync3(WORKER_PID_DIR, { recursive: true });
-    if (existsSync8(BACKFILL_LOCK)) {
-      try {
-        const pid = parseInt(
-          __require("fs").readFileSync(BACKFILL_LOCK, "utf8").trim(),
-          10
-        );
-        if (!isNaN(pid) && pid > 0) {
-          try {
-            process.kill(pid, 0);
-            return false;
-          } catch {
-          }
-        }
-      } catch {
-      }
-    }
-    writeFileSync3(BACKFILL_LOCK, String(process.pid));
-    return true;
-  } catch {
-    return true;
+import { createHash as createHash2 } from "crypto";
+function stableId(memoryId, type, content) {
+  return createHash2("sha256").update(`${memoryId}:${type}:${content}`).digest("hex").slice(0, 32);
+}
+function cleanText(text) {
+  return text.replace(/```[\s\S]*?```/g, " ").replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim();
+}
+function splitSentences(text) {
+  return cleanText(text).split(/(?<=[.!?])\s+|\n+/).map((s) => s.trim()).filter((s) => s.length >= 24 && s.length <= MAX_SENTENCE_CHARS);
+}
+function inferCardType(sentence, toolName) {
+  const lower = sentence.toLowerCase();
+  if (toolName === "store_decision" || /\b(decided|decision|adr|approved|rejected)\b/.test(lower)) return "decision";
+  if (/\b(prefers|preference|likes|dislikes|wants|doesn't want|does not want)\b/.test(lower)) return "preference";
+  if (/\b(changed|updated|replaced|now|no longer|instead|supersedes)\b/.test(lower)) return "belief_update";
+  if (toolName && ["Read", "Write", "Edit", "Bash"].includes(toolName)) return "code";
+  if (/\b(meeting|deadline|shipped|launched|completed|failed|blocked|assigned|created)\b/.test(lower)) return "event";
+  return "fact";
+}
+function extractSubject(sentence, agentId) {
+  const explicit = sentence.match(/\b([A-Z][a-zA-Z0-9_-]{2,}(?:\s+[A-Z][a-zA-Z0-9_-]{2,})?)\b/);
+  return explicit?.[1] ?? agentId;
+}
+function predicateFor(type) {
+  switch (type) {
+    case "preference":
+      return "prefers";
+    case "belief_update":
+      return "updated";
+    case "decision":
+      return "decided";
+    case "event":
+      return "happened";
+    case "code":
+      return "implemented";
+    default:
+      return "states";
+  }
+}
+function extractMemoryCards(row) {
+  const sentences = splitSentences(row.raw_text);
+  const cards = [];
+  for (const sentence of sentences) {
+    const type = inferCardType(sentence, row.tool_name);
+    const subject = extractSubject(sentence, row.agent_id);
+    const content = sentence.length > MAX_SENTENCE_CHARS ? `${sentence.slice(0, MAX_SENTENCE_CHARS - 1)}\u2026` : sentence;
+    cards.push({
+      id: stableId(row.id, type, content),
+      memory_id: row.id,
+      agent_id: row.agent_id,
+      session_id: row.session_id,
+      project_name: row.project_name ?? null,
+      timestamp: row.timestamp,
+      card_type: type,
+      subject,
+      predicate: predicateFor(type),
+      object: content,
+      content,
+      source_ref: row.id,
+      confidence: type === "fact" ? 0.55 : 0.65
+    });
+    if (cards.length >= MAX_CARDS_PER_MEMORY) break;
   }
+  return cards;
 }
-function releaseBackfillLock() {
-  try {
-    unlinkSync3(BACKFILL_LOCK);
-  } catch {
-  }
+async function insertMemoryCardsForBatch(rows) {
+  const cards = rows.flatMap(extractMemoryCards);
+  if (cards.length === 0) return 0;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const client = getClient();
+  const stmts = cards.map((card) => ({
+    sql: `INSERT OR IGNORE INTO memory_cards
+          (id, memory_id, agent_id, session_id, project_name, timestamp, card_type,
+           subject, predicate, object, content, source_ref, confidence, active, created_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 1, ?)`,
+    args: [
+      card.id,
+      card.memory_id,
+      card.agent_id,
+      card.session_id,
+      card.project_name,
+      card.timestamp,
+      card.card_type,
+      card.subject,
+      card.predicate,
+      card.object,
+      card.content,
+      card.source_ref,
+      card.confidence,
+      now
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return cards.length;
+}
+function buildMatchExpr(queryText) {
+  const terms = queryText.toLowerCase().split(/\s+/).filter((t) => t.length >= 3).map((t) => t.replace(/[^a-z0-9_]/g, "")).filter((t) => t.length >= 3).slice(0, 12);
+  if (terms.length === 0) return null;
+  return terms.map((t) => `${t}*`).join(terms.length >= 3 ? " AND " : " OR ");
+}
+async function searchMemoryCards(queryText, agentId, options) {
+  const limit = options?.limit ?? 10;
+  const matchExpr = buildMatchExpr(queryText);
+  if (!matchExpr) return [];
+  let sql = `SELECT c.id, c.memory_id, c.agent_id, c.session_id, c.project_name,
+                    c.timestamp, c.card_type, c.content, c.source_ref, c.confidence
+             FROM memory_cards c
+             JOIN memory_cards_fts fts ON c.rowid = fts.rowid
+             WHERE memory_cards_fts MATCH ?
+               AND c.agent_id = ?
+               AND COALESCE(c.active, 1) = 1`;
+  const args = [matchExpr, agentId];
+  if (options?.projectName) {
+    sql += ` AND c.project_name = ?`;
+    args.push(options.projectName);
+  }
+  if (options?.since) {
+    sql += ` AND c.timestamp >= ?`;
+    args.push(options.since);
+  }
+  sql += ` ORDER BY rank LIMIT ?`;
+  args.push(limit);
+  const result = await getClient().execute({ sql, args });
+  return result.rows.map((row) => ({
+    id: `card:${String(row.id)}`,
+    agent_id: String(row.agent_id),
+    agent_role: "memory_card",
+    session_id: String(row.session_id),
+    timestamp: String(row.timestamp),
+    tool_name: `memory_card:${String(row.card_type)}`,
+    project_name: row.project_name == null ? "" : String(row.project_name),
+    has_error: false,
+    raw_text: `[${String(row.card_type)}] ${String(row.content)}
+Source memory: ${String(row.source_ref ?? row.memory_id)}`,
+    vector: [],
+    importance: 6,
+    status: "active",
+    confidence: Number(row.confidence ?? 0.6),
+    last_accessed: String(row.timestamp)
+  }));
 }
-var WORKER_PID_DIR, MAX_CONCURRENT_WORKERS, BACKFILL_LOCK;
-var init_worker_gate = __esm({
-  "src/lib/worker-gate.ts"() {
+var MAX_CARDS_PER_MEMORY, MAX_SENTENCE_CHARS;
+var init_memory_cards = __esm({
+  "src/lib/memory-cards.ts"() {
     "use strict";
-    init_config();
-    WORKER_PID_DIR = path8.join(EXE_AI_DIR, "worker-pids");
-    MAX_CONCURRENT_WORKERS = 3;
-    BACKFILL_LOCK = path8.join(WORKER_PID_DIR, "backfill.lock");
+    init_database();
+    MAX_CARDS_PER_MEMORY = 6;
+    MAX_SENTENCE_CHARS = 360;
   }
 });
 
-// src/lib/db-backup.ts
-var db_backup_exports = {};
-__export(db_backup_exports, {
-  createBackup: () => createBackup,
-  findActiveDb: () => findActiveDb,
-  getBackupDir: () => getBackupDir,
-  getLatestBackup: () => getLatestBackup,
-  hasBackupToday: () => hasBackupToday,
-  listBackups: () => listBackups,
-  rotateBackups: () => rotateBackups
+// src/lib/store.ts
+var store_exports = {};
+__export(store_exports, {
+  attachDocumentMetadata: () => attachDocumentMetadata,
+  buildRawVisibilityFilter: () => buildRawVisibilityFilter,
+  buildWikiScopeFilter: () => buildWikiScopeFilter,
+  classifyTier: () => classifyTier,
+  disposeStore: () => disposeStore,
+  flushBatch: () => flushBatch,
+  flushTier3: () => flushTier3,
+  getMemoryCardinality: () => getMemoryCardinality,
+  initStore: () => initStore,
+  reserveVersions: () => reserveVersions,
+  searchMemories: () => searchMemories,
+  updateMemoryStatus: () => updateMemoryStatus,
+  vectorToBlob: () => vectorToBlob,
+  writeMemory: () => writeMemory
 });
-import { copyFileSync, existsSync as existsSync9, mkdirSync as mkdirSync4, readdirSync as readdirSync3, unlinkSync as unlinkSync4, statSync as statSync3 } from "fs";
-import path9 from "path";
-function findActiveDb() {
-  for (const name of DB_NAMES) {
-    const p = path9.join(EXE_AI_DIR, name);
-    if (existsSync9(p)) return p;
+function isBusyError2(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
   }
-  return null;
+  return false;
 }
-function createBackup(reason = "manual") {
-  const dbPath = findActiveDb();
-  if (!dbPath) return null;
-  mkdirSync4(BACKUP_DIR, { recursive: true });
-  const dbName = path9.basename(dbPath, ".db");
-  const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
-  const backupName = `${dbName}-${reason}-${timestamp}.db`;
-  const backupPath = path9.join(BACKUP_DIR, backupName);
-  copyFileSync(dbPath, backupPath);
-  const walPath = dbPath + "-wal";
-  if (existsSync9(walPath)) {
-    try {
-      copyFileSync(walPath, backupPath + "-wal");
-    } catch {
-    }
-  }
-  const shmPath = dbPath + "-shm";
-  if (existsSync9(shmPath)) {
+async function retryOnBusy2(fn, label) {
+  for (let attempt = 0; attempt <= INIT_MAX_RETRIES; attempt++) {
     try {
-      copyFileSync(shmPath, backupPath + "-shm");
-    } catch {
-    }
-  }
-  return backupPath;
-}
-function rotateBackups(keepDays = DEFAULT_KEEP_DAYS) {
-  if (!existsSync9(BACKUP_DIR)) return 0;
-  const cutoff = Date.now() - keepDays * 24 * 60 * 60 * 1e3;
-  let deleted = 0;
-  try {
-    const files = readdirSync3(BACKUP_DIR);
-    for (const file of files) {
-      if (!file.endsWith(".db") && !file.endsWith(".db-wal") && !file.endsWith(".db-shm")) continue;
-      const filePath = path9.join(BACKUP_DIR, file);
-      try {
-        const stat = statSync3(filePath);
-        if (stat.mtimeMs < cutoff) {
-          unlinkSync4(filePath);
-          deleted++;
-        }
-      } catch {
-      }
+      return await fn();
+    } catch (err) {
+      if (!isBusyError2(err) || attempt === INIT_MAX_RETRIES) throw err;
+      process.stderr.write(
+        `[store] SQLITE_BUSY during ${label}, retry ${attempt + 1}/${INIT_MAX_RETRIES}
+`
+      );
+      await new Promise((r) => setTimeout(r, INIT_RETRY_DELAY_MS * (attempt + 1)));
     }
-  } catch {
-  }
-  return deleted;
-}
-function listBackups() {
-  if (!existsSync9(BACKUP_DIR)) return [];
-  try {
-    const files = readdirSync3(BACKUP_DIR).filter((f) => f.endsWith(".db") && !f.endsWith("-wal") && !f.endsWith("-shm"));
-    return files.map((name) => {
-      const p = path9.join(BACKUP_DIR, name);
-      const stat = statSync3(p);
-      return { path: p, name, size: stat.size, date: stat.mtime };
-    }).sort((a, b) => b.date.getTime() - a.date.getTime());
-  } catch {
-    return [];
   }
+  throw new Error("unreachable");
 }
-function hasBackupToday(reason) {
-  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
-  const backups = listBackups();
-  return backups.some((b) => b.name.includes(reason) && b.name.includes(today.replace(/-/g, "-")));
-}
-function getLatestBackup() {
-  const backups = listBackups();
-  return backups.length > 0 ? backups[0].path : null;
-}
-function getBackupDir() {
-  return BACKUP_DIR;
-}
-var BACKUP_DIR, DEFAULT_KEEP_DAYS, DB_NAMES;
-var init_db_backup = __esm({
-  "src/lib/db-backup.ts"() {
-    "use strict";
-    init_config();
-    BACKUP_DIR = path9.join(EXE_AI_DIR, "backups");
-    DEFAULT_KEEP_DAYS = 3;
-    DB_NAMES = ["memories.db", "exe-mem.db", "exe-os.db", "exe.db"];
+async function initStore(options) {
+  if (_flushTimer !== null) {
+    clearInterval(_flushTimer);
+    _flushTimer = null;
   }
-});
-
-// src/bin/exe-doctor.ts
-import os6 from "os";
-
-// src/lib/store.ts
-init_memory();
-init_database();
-
-// src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync6 } from "fs";
-import { execSync as execSync2 } from "child_process";
-import path6 from "path";
-import os5 from "os";
-var SERVICE = "exe-mem";
-var ACCOUNT = "master-key";
-function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path6.join(os5.homedir(), ".exe-os");
-}
-function getKeyPath() {
-  return path6.join(getKeyDir(), "master.key");
-}
-function macKeychainGet() {
-  if (process.platform !== "darwin") return null;
+  _pendingRecords = [];
+  _flushing = false;
+  _batchSize = options?.batchSize ?? 20;
+  _flushIntervalMs = options?.flushIntervalMs ?? 1e4;
+  let dbPath = options?.dbPath;
+  if (!dbPath) {
+    const config = await loadConfig();
+    dbPath = config.dbPath;
+  }
+  let masterKey = options?.masterKey ?? null;
+  if (!masterKey) {
+    masterKey = await getMasterKey();
+    if (!masterKey) {
+      throw new Error(
+        "No encryption key found. Run /exe-setup to generate one."
+      );
+    }
+  }
+  const hexKey = masterKey.toString("hex");
+  await initTurso({
+    dbPath,
+    encryptionKey: hexKey
+  });
+  await retryOnBusy2(() => ensureSchema(), "ensureSchema");
   try {
-    return execSync2(
-      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
-      { encoding: "utf-8", timeout: 5e3 }
-    ).trim();
+    const { initDaemonClient: initDaemonClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+    await initDaemonClient2();
   } catch {
-    return null;
   }
-}
-function macKeychainSet(value) {
-  if (process.platform !== "darwin") return false;
-  try {
+  if (!options?.lightweight) {
     try {
-      execSync2(
-        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
-        { timeout: 5e3 }
-      );
+      const { initShardManager: initShardManager2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
+      initShardManager2(hexKey);
     } catch {
     }
-    execSync2(
-      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
-      { timeout: 5e3 }
+    const client = getClient();
+    const vResult = await retryOnBusy2(
+      () => client.execute("SELECT MAX(version) as max_v FROM memories"),
+      "version-query"
     );
-    return true;
-  } catch {
-    return false;
+    _nextVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
+    try {
+      const { loadGlobalProcedures: loadGlobalProcedures2 } = await Promise.resolve().then(() => (init_global_procedures(), global_procedures_exports));
+      await loadGlobalProcedures2();
+    } catch {
+    }
   }
 }
-function linuxSecretGet() {
-  if (process.platform !== "linux") return null;
-  try {
-    return execSync2(
-      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
-      { encoding: "utf-8", timeout: 5e3 }
-    ).trim();
-  } catch {
-    return null;
-  }
+function classifyTier(record) {
+  if (record.tool_name === "commit_to_long_term_memory" && (record.importance ?? 0) >= 8) return 1;
+  if (["store_memory", "manual"].includes(record.tool_name ?? "") && (record.importance ?? 0) >= 5) return 2;
+  return 3;
+}
+function inferFilePaths(record) {
+  if (!["Read", "Write", "Edit"].includes(record.tool_name)) return null;
+  const firstLine = record.raw_text.split("\n")[0] ?? "";
+  const match = firstLine.match(/(\/[\w./-]+\.\w+)/);
+  return match ? JSON.stringify([match[1]]) : null;
+}
+function inferCommitHash(record) {
+  if (record.tool_name !== "Bash") return null;
+  const match = record.raw_text.match(/\b([a-f0-9]{7,40})\b/);
+  return match ? match[1] : null;
+}
+function inferLanguageType(record) {
+  const text = record.raw_text;
+  if (!text || text.length < 10) return null;
+  const trimmed = text.trimStart();
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) return "json";
+  if (/\b(SELECT|INSERT|UPDATE|DELETE|CREATE TABLE|ALTER TABLE)\b/i.test(text)) return "sql";
+  if (/\b(function |const |import |export |class |def |async |=>)\b/.test(text)) return "code";
+  if (trimmed.startsWith("#") || trimmed.startsWith("*")) return "prose";
+  return "mixed";
+}
+function inferDomain(record) {
+  const proj = (record.project_name ?? "").toLowerCase();
+  if (proj.includes("marketing") || proj.includes("content")) return "marketing";
+  if (proj.includes("crm") || proj.includes("customer")) return "customer";
+  return null;
 }
-function linuxSecretSet(value) {
-  if (process.platform !== "linux") return false;
-  try {
-    execSync2(
-      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
-      { timeout: 5e3 }
+async function writeMemory(record) {
+  if (record.vector !== null && record.vector.length !== EMBEDDING_DIM) {
+    throw new Error(
+      `Expected ${EMBEDDING_DIM}-dim vector, got ${record.vector.length}`
     );
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function tryKeytar() {
-  try {
-    return await import("keytar");
-  } catch {
-    return null;
   }
-}
-var ENCRYPTED_PREFIX = "enc:";
-function deriveMachineKey() {
-  try {
-    const crypto2 = __require("crypto");
-    const material = [
-      os5.hostname(),
-      os5.userInfo().username,
-      os5.arch(),
-      os5.platform(),
-      // Machine ID on Linux (stable across reboots)
-      process.platform === "linux" ? readMachineId() : ""
-    ].join("|");
-    return crypto2.createHash("sha256").update(material).digest();
-  } catch {
-    return null;
+  const governed = governMemoryRecord(record);
+  if (governed.shouldDrop) return;
+  record = governed.record;
+  const contentHash = governed.contentHash;
+  const memoryType = record.memory_type ?? "raw";
+  if (_pendingRecords.some(
+    (r) => r.content_hash === contentHash && r.agent_id === record.agent_id && r.project_name === record.project_name && (r.memory_type ?? "raw") === memoryType
+  )) {
+    return;
   }
-}
-function readMachineId() {
   try {
-    const { readFileSync: readFileSync6 } = __require("fs");
-    return readFileSync6("/etc/machine-id", "utf-8").trim();
+    const existing = await findScopedDuplicate({
+      contentHash,
+      agentId: record.agent_id,
+      projectName: record.project_name,
+      memoryType
+    });
+    if (existing) return;
   } catch {
-    return "";
   }
-}
-function encryptWithMachineKey(plaintext, machineKey) {
-  const crypto2 = __require("crypto");
-  const iv = crypto2.randomBytes(12);
-  const cipher = crypto2.createCipheriv("aes-256-gcm", machineKey, iv);
-  let encrypted = cipher.update(plaintext, "utf-8", "base64");
-  encrypted += cipher.final("base64");
-  const authTag = cipher.getAuthTag().toString("base64");
-  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
-}
-function decryptWithMachineKey(encrypted, machineKey) {
-  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
-  try {
-    const crypto2 = __require("crypto");
-    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
-    if (parts.length !== 3) return null;
-    const [ivB64, tagB64, cipherB64] = parts;
-    const iv = Buffer.from(ivB64, "base64");
-    const authTag = Buffer.from(tagB64, "base64");
-    const decipher = crypto2.createDecipheriv("aes-256-gcm", machineKey, iv);
-    decipher.setAuthTag(authTag);
-    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
-    decrypted += decipher.final("utf-8");
-    return decrypted;
-  } catch {
-    return null;
+  const dbRow = {
+    id: record.id,
+    agent_id: record.agent_id,
+    agent_role: record.agent_role,
+    session_id: record.session_id,
+    timestamp: record.timestamp,
+    tool_name: record.tool_name,
+    project_name: record.project_name,
+    has_error: record.has_error ? 1 : 0,
+    raw_text: record.raw_text,
+    vector: record.vector,
+    version: 0,
+    // Placeholder — assigned atomically at flush time
+    task_id: record.task_id ?? null,
+    importance: record.importance ?? 5,
+    status: record.status ?? "active",
+    confidence: record.confidence ?? 0.7,
+    last_accessed: record.last_accessed ?? record.timestamp,
+    workspace_id: record.workspace_id ?? null,
+    document_id: record.document_id ?? null,
+    user_id: record.user_id ?? null,
+    char_offset: record.char_offset ?? null,
+    page_number: record.page_number ?? null,
+    source_path: record.source_path ?? null,
+    source_type: record.source_type ?? null,
+    tier: record.tier ?? classifyTier(record),
+    supersedes_id: record.supersedes_id ?? null,
+    draft: record.draft ? 1 : 0,
+    memory_type: memoryType,
+    trajectory: record.trajectory ? JSON.stringify(record.trajectory) : null,
+    content_hash: contentHash,
+    intent: record.intent ?? null,
+    outcome: record.outcome ?? null,
+    domain: record.domain ?? inferDomain(record),
+    referenced_entities: record.referenced_entities ?? null,
+    retrieval_count: record.retrieval_count ?? 0,
+    chain_position: record.chain_position ?? null,
+    review_status: record.review_status ?? null,
+    context_window_pct: record.context_window_pct ?? null,
+    file_paths: record.file_paths ?? inferFilePaths(record),
+    commit_hash: record.commit_hash ?? inferCommitHash(record),
+    duration_ms: record.duration_ms ?? null,
+    token_cost: record.token_cost ?? null,
+    audience: record.audience ?? null,
+    language_type: record.language_type ?? inferLanguageType(record),
+    parent_memory_id: record.parent_memory_id ?? null
+  };
+  _pendingRecords.push(dbRow);
+  orgBus.emit({
+    type: "memory_stored",
+    agentId: record.agent_id,
+    project: record.project_name,
+    timestamp: record.timestamp
+  });
+  const MAX_PENDING = 1e3;
+  if (_pendingRecords.length > MAX_PENDING) {
+    const dropped = _pendingRecords.length - MAX_PENDING;
+    _pendingRecords = _pendingRecords.slice(-MAX_PENDING);
+    console.warn(`[store] Dropped ${dropped} oldest pending records (overflow)`);
+  }
+  if (_flushTimer === null) {
+    _flushTimer = setInterval(() => {
+      void flushBatch();
+    }, _flushIntervalMs);
+    if (_flushTimer && typeof _flushTimer === "object" && "unref" in _flushTimer) {
+      _flushTimer.unref();
+    }
   }
-}
-async function writeMachineBoundFileFallback(b64) {
-  const dir = getKeyDir();
-  await mkdir3(dir, { recursive: true });
-  const keyPath = getKeyPath();
-  const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  if (_pendingRecords.length >= _batchSize) {
+    await flushBatch();
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
 }
-async function getMasterKey() {
-  const nativeValue = macKeychainGet() ?? linuxSecretGet();
-  if (nativeValue) {
-    return Buffer.from(nativeValue, "base64");
-  }
-  const keytar = await tryKeytar();
-  if (keytar) {
+async function flushBatch() {
+  if (_flushing || _pendingRecords.length === 0) return 0;
+  _flushing = true;
+  try {
+    const batch = _pendingRecords.slice(0);
+    const client = getClient();
+    const vResult = await client.execute("SELECT MAX(version) as max_v FROM memories");
+    let baseVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
+    for (const row of batch) {
+      row.version = baseVersion++;
+    }
+    _nextVersion = baseVersion;
+    const buildStmt = (row) => {
+      const hasVector = row.vector !== null;
+      const taskId = row.task_id ?? null;
+      const importance = row.importance ?? 5;
+      const status = row.status ?? "active";
+      const confidence = row.confidence ?? 0.7;
+      const lastAccessed = row.last_accessed ?? row.timestamp;
+      const workspaceId = row.workspace_id ?? null;
+      const documentId = row.document_id ?? null;
+      const userId = row.user_id ?? null;
+      const charOffset = row.char_offset ?? null;
+      const pageNumber = row.page_number ?? null;
+      const sourcePath = row.source_path ?? null;
+      const sourceType = row.source_type ?? null;
+      const tier = row.tier ?? 3;
+      const supersedesId = row.supersedes_id ?? null;
+      const draft = row.draft ? 1 : 0;
+      const memoryType = row.memory_type ?? "raw";
+      const trajectory = row.trajectory ?? null;
+      const contentHash = row.content_hash ?? null;
+      const intent = row.intent ?? null;
+      const outcome = row.outcome ?? null;
+      const domain = row.domain ?? null;
+      const referencedEntities = row.referenced_entities ?? null;
+      const retrievalCount = row.retrieval_count ?? 0;
+      const chainPosition = row.chain_position ?? null;
+      const reviewStatus = row.review_status ?? null;
+      const contextWindowPct = row.context_window_pct ?? null;
+      const filePaths = row.file_paths ?? null;
+      const commitHash = row.commit_hash ?? null;
+      const durationMs = row.duration_ms ?? null;
+      const tokenCost = row.token_cost ?? null;
+      const audience = row.audience ?? null;
+      const languageType = row.language_type ?? null;
+      const parentMemoryId = row.parent_memory_id ?? null;
+      const cols = `id, agent_id, agent_role, session_id, timestamp,
+               tool_name, project_name,
+               has_error, raw_text, vector, version, task_id, importance, status,
+               confidence, last_accessed,
+               workspace_id, document_id, user_id, char_offset, page_number,
+               source_path, source_type, tier, supersedes_id, draft, memory_type, trajectory, content_hash,
+               intent, outcome, domain, referenced_entities, retrieval_count,
+               chain_position, review_status, context_window_pct, file_paths, commit_hash,
+               duration_ms, token_cost, audience, language_type, parent_memory_id`;
+      const metaArgs = [
+        intent,
+        outcome,
+        domain,
+        referencedEntities,
+        retrievalCount,
+        chainPosition,
+        reviewStatus,
+        contextWindowPct,
+        filePaths,
+        commitHash,
+        durationMs,
+        tokenCost,
+        audience,
+        languageType,
+        parentMemoryId
+      ];
+      const baseArgs = [
+        row.id,
+        row.agent_id,
+        row.agent_role,
+        row.session_id,
+        row.timestamp,
+        row.tool_name,
+        row.project_name,
+        row.has_error,
+        row.raw_text
+      ];
+      const sharedArgs = [
+        row.version,
+        taskId,
+        importance,
+        status,
+        confidence,
+        lastAccessed,
+        workspaceId,
+        documentId,
+        userId,
+        charOffset,
+        pageNumber,
+        sourcePath,
+        sourceType,
+        tier,
+        supersedesId,
+        draft,
+        memoryType,
+        trajectory,
+        contentHash
+      ];
+      return {
+        sql: hasVector ? `INSERT OR IGNORE INTO memories (${cols})
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, vector32(?), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)` : `INSERT OR IGNORE INTO memories (${cols})
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        args: hasVector ? [...baseArgs, vectorToBlob(row.vector), ...sharedArgs, ...metaArgs] : [...baseArgs, ...sharedArgs, ...metaArgs]
+      };
+    };
+    const globalClient = getClient();
+    const globalStmts = batch.map(buildStmt);
+    await globalClient.batch(globalStmts, "write");
     try {
-      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (keytarValue) {
-        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
-        if (migrated) {
-          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+      const { insertMemoryCardsForBatch: insertMemoryCardsForBatch2 } = await Promise.resolve().then(() => (init_memory_cards(), memory_cards_exports));
+      await insertMemoryCardsForBatch2(batch);
+    } catch {
+    }
+    schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
+    _pendingRecords.splice(0, batch.length);
+    try {
+      const { isShardingEnabled: isShardingEnabled2, getReadyShardClient: getReadyShardClient2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
+      if (isShardingEnabled2()) {
+        const byProject = /* @__PURE__ */ new Map();
+        let skippedUnknown = 0;
+        for (const row of batch) {
+          const proj = row.project_name?.trim();
+          if (!proj) {
+            skippedUnknown++;
+            continue;
+          }
+          if (!byProject.has(proj)) byProject.set(proj, []);
+          byProject.get(proj).push(row);
+        }
+        if (skippedUnknown > 0) {
+          process.stderr.write(
+            `[store] Shard skip: ${skippedUnknown} record(s) with empty project_name (kept in main DB only)
+`
+          );
+        }
+        for (const [project, rows] of byProject) {
+          try {
+            const shardClient = await getReadyShardClient2(project);
+            const shardStmts = rows.map(buildStmt);
+            await shardClient.batch(shardStmts, "write");
+          } catch (err) {
+            const fullError = err instanceof Error ? `${err.name}: ${err.message}${err.stack ? `
+${err.stack.split("\n").slice(1, 3).join("\n")}` : ""}` : String(err);
+            process.stderr.write(
+              `[store] Shard write failed for ${project} (${rows.length} records): ${fullError}
+`
+            );
+          }
         }
-        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
+    return batch.length;
+  } finally {
+    _flushing = false;
   }
-  const keyPath = getKeyPath();
-  if (!existsSync6(keyPath)) {
-    process.stderr.write(
-      `[keychain] Key not found at ${keyPath} (HOME=${os5.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
-`
-    );
-    return null;
+}
+function buildWikiScopeFilter(options, columnPrefix) {
+  const args = [];
+  let clause = "";
+  if (options?.workspaceId !== void 0) {
+    clause += ` AND ${columnPrefix}workspace_id = ?`;
+    args.push(options.workspaceId);
+  }
+  if (options?.userId === void 0) {
+    clause += ` AND ${columnPrefix}user_id IS NULL`;
+  } else if (options.userId === null) {
+    clause += ` AND ${columnPrefix}user_id IS NULL`;
+  } else {
+    clause += ` AND (${columnPrefix}user_id = ? OR ${columnPrefix}user_id IS NULL)`;
+    args.push(options.userId);
   }
-  try {
-    const content = (await readFile3(keyPath, "utf-8")).trim();
-    let b64Value;
-    if (content.startsWith(ENCRYPTED_PREFIX)) {
-      const machineKey = deriveMachineKey();
-      if (!machineKey) {
-        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
-        return null;
-      }
-      const decrypted = decryptWithMachineKey(content, machineKey);
-      if (!decrypted) {
-        process.stderr.write(
-          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
-        );
-        return null;
-      }
-      b64Value = decrypted;
-    } else {
-      b64Value = content;
-    }
-    const key = Buffer.from(b64Value, "base64");
-    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
-    if (migrated) {
-      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
-      try {
-        await unlink(keyPath);
-        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
-      } catch {
-      }
-    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
-      const fallback = await writeMachineBoundFileFallback(b64Value);
-      if (fallback === "encrypted") {
-        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
-      } else {
-        process.stderr.write(
-          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
-        );
-      }
-    }
-    return key;
-  } catch (err) {
-    process.stderr.write(
-      `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
-`
-    );
-    return null;
+  return { clause, args };
+}
+function buildRawVisibilityFilter(options, columnPrefix) {
+  if (options?.includeRaw === false) {
+    return {
+      clause: ` AND COALESCE(${columnPrefix}memory_type, 'raw') != 'raw'`,
+      args: []
+    };
   }
+  return { clause: "", args: [] };
 }
-
-// src/lib/store.ts
-init_config();
-
-// src/lib/state-bus.ts
-var StateBus = class {
-  handlers = /* @__PURE__ */ new Map();
-  globalHandlers = /* @__PURE__ */ new Set();
-  /** Emit an event to all subscribers */
-  emit(event) {
-    const typeHandlers = this.handlers.get(event.type);
-    if (typeHandlers) {
-      for (const handler of typeHandlers) {
-        try {
-          handler(event);
-        } catch {
-        }
-      }
+async function searchMemories(queryVector, agentId, options) {
+  let client;
+  try {
+    const { isShardingEnabled: isShardingEnabled2, shardExists: shardExists2, getReadyShardClient: getReadyShardClient2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
+    if (isShardingEnabled2() && options?.projectName && shardExists2(options.projectName)) {
+      client = await getReadyShardClient2(options.projectName);
+    } else {
+      client = getClient();
     }
-    for (const handler of this.globalHandlers) {
-      try {
-        handler(event);
-      } catch {
-      }
+  } catch {
+    client = getClient();
+  }
+  const limit = options?.limit ?? 10;
+  const statusFilter = options?.includeArchived ? "" : `
+               AND COALESCE(status, 'active') = 'active'`;
+  const draftFilter = options?.includeDrafts ? "" : `
+               AND (draft = 0 OR draft IS NULL)`;
+  let sql = `SELECT id, agent_id, agent_role, session_id, timestamp,
+                    tool_name, project_name,
+                    has_error, raw_text, vector, importance, status,
+                    confidence, last_accessed,
+                    workspace_id, document_id, user_id,
+                    char_offset, page_number,
+                    source_path, source_type
+             FROM memories
+             WHERE agent_id = ?
+               AND vector IS NOT NULL${statusFilter}${draftFilter}
+               AND COALESCE(confidence, 0.7) >= 0.3`;
+  const args = [agentId];
+  const scope = buildWikiScopeFilter(options, "");
+  sql += scope.clause;
+  args.push(...scope.args);
+  const rawVisibility = buildRawVisibilityFilter(options, "");
+  sql += rawVisibility.clause;
+  args.push(...rawVisibility.args);
+  if (options?.projectName) {
+    sql += ` AND project_name = ?`;
+    args.push(options.projectName);
+  }
+  if (options?.toolName) {
+    sql += ` AND tool_name = ?`;
+    args.push(options.toolName);
+  }
+  if (options?.hasError !== void 0) {
+    sql += ` AND has_error = ?`;
+    args.push(options.hasError ? 1 : 0);
+  }
+  if (options?.since) {
+    sql += ` AND timestamp >= ?`;
+    args.push(options.since);
+  }
+  if (options?.memoryTypes && options.memoryTypes.length > 0) {
+    const uniqueTypes = [...new Set(options.memoryTypes)];
+    sql += ` AND memory_type IN (${uniqueTypes.map(() => "?").join(",")})`;
+    args.push(...uniqueTypes);
+  } else if (options?.memoryType) {
+    sql += ` AND memory_type = ?`;
+    args.push(options.memoryType);
+  }
+  sql += ` ORDER BY vector_distance_cos(vector, vector32(?))`;
+  args.push(vectorToBlob(queryVector));
+  sql += ` LIMIT ?`;
+  args.push(limit);
+  const result = await client.execute({ sql, args });
+  return result.rows.map((row) => ({
+    id: row.id,
+    agent_id: row.agent_id,
+    agent_role: row.agent_role,
+    session_id: row.session_id,
+    timestamp: row.timestamp,
+    tool_name: row.tool_name,
+    project_name: row.project_name,
+    has_error: row.has_error === 1,
+    raw_text: row.raw_text,
+    vector: row.vector == null ? [] : Array.isArray(row.vector) ? row.vector : Array.from(row.vector),
+    importance: row.importance ?? 5,
+    status: row.status ?? "active",
+    confidence: row.confidence ?? 0.7,
+    last_accessed: row.last_accessed ?? row.timestamp,
+    workspace_id: row.workspace_id ?? null,
+    document_id: row.document_id ?? null,
+    user_id: row.user_id ?? null,
+    char_offset: row.char_offset ?? null,
+    page_number: row.page_number ?? null,
+    source_path: row.source_path ?? null,
+    source_type: row.source_type ?? null
+  }));
+}
+async function attachDocumentMetadata(records) {
+  const docIds = [
+    ...new Set(
+      records.map((r) => r.document_id).filter((id) => typeof id === "string" && id.length > 0)
+    )
+  ];
+  if (docIds.length === 0) return records;
+  try {
+    const client = getClient();
+    const placeholders = docIds.map(() => "?").join(",");
+    const result = await client.execute({
+      sql: `SELECT id, filename, mime, source_type, uploaded_at
+            FROM documents
+            WHERE id IN (${placeholders})`,
+      args: docIds
+    });
+    const byId = /* @__PURE__ */ new Map();
+    for (const row of result.rows) {
+      const id = row.id;
+      byId.set(id, {
+        document_id: id,
+        filename: row.filename,
+        mime: row.mime ?? null,
+        source_type: row.source_type ?? null,
+        uploaded_at: row.uploaded_at
+      });
     }
-  }
-  /** Subscribe to a specific event type */
-  on(type, handler) {
-    if (!this.handlers.has(type)) {
-      this.handlers.set(type, /* @__PURE__ */ new Set());
+    for (const record of records) {
+      if (!record.document_id) continue;
+      record.document_metadata = byId.get(record.document_id) ?? null;
     }
-    this.handlers.get(type).add(handler);
-  }
-  /** Subscribe to ALL events */
-  onAny(handler) {
-    this.globalHandlers.add(handler);
-  }
-  /** Unsubscribe from a specific event type */
-  off(type, handler) {
-    this.handlers.get(type)?.delete(handler);
-  }
-  /** Unsubscribe from ALL events */
-  offAny(handler) {
-    this.globalHandlers.delete(handler);
-  }
-  /** Remove all listeners */
-  clear() {
-    this.handlers.clear();
-    this.globalHandlers.clear();
-  }
-};
-var orgBus = new StateBus();
-
-// src/lib/memory-write-governor.ts
-import { createHash } from "crypto";
-
-// src/lib/store.ts
-var INIT_MAX_RETRIES = 3;
-var INIT_RETRY_DELAY_MS = 1e3;
-function isBusyError2(err) {
-  if (err instanceof Error) {
-    const msg = err.message.toLowerCase();
-    return msg.includes("sqlite_busy") || msg.includes("database is locked");
+  } catch {
   }
-  return false;
+  return records;
 }
-async function retryOnBusy2(fn, label) {
-  for (let attempt = 0; attempt <= INIT_MAX_RETRIES; attempt++) {
-    try {
-      return await fn();
-    } catch (err) {
-      if (!isBusyError2(err) || attempt === INIT_MAX_RETRIES) throw err;
-      process.stderr.write(
-        `[store] SQLITE_BUSY during ${label}, retry ${attempt + 1}/${INIT_MAX_RETRIES}
-`
-      );
-      await new Promise((r) => setTimeout(r, INIT_RETRY_DELAY_MS * (attempt + 1)));
-    }
+async function flushTier3(agentId, options) {
+  const client = getClient();
+  const maxAge = options?.maxAgeHours ?? 72;
+  const cutoff = new Date(Date.now() - maxAge * 36e5).toISOString();
+  if (options?.dryRun) {
+    const result2 = await client.execute({
+      sql: `SELECT COUNT(*) as cnt FROM memories
+            WHERE agent_id = ? AND tier = 3 AND status = 'active' AND timestamp < ?`,
+      args: [agentId, cutoff]
+    });
+    return { archived: Number(result2.rows[0]?.cnt ?? 0) };
   }
-  throw new Error("unreachable");
+  const result = await client.execute({
+    sql: `UPDATE memories SET status = 'archived'
+          WHERE agent_id = ? AND tier = 3 AND status = 'active' AND timestamp < ?`,
+    args: [agentId, cutoff]
+  });
+  return { archived: result.rowsAffected };
 }
-var _pendingRecords = [];
-var _batchSize = 20;
-var _flushIntervalMs = 1e4;
-var _flushTimer = null;
-var _flushing = false;
-var _nextVersion = 1;
-async function initStore(options) {
+async function disposeStore() {
   if (_flushTimer !== null) {
     clearInterval(_flushTimer);
     _flushTimer = null;
   }
+  if (_pendingRecords.length > 0) {
+    await flushBatch();
+  }
+  await disposeTurso();
   _pendingRecords = [];
-  _flushing = false;
-  _batchSize = options?.batchSize ?? 20;
-  _flushIntervalMs = options?.flushIntervalMs ?? 1e4;
-  let dbPath = options?.dbPath;
-  if (!dbPath) {
-    const config = await loadConfig();
-    dbPath = config.dbPath;
+  _nextVersion = 1;
+}
+function vectorToBlob(vector) {
+  const f32 = vector instanceof Float32Array ? vector : new Float32Array(vector);
+  return JSON.stringify(Array.from(f32));
+}
+async function updateMemoryStatus(id, status) {
+  const client = getClient();
+  await client.execute({
+    sql: `UPDATE memories SET status = ? WHERE id = ?`,
+    args: [status, id]
+  });
+}
+function reserveVersions(count) {
+  const reserved = [];
+  for (let i = 0; i < count; i++) {
+    reserved.push(_nextVersion++);
   }
-  let masterKey = options?.masterKey ?? null;
-  if (!masterKey) {
-    masterKey = await getMasterKey();
-    if (!masterKey) {
-      throw new Error(
-        "No encryption key found. Run /exe-setup to generate one."
-      );
-    }
+  return reserved;
+}
+async function getMemoryCardinality(agentId) {
+  try {
+    const client = getClient();
+    const result = await client.execute({
+      sql: `SELECT COUNT(*) as cnt FROM memories WHERE agent_id = ? AND COALESCE(status, 'active') = 'active'`,
+      args: [agentId]
+    });
+    return Number(result.rows[0]?.cnt) || 0;
+  } catch {
+    return 0;
+  }
+}
+var INIT_MAX_RETRIES, INIT_RETRY_DELAY_MS, _pendingRecords, _batchSize, _flushIntervalMs, _flushTimer, _flushing, _nextVersion;
+var init_store = __esm({
+  "src/lib/store.ts"() {
+    "use strict";
+    init_memory();
+    init_database();
+    init_keychain();
+    init_config();
+    init_state_bus();
+    init_memory_write_governor();
+    INIT_MAX_RETRIES = 3;
+    INIT_RETRY_DELAY_MS = 1e3;
+    _pendingRecords = [];
+    _batchSize = 20;
+    _flushIntervalMs = 1e4;
+    _flushTimer = null;
+    _flushing = false;
+    _nextVersion = 1;
+  }
+});
+
+// src/bin/fast-db-init.ts
+var fast_db_init_exports = {};
+__export(fast_db_init_exports, {
+  fastDbInit: () => fastDbInit
+});
+async function fastDbInit() {
+  const { isInitialized: isInitialized2, getClient: getClient2, setExternalClient: setExternalClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+  if (isInitialized2()) {
+    return getClient2();
   }
-  const hexKey = masterKey.toString("hex");
-  await initTurso({
-    dbPath,
-    encryptionKey: hexKey
-  });
-  await retryOnBusy2(() => ensureSchema(), "ensureSchema");
   try {
-    const { initDaemonClient: initDaemonClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-    await initDaemonClient2();
+    const { connectEmbedDaemon: connectEmbedDaemon2, sendDaemonRequest: sendDaemonRequest2, isClientConnected: isClientConnected2 } = await Promise.resolve().then(() => (init_exe_daemon_client(), exe_daemon_client_exports));
+    const { deserializeResultSet: deserializeResultSet2 } = await Promise.resolve().then(() => (init_daemon_protocol(), daemon_protocol_exports));
+    await connectEmbedDaemon2();
+    if (isClientConnected2()) {
+      const daemonClient = {
+        async execute(stmt) {
+          const sql = typeof stmt === "string" ? stmt : stmt.sql;
+          const args = typeof stmt === "string" ? [] : Array.isArray(stmt.args) ? stmt.args : [];
+          const resp = await sendDaemonRequest2({ type: "db-execute", sql, args });
+          if (resp.error) throw new Error(String(resp.error));
+          if (resp.db) return deserializeResultSet2(resp.db);
+          throw new Error("Unexpected daemon response");
+        },
+        async batch(stmts, mode) {
+          const statements = stmts.map((s) => {
+            const sql = typeof s === "string" ? s : s.sql;
+            const args = typeof s === "string" ? [] : Array.isArray(s.args) ? s.args : [];
+            return { sql, args };
+          });
+          const resp = await sendDaemonRequest2({ type: "db-batch", statements, mode: mode ?? "deferred" });
+          if (resp.error) throw new Error(String(resp.error));
+          const batchResults = resp["db-batch"];
+          if (batchResults) return batchResults.map(deserializeResultSet2);
+          throw new Error("Unexpected daemon batch response");
+        },
+        async transaction(_mode) {
+          throw new Error("Transactions not supported via daemon socket");
+        },
+        async executeMultiple(_sql) {
+          throw new Error("executeMultiple not supported via daemon socket");
+        },
+        async migrate(_stmts) {
+          throw new Error("migrate not supported via daemon socket");
+        },
+        sync() {
+          return Promise.resolve(void 0);
+        },
+        close() {
+        },
+        get closed() {
+          return false;
+        },
+        get protocol() {
+          return "file";
+        }
+      };
+      setExternalClient2(daemonClient);
+      return daemonClient;
+    }
   } catch {
   }
-  if (!options?.lightweight) {
+  const { initStore: initStore2 } = await Promise.resolve().then(() => (init_store(), store_exports));
+  await initStore2({ lightweight: true });
+  return getClient2();
+}
+var init_fast_db_init = __esm({
+  "src/bin/fast-db-init.ts"() {
+    "use strict";
+  }
+});
+
+// src/lib/db-backup.ts
+var db_backup_exports = {};
+__export(db_backup_exports, {
+  createBackup: () => createBackup,
+  findActiveDb: () => findActiveDb,
+  getBackupDir: () => getBackupDir,
+  getLatestBackup: () => getLatestBackup,
+  hasBackupToday: () => hasBackupToday,
+  listBackups: () => listBackups,
+  rotateBackups: () => rotateBackups
+});
+import { copyFileSync, existsSync as existsSync9, mkdirSync as mkdirSync4, readdirSync as readdirSync3, unlinkSync as unlinkSync4, statSync as statSync3 } from "fs";
+import path9 from "path";
+function findActiveDb() {
+  for (const name of DB_NAMES) {
+    const p = path9.join(EXE_AI_DIR, name);
+    if (existsSync9(p)) return p;
+  }
+  return null;
+}
+function createBackup(reason = "manual") {
+  const dbPath = findActiveDb();
+  if (!dbPath) return null;
+  mkdirSync4(BACKUP_DIR, { recursive: true });
+  const dbName = path9.basename(dbPath, ".db");
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
+  const backupName = `${dbName}-${reason}-${timestamp}.db`;
+  const backupPath = path9.join(BACKUP_DIR, backupName);
+  copyFileSync(dbPath, backupPath);
+  const walPath = dbPath + "-wal";
+  if (existsSync9(walPath)) {
     try {
-      const { initShardManager: initShardManager2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
-      initShardManager2(hexKey);
+      copyFileSync(walPath, backupPath + "-wal");
     } catch {
     }
-    const client = getClient();
-    const vResult = await retryOnBusy2(
-      () => client.execute("SELECT MAX(version) as max_v FROM memories"),
-      "version-query"
-    );
-    _nextVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
+  }
+  const shmPath = dbPath + "-shm";
+  if (existsSync9(shmPath)) {
     try {
-      const { loadGlobalProcedures: loadGlobalProcedures2 } = await Promise.resolve().then(() => (init_global_procedures(), global_procedures_exports));
-      await loadGlobalProcedures2();
+      copyFileSync(shmPath, backupPath + "-shm");
     } catch {
     }
   }
+  return backupPath;
+}
+function rotateBackups(keepDays = DEFAULT_KEEP_DAYS) {
+  if (!existsSync9(BACKUP_DIR)) return 0;
+  const cutoff = Date.now() - keepDays * 24 * 60 * 60 * 1e3;
+  let deleted = 0;
+  try {
+    const files = readdirSync3(BACKUP_DIR);
+    for (const file of files) {
+      if (!file.endsWith(".db") && !file.endsWith(".db-wal") && !file.endsWith(".db-shm")) continue;
+      const filePath = path9.join(BACKUP_DIR, file);
+      try {
+        const stat = statSync3(filePath);
+        if (stat.mtimeMs < cutoff) {
+          unlinkSync4(filePath);
+          deleted++;
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return deleted;
+}
+function listBackups() {
+  if (!existsSync9(BACKUP_DIR)) return [];
+  try {
+    const files = readdirSync3(BACKUP_DIR).filter((f) => f.endsWith(".db") && !f.endsWith("-wal") && !f.endsWith("-shm"));
+    return files.map((name) => {
+      const p = path9.join(BACKUP_DIR, name);
+      const stat = statSync3(p);
+      return { path: p, name, size: stat.size, date: stat.mtime };
+    }).sort((a, b) => b.date.getTime() - a.date.getTime());
+  } catch {
+    return [];
+  }
+}
+function hasBackupToday(reason) {
+  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  const backups = listBackups();
+  return backups.some((b) => b.name.includes(reason) && b.name.includes(today.replace(/-/g, "-")));
 }
+function getLatestBackup() {
+  const backups = listBackups();
+  return backups.length > 0 ? backups[0].path : null;
+}
+function getBackupDir() {
+  return BACKUP_DIR;
+}
+var BACKUP_DIR, DEFAULT_KEEP_DAYS, DB_NAMES;
+var init_db_backup = __esm({
+  "src/lib/db-backup.ts"() {
+    "use strict";
+    init_config();
+    BACKUP_DIR = path9.join(EXE_AI_DIR, "backups");
+    DEFAULT_KEEP_DAYS = 3;
+    DB_NAMES = ["memories.db", "exe-mem.db", "exe-os.db", "exe.db"];
+  }
+});
 
 // src/bin/exe-doctor.ts
-init_database();
+import os6 from "os";
 
 // src/lib/is-main.ts
 import { realpathSync } from "fs";
-import { fileURLToPath as fileURLToPath2 } from "url";
+import { fileURLToPath } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
-    const modulePath = realpathSync(fileURLToPath2(importMetaUrl));
+    const modulePath = realpathSync(fileURLToPath(importMetaUrl));
     return scriptPath === modulePath;
   } catch {
     return importMetaUrl === `file://${process.argv[1]}` || importMetaUrl === new URL(process.argv[1], "file://").href;
@@ -4229,6 +5400,140 @@ async function detectConflicts(client, projectFilter, agentFilter2) {
   };
 }
 
+// src/adapters/runtime-hook-manifest.ts
+var EXE_HOOKS = {
+  postToolCombined: "dist/hooks/post-tool-combined.js",
+  sessionStart: "dist/hooks/session-start.js",
+  promptSubmit: "dist/hooks/prompt-submit.js",
+  heartbeat: "dist/hooks/exe-heartbeat-hook.js",
+  stop: "dist/hooks/stop.js",
+  preToolUse: "dist/hooks/pre-tool-use.js",
+  subagentStop: "dist/hooks/subagent-stop.js",
+  preCompact: "dist/hooks/pre-compact.js",
+  postCompact: "dist/hooks/post-compact.js",
+  sessionEnd: "dist/hooks/session-end.js",
+  notification: "dist/hooks/notification.js",
+  instructionsLoaded: "dist/hooks/instructions-loaded.js"
+};
+var EXE_HOOK_MANIFEST = [
+  {
+    key: "postToolCombined",
+    event: "PostToolUse",
+    commandMarker: EXE_HOOKS.postToolCombined,
+    owner: "exe-os",
+    purpose: "Single PostToolUse entrypoint for ingestion, error recall, summaries, and bug detection.",
+    runtimes: ["claude", "codex", "opencode"],
+    checkpointRole: "none"
+  },
+  {
+    key: "sessionStart",
+    event: "SessionStart",
+    commandMarker: EXE_HOOKS.sessionStart,
+    owner: "exe-os",
+    purpose: "Loads agent identity, procedures, and boot context.",
+    runtimes: ["claude", "codex", "opencode"],
+    checkpointRole: "none"
+  },
+  {
+    key: "promptSubmit",
+    event: "UserPromptSubmit",
+    commandMarker: EXE_HOOKS.promptSubmit,
+    owner: "exe-os",
+    purpose: "Injects current tasks, pending reviews, and local context before each prompt.",
+    runtimes: ["claude", "codex", "opencode"],
+    checkpointRole: "none"
+  },
+  {
+    key: "heartbeat",
+    event: "UserPromptSubmit",
+    commandMarker: EXE_HOOKS.heartbeat,
+    owner: "exe-os",
+    purpose: "Lightweight heartbeat/status sidecar for Claude Code sessions.",
+    runtimes: ["claude"],
+    checkpointRole: "none"
+  },
+  {
+    key: "stop",
+    event: "Stop",
+    commandMarker: EXE_HOOKS.stop,
+    owner: "exe-os",
+    purpose: "Finalizes task state, capacity signals, and emergency checkpointing.",
+    runtimes: ["claude", "codex", "opencode"],
+    checkpointRole: "capacity_checkpoint"
+  },
+  {
+    key: "preToolUse",
+    event: "PreToolUse",
+    commandMarker: EXE_HOOKS.preToolUse,
+    owner: "exe-os",
+    purpose: "Preflight guardrails before shell/tool execution.",
+    runtimes: ["claude", "codex", "opencode"],
+    checkpointRole: "none"
+  },
+  {
+    key: "subagentStop",
+    event: "SubagentStop",
+    commandMarker: EXE_HOOKS.subagentStop,
+    owner: "exe-os",
+    purpose: "Captures subagent completion context.",
+    runtimes: ["claude"],
+    checkpointRole: "none"
+  },
+  {
+    key: "preCompact",
+    event: "PreCompact",
+    commandMarker: EXE_HOOKS.preCompact,
+    owner: "exe-os",
+    purpose: "Writes active-task snapshot and compaction recovery context.",
+    runtimes: ["claude"],
+    checkpointRole: "recovery_context"
+  },
+  {
+    key: "postCompact",
+    event: "PostCompact",
+    commandMarker: EXE_HOOKS.postCompact,
+    owner: "exe-os",
+    purpose: "Rehydrates recovery context after compaction.",
+    runtimes: ["claude"],
+    checkpointRole: "recovery_context"
+  },
+  {
+    key: "sessionEnd",
+    event: "SessionEnd",
+    commandMarker: EXE_HOOKS.sessionEnd,
+    owner: "exe-os",
+    purpose: "Stores session-end checkpoint and triages orphaned in-progress tasks.",
+    runtimes: ["claude"],
+    checkpointRole: "session_summary"
+  },
+  {
+    key: "notification",
+    event: "Notification",
+    commandMarker: EXE_HOOKS.notification,
+    owner: "exe-os",
+    purpose: "Captures runtime notifications and nudges.",
+    runtimes: ["claude"],
+    checkpointRole: "none"
+  },
+  {
+    key: "instructionsLoaded",
+    event: "InstructionsLoaded",
+    commandMarker: EXE_HOOKS.instructionsLoaded,
+    owner: "exe-os",
+    purpose: "Applies runtime instruction post-processing.",
+    runtimes: ["claude"],
+    checkpointRole: "none"
+  }
+];
+var LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS = [
+  "dist/hooks/ingest.js",
+  "dist/hooks/error-recall.js",
+  "dist/hooks/ingest-worker.js"
+];
+function manifestEntryForCommand(command) {
+  return EXE_HOOK_MANIFEST.find((entry) => command.includes(entry.commandMarker));
+}
+
 // src/bin/exe-doctor.ts
 function parseFlags(argv) {
   const flags = { fix: false, dryRun: false, verbose: false, conflicts: false };
@@ -4427,6 +5732,121 @@ function auditHookHealth() {
   const topPatterns = [...patternCounts.entries()].sort((a, b) => b[1] - a[1]).slice(0, 5).map(([pattern, count]) => ({ pattern, count }));
   return { logExists: true, totalLines, errorsLastHour, topPatterns };
 }
+function safeReadJson(filePath) {
+  if (!existsSync10(filePath)) return null;
+  try {
+    return JSON.parse(readFileSync5(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function collectHookCommandsFromClaudeSettings(settings) {
+  const hooks = settings?.hooks;
+  if (!hooks || typeof hooks !== "object") return [];
+  const commands = [];
+  for (const [event, groups] of Object.entries(hooks)) {
+    if (!Array.isArray(groups)) continue;
+    for (const group of groups) {
+      const hooksForGroup = group?.hooks;
+      if (!Array.isArray(hooksForGroup)) continue;
+      for (const hook of hooksForGroup) {
+        const command = hook?.command;
+        if (typeof command === "string") commands.push({ event, command });
+      }
+    }
+  }
+  return commands;
+}
+function collectHookCommandsFromCodexHooks(config) {
+  const commands = [];
+  if (!config || typeof config !== "object") return commands;
+  const root = config;
+  for (const [event, value] of Object.entries(root)) {
+    const entries = Array.isArray(value) ? value : value && typeof value === "object" ? Object.values(value) : [];
+    for (const entry of entries) {
+      if (typeof entry === "string") commands.push({ event, command: entry });
+      const command = entry?.command;
+      if (typeof command === "string") commands.push({ event, command });
+    }
+  }
+  return commands;
+}
+function buildHookOwnershipIssues(runtime, commands) {
+  const issues = [];
+  for (const marker of LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS) {
+    const count = commands.filter((cmd) => cmd.command.includes(marker)).length;
+    if (count > 0) {
+      issues.push({
+        runtime,
+        event: "PostToolUse",
+        marker,
+        count,
+        message: `Legacy split PostToolUse hook still installed: ${marker}`
+      });
+    }
+  }
+  for (const entry of EXE_HOOK_MANIFEST.filter((hook) => hook.runtimes.includes(runtime))) {
+    const matching = commands.filter((cmd) => cmd.command.includes(entry.commandMarker));
+    if (matching.length > 1) {
+      issues.push({
+        runtime,
+        event: entry.event,
+        marker: entry.commandMarker,
+        count: matching.length,
+        message: `Duplicate exe-os hook owner for ${entry.event}: ${entry.commandMarker}`
+      });
+    }
+    for (const cmd of matching) {
+      if (cmd.event !== entry.event) {
+        issues.push({
+          runtime,
+          event: cmd.event,
+          marker: entry.commandMarker,
+          count: 1,
+          message: `exe-os hook ${entry.commandMarker} is registered under ${cmd.event}, expected ${entry.event}`
+        });
+      }
+    }
+  }
+  for (const cmd of commands) {
+    if (!cmd.command.includes("dist/hooks/")) continue;
+    if (!cmd.command.includes("exe-os")) continue;
+    const entry = manifestEntryForCommand(cmd.command);
+    const isLegacy = LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS.some((marker) => cmd.command.includes(marker));
+    if (!entry && !isLegacy) {
+      issues.push({
+        runtime,
+        event: cmd.event,
+        marker: "dist/hooks/",
+        count: 1,
+        message: `Unknown exe-os hook command not present in ownership manifest: ${cmd.command.slice(0, 160)}`
+      });
+    }
+  }
+  return issues;
+}
+function auditHookOwnership() {
+  const home = process.env.HOME ?? process.env.USERPROFILE ?? "";
+  const checkedFiles = [];
+  const issues = [];
+  const claudeSettingsPath = path10.join(home, ".claude", "settings.json");
+  const claudeSettings = safeReadJson(claudeSettingsPath);
+  if (claudeSettings) {
+    checkedFiles.push(claudeSettingsPath);
+    issues.push(...buildHookOwnershipIssues("claude", collectHookCommandsFromClaudeSettings(claudeSettings)));
+  }
+  const codexHooksPath = path10.join(home, ".codex", "hooks.json");
+  const codexHooks = safeReadJson(codexHooksPath);
+  if (codexHooks) {
+    checkedFiles.push(codexHooksPath);
+    issues.push(...buildHookOwnershipIssues("codex", collectHookCommandsFromCodexHooks(codexHooks)));
+  }
+  return {
+    checkedFiles,
+    issues,
+    staleLegacyHooks: issues.filter((issue) => issue.message.includes("Legacy split"))
+  };
+}
 async function auditShards() {
   try {
     const { auditShardHealth: auditShardHealth2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
@@ -4471,7 +5891,8 @@ async function runAudit(client, flags) {
   }
   const duplicateCount = duplicates.reduce((sum, d) => sum + d.delete_ids.length, 0);
   const hookHealth = auditHookHealth();
-  return { stats, nullVectors, duplicates, duplicateCount, bloated, fts, orphanedProjects, conflicts, hookHealth, shards };
+  const hookOwnership = auditHookOwnership();
+  return { stats, nullVectors, duplicates, duplicateCount, bloated, fts, orphanedProjects, conflicts, hookHealth, hookOwnership, shards };
 }
 function indicator(value, warn) {
   if (value === 0) return "\u{1F7E2}";
@@ -4550,6 +5971,15 @@ function formatReport(report, flags) {
       lines.push(`                     ${p.count}x: ${p.pattern}`);
     }
   }
+  const ho = report.hookOwnership;
+  if (ho.issues.length === 0) {
+    lines.push(`\u{1F7E2} Hook ownership:  ${ho.checkedFiles.length > 0 ? "manifest clean" : "no local hook config found"}`);
+  } else {
+    lines.push(`\u{1F534} Hook ownership:  ${fmtNum(ho.issues.length)} issue(s)`);
+    for (const issue of ho.issues.slice(0, 5)) {
+      lines.push(`                     [${issue.runtime}/${issue.event}] ${issue.message}`);
+    }
+  }
   const sh = report.shards;
   if (sh.total > 0) {
     if (sh.unreadable === 0) {
@@ -4619,6 +6049,9 @@ function formatReport(report, flags) {
   if (report.conflicts.superseded > 0) {
     recs.push(`${fmtNum(report.conflicts.superseded)} superseded memories can be deactivated`);
   }
+  if (report.hookOwnership.issues.length > 0) {
+    recs.push(`Run exe-os install to refresh hook config; remove stale exe-os hook commands if they remain`);
+  }
   if (recs.length > 0) {
     lines.push("Recommendations:");
     for (const r of recs) {
@@ -4752,8 +6185,8 @@ function splitAtSentences(text, maxChunkSize) {
 }
 async function main(argv = process.argv.slice(2)) {
   const flags = parseFlags(argv);
-  await initStore();
-  const client = getClient();
+  const { fastDbInit: fastDbInit2 } = await Promise.resolve().then(() => (init_fast_db_init(), fast_db_init_exports));
+  const client = await fastDbInit2();
   const report = await runAudit(client, flags);
   console.log(formatReport(report, flags));
   if (flags.fix || flags.dryRun) {
@@ -4821,6 +6254,7 @@ export {
   auditDuplicates,
   auditFts,
   auditHookHealth,
+  auditHookOwnership,
   auditNullVectors,
   auditOrphanedProjects,
   auditShards,