@askexenow/exe-os 0.9.63 → 0.9.64

package/dist/bin/exe-doctor.js

@@ -15,6 +15,70 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/types/memory.ts
+var EMBEDDING_DIM;
+var init_memory = __esm({
+  "src/types/memory.ts"() {
+    "use strict";
+    EMBEDDING_DIM = 1024;
+  }
+});
+
+// src/lib/db-retry.ts
+function isBusyError(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
+  }
+  return false;
+}
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function retryOnBusy(fn, label) {
+  let lastError;
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (!isBusyError(err) || attempt === MAX_RETRIES) {
+        throw err;
+      }
+      const backoff = BASE_DELAY_MS * Math.pow(2, attempt);
+      const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
+      process.stderr.write(
+        `[exe-os] SQLITE_BUSY ${label} retry ${attempt + 1}/${MAX_RETRIES} \u2014 waiting ${backoff + jitter}ms
+`
+      );
+      await delay(backoff + jitter);
+    }
+  }
+  throw lastError;
+}
+function wrapWithRetry(client) {
+  return new Proxy(client, {
+    get(target, prop, receiver) {
+      if (prop === "execute") {
+        return (sql) => retryOnBusy(() => target.execute(sql), "execute");
+      }
+      if (prop === "batch") {
+        return (stmts, mode) => retryOnBusy(() => target.batch(stmts, mode), "batch");
+      }
+      return Reflect.get(target, prop, receiver);
+    }
+  });
+}
+var MAX_RETRIES, BASE_DELAY_MS, MAX_JITTER_MS;
+var init_db_retry = __esm({
+  "src/lib/db-retry.ts"() {
+    "use strict";
+    MAX_RETRIES = 5;
+    BASE_DELAY_MS = 250;
+    MAX_JITTER_MS = 400;
+  }
+});
+
 // src/lib/secure-files.ts
 import { chmodSync, existsSync, mkdirSync } from "fs";
 import { chmod, mkdir } from "fs/promises";
@@ -238,669 +302,89 @@ var init_config = __esm({
   }
 });
 
-// src/lib/shard-manager.ts
-var shard_manager_exports = {};
-__export(shard_manager_exports, {
-  auditShardHealth: () => auditShardHealth,
-  disposeShards: () => disposeShards,
-  ensureShardSchema: () => ensureShardSchema,
-  getOpenShardCount: () => getOpenShardCount,
-  getReadyShardClient: () => getReadyShardClient,
-  getShardClient: () => getShardClient,
-  getShardsDir: () => getShardsDir,
-  initShardManager: () => initShardManager,
-  isShardingEnabled: () => isShardingEnabled,
-  listShards: () => listShards,
-  shardExists: () => shardExists
-});
+// src/lib/employees.ts
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { execSync } from "child_process";
 import path2 from "path";
-import { existsSync as existsSync3, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync2, statSync } from "fs";
-import { createClient } from "@libsql/client";
-function initShardManager(encryptionKey) {
-  _encryptionKey = encryptionKey;
-  if (!existsSync3(SHARDS_DIR)) {
-    mkdirSync2(SHARDS_DIR, { recursive: true });
-  }
-  _shardingEnabled = true;
-  if (_evictionTimer) clearInterval(_evictionTimer);
-  _evictionTimer = setInterval(evictIdleShards, EVICTION_INTERVAL_MS);
-  _evictionTimer.unref();
+import os2 from "os";
+function normalizeRole(role) {
+  return (role ?? "").trim().toLowerCase();
 }
-function isShardingEnabled() {
-  return _shardingEnabled;
+function isCoordinatorRole(role) {
+  return normalizeRole(role) === normalizeRole(COORDINATOR_ROLE);
 }
-function getShardsDir() {
-  return SHARDS_DIR;
+function getCoordinatorEmployee(employees) {
+  return employees.find((e) => isCoordinatorRole(e.role));
 }
-function getShardClient(projectName) {
-  if (!_encryptionKey) {
-    throw new Error("Shard manager not initialized. Call initShardManager() first.");
-  }
-  const safeName = safeShardName(projectName);
-  if (!safeName || safeName === "unknown") {
-    throw new Error(`Invalid project name for shard: "${projectName}" (resolved to "${safeName}")`);
-  }
-  const cached = _shards.get(safeName);
-  if (cached) {
-    _shardLastAccess.set(safeName, Date.now());
-    return cached;
+function getCoordinatorName(employees = loadEmployeesSync()) {
+  return getCoordinatorEmployee(employees)?.name ?? DEFAULT_COORDINATOR_TEMPLATE_NAME;
+}
+function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
+  if (!existsSync3(employeesPath)) return [];
+  try {
+    return JSON.parse(readFileSync2(employeesPath, "utf-8"));
+  } catch {
+    return [];
   }
-  while (_shards.size >= MAX_OPEN_SHARDS) {
-    evictLRU();
+}
+var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, IDENTITY_DIR;
+var init_employees = __esm({
+  "src/lib/employees.ts"() {
+    "use strict";
+    init_config();
+    EMPLOYEES_PATH = path2.join(EXE_AI_DIR, "exe-employees.json");
+    DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
+    COORDINATOR_ROLE = "COO";
+    IDENTITY_DIR = path2.join(EXE_AI_DIR, "identity");
   }
-  const dbPath = path2.join(SHARDS_DIR, `${safeName}.db`);
-  const client = createClient({
-    url: `file:${dbPath}`,
-    encryptionKey: _encryptionKey
-  });
-  _shards.set(safeName, client);
-  _shardLastAccess.set(safeName, Date.now());
-  return client;
+});
+
+// src/lib/database-adapter.ts
+import os3 from "os";
+import path3 from "path";
+import { createRequire } from "module";
+import { pathToFileURL } from "url";
+function quotedIdentifier(identifier) {
+  return `"${identifier.replace(/"/g, '""')}"`;
 }
-function shardExists(projectName) {
-  const safeName = safeShardName(projectName);
-  return existsSync3(path2.join(SHARDS_DIR, `${safeName}.db`));
+function unqualifiedTableName(name) {
+  const raw = name.trim().replace(/^"|"$/g, "");
+  const parts = raw.split(".");
+  return parts[parts.length - 1].replace(/^"|"$/g, "").toLowerCase();
 }
-function safeShardName(projectName) {
-  return projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
+function stripTrailingSemicolon(sql) {
+  return sql.trim().replace(/;+\s*$/u, "");
 }
-function listShards() {
-  if (!existsSync3(SHARDS_DIR)) return [];
-  return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
+function appendClause(sql, clause) {
+  const trimmed = stripTrailingSemicolon(sql);
+  const returningMatch = /\sRETURNING\b[\s\S]*$/iu.exec(trimmed);
+  if (!returningMatch) {
+    return `${trimmed}${clause}`;
+  }
+  const idx = returningMatch.index;
+  return `${trimmed.slice(0, idx)}${clause}${trimmed.slice(idx)}`;
 }
-async function auditShardHealth(options = {}) {
-  if (!_encryptionKey) {
-    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+function normalizeStatement(stmt) {
+  if (typeof stmt === "string") {
+    return { kind: "positional", sql: stmt, args: [] };
   }
-  const repair = options.repair === true;
-  const dryRun = options.dryRun === true;
-  const names = listShards();
-  const shards = [];
-  for (const name of names) {
-    const dbPath = path2.join(SHARDS_DIR, `${name}.db`);
-    const stat = statSync(dbPath);
-    const item = {
-      name,
-      path: dbPath,
-      ok: false,
-      unreadable: false,
-      error: null,
-      size: stat.size,
-      mtime: stat.mtime.toISOString(),
-      memoryCount: null
-    };
-    const client = createClient({
-      url: `file:${dbPath}`,
-      encryptionKey: _encryptionKey
-    });
-    try {
-      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
-      const hasMemories = await client.execute(
-        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
-      );
-      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
-        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
-        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
-      }
-      item.ok = true;
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      item.error = message;
-      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
-      if (item.unreadable && repair && !dryRun) {
-        client.close();
-        _shards.delete(name);
-        _shardLastAccess.delete(name);
-        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-        const archivedPath = path2.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
-        renameSync2(dbPath, archivedPath);
-        item.archivedPath = archivedPath;
-      }
-    } finally {
-      try {
-        client.close();
-      } catch {
-      }
-    }
-    shards.push(item);
+  const sql = stmt.sql;
+  if (Array.isArray(stmt.args) || stmt.args === void 0) {
+    return { kind: "positional", sql, args: stmt.args ?? [] };
   }
-  return {
-    total: shards.length,
-    ok: shards.filter((s) => s.ok).length,
-    unreadable: shards.filter((s) => s.unreadable).length,
-    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
-    shards
-  };
+  return { kind: "named", sql, args: stmt.args };
 }
-async function ensureShardSchema(client) {
-  await client.execute("PRAGMA journal_mode = WAL");
-  await client.execute("PRAGMA busy_timeout = 30000");
-  try {
-    await client.execute("PRAGMA libsql_vector_search_ef = 128");
-  } catch {
-  }
-  await client.executeMultiple(`
-    CREATE TABLE IF NOT EXISTS memories (
-      id            TEXT PRIMARY KEY,
-      agent_id      TEXT NOT NULL,
-      agent_role    TEXT NOT NULL,
-      session_id    TEXT NOT NULL,
-      timestamp     TEXT NOT NULL,
-      tool_name     TEXT NOT NULL,
-      project_name  TEXT NOT NULL,
-      has_error     INTEGER NOT NULL DEFAULT 0,
-      raw_text      TEXT NOT NULL,
-      vector        F32_BLOB(1024),
-      version       INTEGER NOT NULL DEFAULT 0
-    );
-
-    CREATE INDEX IF NOT EXISTS idx_memories_agent ON memories(agent_id);
-    CREATE INDEX IF NOT EXISTS idx_memories_timestamp ON memories(timestamp);
-    CREATE INDEX IF NOT EXISTS idx_memories_agent_project ON memories(agent_id, project_name);
-  `);
-  await client.executeMultiple(`
-    CREATE VIRTUAL TABLE IF NOT EXISTS memories_fts USING fts5(
-      raw_text,
-      content='memories',
-      content_rowid='rowid'
-    );
-
-    CREATE TRIGGER IF NOT EXISTS memories_fts_ai AFTER INSERT ON memories BEGIN
-      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
-    END;
-
-    CREATE TRIGGER IF NOT EXISTS memories_fts_ad AFTER DELETE ON memories BEGIN
-      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
-    END;
-
-    CREATE TRIGGER IF NOT EXISTS memories_fts_au AFTER UPDATE ON memories BEGIN
-      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
-      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
-    END;
-  `);
-  for (const col of [
-    "ALTER TABLE memories ADD COLUMN task_id TEXT",
-    "ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN author_device_id TEXT",
-    "ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'",
-    "ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5",
-    "ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'",
-    "ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN graph_extracted INTEGER DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN content_hash TEXT",
-    "ALTER TABLE memories ADD COLUMN graph_extracted_hash TEXT",
-    "ALTER TABLE memories ADD COLUMN confidence REAL DEFAULT 0.7",
-    "ALTER TABLE memories ADD COLUMN last_accessed TEXT",
-    // Wiki linkage columns (must match database.ts)
-    "ALTER TABLE memories ADD COLUMN workspace_id TEXT",
-    "ALTER TABLE memories ADD COLUMN document_id TEXT",
-    "ALTER TABLE memories ADD COLUMN user_id TEXT",
-    "ALTER TABLE memories ADD COLUMN char_offset INTEGER",
-    "ALTER TABLE memories ADD COLUMN page_number INTEGER",
-    // Source provenance columns (must match database.ts)
-    "ALTER TABLE memories ADD COLUMN source_path TEXT",
-    "ALTER TABLE memories ADD COLUMN source_type TEXT DEFAULT 'text'",
-    "ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3",
-    "ALTER TABLE memories ADD COLUMN supersedes_id TEXT",
-    // MS-11: draft staging, MS-6a: memory_type, MS-7: trajectory
-    "ALTER TABLE memories ADD COLUMN draft INTEGER DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'",
-    "ALTER TABLE memories ADD COLUMN trajectory TEXT",
-    // Metadata enrichment columns (must match database.ts)
-    "ALTER TABLE memories ADD COLUMN intent TEXT",
-    "ALTER TABLE memories ADD COLUMN outcome TEXT",
-    "ALTER TABLE memories ADD COLUMN domain TEXT",
-    "ALTER TABLE memories ADD COLUMN referenced_entities TEXT",
-    "ALTER TABLE memories ADD COLUMN retrieval_count INTEGER DEFAULT 0",
-    "ALTER TABLE memories ADD COLUMN chain_position TEXT",
-    "ALTER TABLE memories ADD COLUMN review_status TEXT",
-    "ALTER TABLE memories ADD COLUMN context_window_pct INTEGER",
-    "ALTER TABLE memories ADD COLUMN file_paths TEXT",
-    "ALTER TABLE memories ADD COLUMN commit_hash TEXT",
-    "ALTER TABLE memories ADD COLUMN duration_ms INTEGER",
-    "ALTER TABLE memories ADD COLUMN token_cost REAL",
-    "ALTER TABLE memories ADD COLUMN audience TEXT",
-    "ALTER TABLE memories ADD COLUMN language_type TEXT",
-    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT",
-    "ALTER TABLE memories ADD COLUMN deleted_at TEXT"
-  ]) {
-    try {
-      await client.execute(col);
-    } catch {
-    }
-  }
-  for (const idx of [
-    "CREATE INDEX IF NOT EXISTS idx_memories_tier ON memories(tier)",
-    "CREATE INDEX IF NOT EXISTS idx_memories_supersedes ON memories(supersedes_id) WHERE supersedes_id IS NOT NULL",
-    "CREATE INDEX IF NOT EXISTS idx_memories_scoped_content_hash ON memories(content_hash, agent_id, project_name, memory_type) WHERE content_hash IS NOT NULL"
-  ]) {
-    try {
-      await client.execute(idx);
-    } catch {
-    }
-  }
-  try {
-    await client.execute("CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status)");
-  } catch {
-  }
-  for (const idx of [
-    "CREATE INDEX IF NOT EXISTS idx_memories_workspace ON memories(workspace_id)",
-    "CREATE INDEX IF NOT EXISTS idx_memories_document ON memories(document_id)",
-    "CREATE INDEX IF NOT EXISTS idx_memories_user ON memories(user_id)"
-  ]) {
-    try {
-      await client.execute(idx);
-    } catch {
-    }
-  }
-  await client.executeMultiple(`
-    CREATE TABLE IF NOT EXISTS entities (
-      id TEXT PRIMARY KEY,
-      name TEXT NOT NULL,
-      type TEXT NOT NULL,
-      first_seen TEXT NOT NULL,
-      last_seen TEXT NOT NULL,
-      properties TEXT DEFAULT '{}',
-      UNIQUE(name, type)
-    );
-
-    CREATE TABLE IF NOT EXISTS relationships (
-      id TEXT PRIMARY KEY,
-      source_entity_id TEXT NOT NULL,
-      target_entity_id TEXT NOT NULL,
-      type TEXT NOT NULL,
-      weight REAL DEFAULT 1.0,
-      timestamp TEXT NOT NULL,
-      properties TEXT DEFAULT '{}',
-      UNIQUE(source_entity_id, target_entity_id, type)
-    );
-
-    CREATE TABLE IF NOT EXISTS entity_memories (
-      entity_id TEXT NOT NULL,
-      memory_id TEXT NOT NULL,
-      PRIMARY KEY (entity_id, memory_id)
-    );
-
-    CREATE TABLE IF NOT EXISTS relationship_memories (
-      relationship_id TEXT NOT NULL,
-      memory_id TEXT NOT NULL,
-      PRIMARY KEY (relationship_id, memory_id)
-    );
-
-    CREATE INDEX IF NOT EXISTS idx_entities_name ON entities(name);
-    CREATE INDEX IF NOT EXISTS idx_entities_type ON entities(type);
-    CREATE INDEX IF NOT EXISTS idx_relationships_source ON relationships(source_entity_id);
-    CREATE INDEX IF NOT EXISTS idx_relationships_target ON relationships(target_entity_id);
-    CREATE INDEX IF NOT EXISTS idx_relationships_type ON relationships(type);
-
-    CREATE TABLE IF NOT EXISTS hyperedges (
-      id TEXT PRIMARY KEY,
-      label TEXT NOT NULL,
-      relation TEXT NOT NULL,
-      confidence REAL DEFAULT 1.0,
-      timestamp TEXT NOT NULL
-    );
-
-    CREATE TABLE IF NOT EXISTS hyperedge_nodes (
-      hyperedge_id TEXT NOT NULL,
-      entity_id TEXT NOT NULL,
-      PRIMARY KEY (hyperedge_id, entity_id)
-    );
-  `);
-  for (const col of [
-    "ALTER TABLE relationships ADD COLUMN confidence REAL DEFAULT 1.0",
-    "ALTER TABLE relationships ADD COLUMN confidence_label TEXT DEFAULT 'extracted'"
-  ]) {
-    try {
-      await client.execute(col);
-    } catch {
-    }
-  }
-}
-async function getReadyShardClient(projectName) {
-  const safeName = safeShardName(projectName);
-  let client = getShardClient(projectName);
-  try {
-    await ensureShardSchema(client);
-    return client;
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    if (!/SQLITE_NOTADB|file is not a database/i.test(message)) throw err;
-    client.close();
-    _shards.delete(safeName);
-    _shardLastAccess.delete(safeName);
-    const dbPath = path2.join(SHARDS_DIR, `${safeName}.db`);
-    if (existsSync3(dbPath)) {
-      const stat = statSync(dbPath);
-      const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      const archivedPath = path2.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
-      renameSync2(dbPath, archivedPath);
-      process.stderr.write(
-        `[shard-manager] Archived unreadable shard ${safeName}: ${archivedPath} (${stat.size} bytes, mtime ${stat.mtime.toISOString()})
-`
-      );
-    }
-    client = getShardClient(projectName);
-    await ensureShardSchema(client);
-    return client;
-  }
-}
-function evictLRU() {
-  let oldest = null;
-  let oldestTime = Infinity;
-  for (const [name, time] of _shardLastAccess) {
-    if (time < oldestTime) {
-      oldestTime = time;
-      oldest = name;
-    }
-  }
-  if (oldest) {
-    const client = _shards.get(oldest);
-    if (client) {
-      client.close();
-    }
-    _shards.delete(oldest);
-    _shardLastAccess.delete(oldest);
-  }
-}
-function evictIdleShards() {
-  const now = Date.now();
-  const toEvict = [];
-  for (const [name, lastAccess] of _shardLastAccess) {
-    if (now - lastAccess > SHARD_IDLE_MS) {
-      toEvict.push(name);
-    }
-  }
-  for (const name of toEvict) {
-    const client = _shards.get(name);
-    if (client) {
-      client.close();
-    }
-    _shards.delete(name);
-    _shardLastAccess.delete(name);
-  }
-}
-function getOpenShardCount() {
-  return _shards.size;
-}
-function disposeShards() {
-  if (_evictionTimer) {
-    clearInterval(_evictionTimer);
-    _evictionTimer = null;
-  }
-  for (const [, client] of _shards) {
-    client.close();
-  }
-  _shards.clear();
-  _shardLastAccess.clear();
-  _shardingEnabled = false;
-  _encryptionKey = null;
-}
-var SHARDS_DIR, SHARD_IDLE_MS, MAX_OPEN_SHARDS, EVICTION_INTERVAL_MS, _shards, _shardLastAccess, _evictionTimer, _encryptionKey, _shardingEnabled;
-var init_shard_manager = __esm({
-  "src/lib/shard-manager.ts"() {
-    "use strict";
-    init_config();
-    SHARDS_DIR = path2.join(EXE_AI_DIR, "shards");
-    SHARD_IDLE_MS = 5 * 60 * 1e3;
-    MAX_OPEN_SHARDS = 10;
-    EVICTION_INTERVAL_MS = 60 * 1e3;
-    _shards = /* @__PURE__ */ new Map();
-    _shardLastAccess = /* @__PURE__ */ new Map();
-    _evictionTimer = null;
-    _encryptionKey = null;
-    _shardingEnabled = false;
-  }
-});
-
-// src/lib/worker-gate.ts
-var worker_gate_exports = {};
-__export(worker_gate_exports, {
-  MAX_CONCURRENT_WORKERS: () => MAX_CONCURRENT_WORKERS,
-  cleanupWorkerPid: () => cleanupWorkerPid,
-  registerWorkerPid: () => registerWorkerPid,
-  releaseBackfillLock: () => releaseBackfillLock,
-  tryAcquireBackfillLock: () => tryAcquireBackfillLock,
-  tryAcquireWorkerSlot: () => tryAcquireWorkerSlot
-});
-import { readdirSync as readdirSync2, writeFileSync, unlinkSync, mkdirSync as mkdirSync3, existsSync as existsSync4 } from "fs";
-import path3 from "path";
-function tryAcquireWorkerSlot() {
-  try {
-    mkdirSync3(WORKER_PID_DIR, { recursive: true });
-    const reservationId = `res-${process.pid}-${Date.now()}`;
-    const reservationPath = path3.join(WORKER_PID_DIR, `${reservationId}.pid`);
-    writeFileSync(reservationPath, String(process.pid));
-    const files = readdirSync2(WORKER_PID_DIR);
-    let alive = 0;
-    for (const f of files) {
-      if (!f.endsWith(".pid")) continue;
-      if (f.startsWith("res-")) {
-        alive++;
-        continue;
-      }
-      const dashIdx = f.lastIndexOf("-");
-      const pid = parseInt(f.slice(dashIdx + 1).replace(".pid", ""), 10);
-      if (isNaN(pid)) continue;
-      try {
-        process.kill(pid, 0);
-        alive++;
-      } catch {
-        try {
-          unlinkSync(path3.join(WORKER_PID_DIR, f));
-        } catch {
-        }
-      }
-    }
-    if (alive > MAX_CONCURRENT_WORKERS) {
-      try {
-        unlinkSync(reservationPath);
-      } catch {
-      }
-      return false;
-    }
-    try {
-      unlinkSync(reservationPath);
-    } catch {
-    }
-    return true;
-  } catch {
-    return true;
-  }
-}
-function registerWorkerPid(pid) {
-  try {
-    mkdirSync3(WORKER_PID_DIR, { recursive: true });
-    writeFileSync(path3.join(WORKER_PID_DIR, `worker-${pid}.pid`), String(pid));
-  } catch {
-  }
-}
-function cleanupWorkerPid() {
-  try {
-    unlinkSync(path3.join(WORKER_PID_DIR, `worker-${process.pid}.pid`));
-  } catch {
-  }
-}
-function tryAcquireBackfillLock() {
-  try {
-    mkdirSync3(WORKER_PID_DIR, { recursive: true });
-    if (existsSync4(BACKFILL_LOCK)) {
-      try {
-        const pid = parseInt(
-          __require("fs").readFileSync(BACKFILL_LOCK, "utf8").trim(),
-          10
-        );
-        if (!isNaN(pid) && pid > 0) {
-          try {
-            process.kill(pid, 0);
-            return false;
-          } catch {
-          }
-        }
-      } catch {
-      }
-    }
-    writeFileSync(BACKFILL_LOCK, String(process.pid));
-    return true;
-  } catch {
-    return true;
-  }
-}
-function releaseBackfillLock() {
-  try {
-    unlinkSync(BACKFILL_LOCK);
-  } catch {
-  }
-}
-var WORKER_PID_DIR, MAX_CONCURRENT_WORKERS, BACKFILL_LOCK;
-var init_worker_gate = __esm({
-  "src/lib/worker-gate.ts"() {
-    "use strict";
-    init_config();
-    WORKER_PID_DIR = path3.join(EXE_AI_DIR, "worker-pids");
-    MAX_CONCURRENT_WORKERS = 3;
-    BACKFILL_LOCK = path3.join(WORKER_PID_DIR, "backfill.lock");
-  }
-});
-
-// src/lib/db-retry.ts
-function isBusyError(err) {
-  if (err instanceof Error) {
-    const msg = err.message.toLowerCase();
-    return msg.includes("sqlite_busy") || msg.includes("database is locked");
-  }
-  return false;
-}
-function delay(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function retryOnBusy(fn, label) {
-  let lastError;
-  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
-    try {
-      return await fn();
-    } catch (err) {
-      lastError = err;
-      if (!isBusyError(err) || attempt === MAX_RETRIES) {
-        throw err;
-      }
-      const backoff = BASE_DELAY_MS * Math.pow(2, attempt);
-      const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
-      process.stderr.write(
-        `[exe-os] SQLITE_BUSY ${label} retry ${attempt + 1}/${MAX_RETRIES} \u2014 waiting ${backoff + jitter}ms
-`
-      );
-      await delay(backoff + jitter);
-    }
-  }
-  throw lastError;
-}
-function wrapWithRetry(client) {
-  return new Proxy(client, {
-    get(target, prop, receiver) {
-      if (prop === "execute") {
-        return (sql) => retryOnBusy(() => target.execute(sql), "execute");
-      }
-      if (prop === "batch") {
-        return (stmts, mode) => retryOnBusy(() => target.batch(stmts, mode), "batch");
-      }
-      return Reflect.get(target, prop, receiver);
-    }
-  });
-}
-var MAX_RETRIES, BASE_DELAY_MS, MAX_JITTER_MS;
-var init_db_retry = __esm({
-  "src/lib/db-retry.ts"() {
-    "use strict";
-    MAX_RETRIES = 5;
-    BASE_DELAY_MS = 250;
-    MAX_JITTER_MS = 400;
-  }
-});
-
-// src/lib/employees.ts
-import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync5, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync3, unlinkSync as unlinkSync2, writeFileSync as writeFileSync2 } from "fs";
-import { execSync } from "child_process";
-import path4 from "path";
-import os2 from "os";
-function normalizeRole(role) {
-  return (role ?? "").trim().toLowerCase();
-}
-function isCoordinatorRole(role) {
-  return normalizeRole(role) === normalizeRole(COORDINATOR_ROLE);
-}
-function getCoordinatorEmployee(employees) {
-  return employees.find((e) => isCoordinatorRole(e.role));
-}
-function getCoordinatorName(employees = loadEmployeesSync()) {
-  return getCoordinatorEmployee(employees)?.name ?? DEFAULT_COORDINATOR_TEMPLATE_NAME;
-}
-function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync5(employeesPath)) return [];
-  try {
-    return JSON.parse(readFileSync2(employeesPath, "utf-8"));
-  } catch {
-    return [];
-  }
-}
-var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, IDENTITY_DIR;
-var init_employees = __esm({
-  "src/lib/employees.ts"() {
-    "use strict";
-    init_config();
-    EMPLOYEES_PATH = path4.join(EXE_AI_DIR, "exe-employees.json");
-    DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
-    COORDINATOR_ROLE = "COO";
-    IDENTITY_DIR = path4.join(EXE_AI_DIR, "identity");
-  }
-});
-
-// src/lib/database-adapter.ts
-import os3 from "os";
-import path5 from "path";
-import { createRequire } from "module";
-import { pathToFileURL } from "url";
-function quotedIdentifier(identifier) {
-  return `"${identifier.replace(/"/g, '""')}"`;
-}
-function unqualifiedTableName(name) {
-  const raw = name.trim().replace(/^"|"$/g, "");
-  const parts = raw.split(".");
-  return parts[parts.length - 1].replace(/^"|"$/g, "").toLowerCase();
-}
-function stripTrailingSemicolon(sql) {
-  return sql.trim().replace(/;+\s*$/u, "");
-}
-function appendClause(sql, clause) {
-  const trimmed = stripTrailingSemicolon(sql);
-  const returningMatch = /\sRETURNING\b[\s\S]*$/iu.exec(trimmed);
-  if (!returningMatch) {
-    return `${trimmed}${clause}`;
-  }
-  const idx = returningMatch.index;
-  return `${trimmed.slice(0, idx)}${clause}${trimmed.slice(idx)}`;
-}
-function normalizeStatement(stmt) {
-  if (typeof stmt === "string") {
-    return { kind: "positional", sql: stmt, args: [] };
-  }
-  const sql = stmt.sql;
-  if (Array.isArray(stmt.args) || stmt.args === void 0) {
-    return { kind: "positional", sql, args: stmt.args ?? [] };
-  }
-  return { kind: "named", sql, args: stmt.args };
-}
-function rewriteBooleanLiterals(sql) {
-  let out = sql;
-  for (const column of BOOLEAN_COLUMN_NAMES) {
-    const scoped = `((?:\\b[a-z_][a-z0-9_]*\\.)?${column})`;
-    out = out.replace(new RegExp(`${scoped}\\s*=\\s*0\\b`, "giu"), "$1 = FALSE");
-    out = out.replace(new RegExp(`${scoped}\\s*=\\s*1\\b`, "giu"), "$1 = TRUE");
-    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*0\\b`, "giu"), "$1 != FALSE");
-    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*1\\b`, "giu"), "$1 != TRUE");
-    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*0\\b`, "giu"), "$1 <> FALSE");
-    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*1\\b`, "giu"), "$1 <> TRUE");
+function rewriteBooleanLiterals(sql) {
+  let out = sql;
+  for (const column of BOOLEAN_COLUMN_NAMES) {
+    const scoped = `((?:\\b[a-z_][a-z0-9_]*\\.)?${column})`;
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*0\\b`, "giu"), "$1 = FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*1\\b`, "giu"), "$1 = TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*0\\b`, "giu"), "$1 != FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*1\\b`, "giu"), "$1 != TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*0\\b`, "giu"), "$1 <> FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*1\\b`, "giu"), "$1 <> TRUE");
   }
   return out;
 }
@@ -1169,8 +653,8 @@ async function loadPrismaClient() {
         }
         return new PrismaClient2();
       }
-      const exeDbRoot = process.env.EXE_DB_ROOT ?? path5.join(os3.homedir(), "exe-db");
-      const requireFromExeDb = createRequire(path5.join(exeDbRoot, "package.json"));
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path3.join(os3.homedir(), "exe-db");
+      const requireFromExeDb = createRequire(path3.join(exeDbRoot, "package.json"));
       const prismaEntry = requireFromExeDb.resolve("@prisma/client");
       const module = await import(pathToFileURL(prismaEntry).href);
       const PrismaClient = module.PrismaClient ?? module.default?.PrismaClient;
@@ -1440,19 +924,10 @@ var init_database_adapter = __esm({
   }
 });
 
-// src/types/memory.ts
-var EMBEDDING_DIM;
-var init_memory = __esm({
-  "src/types/memory.ts"() {
-    "use strict";
-    EMBEDDING_DIM = 1024;
-  }
-});
-
 // src/lib/daemon-auth.ts
 import crypto from "crypto";
-import path6 from "path";
-import { existsSync as existsSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import path4 from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
 function normalizeToken(token) {
   if (!token) return null;
   const trimmed = token.trim();
@@ -1460,7 +935,7 @@ function normalizeToken(token) {
 }
 function readDaemonToken() {
   try {
-    if (!existsSync6(DAEMON_TOKEN_PATH)) return null;
+    if (!existsSync4(DAEMON_TOKEN_PATH)) return null;
     return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
   } catch {
     return null;
@@ -1471,7 +946,7 @@ function ensureDaemonToken(seed) {
   if (existing) return existing;
   const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
   ensurePrivateDirSync(EXE_AI_DIR);
-  writeFileSync3(DAEMON_TOKEN_PATH, `${token}
+  writeFileSync2(DAEMON_TOKEN_PATH, `${token}
 `, "utf8");
   enforcePrivateFileSync(DAEMON_TOKEN_PATH);
   return token;
@@ -1482,29 +957,18 @@ var init_daemon_auth = __esm({
     "use strict";
     init_config();
     init_secure_files();
-    DAEMON_TOKEN_PATH = path6.join(EXE_AI_DIR, "exed.token");
+    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
   }
 });
 
 // src/lib/exe-daemon-client.ts
-var exe_daemon_client_exports = {};
-__export(exe_daemon_client_exports, {
-  connectEmbedDaemon: () => connectEmbedDaemon,
-  disconnectClient: () => disconnectClient,
-  embedBatchViaClient: () => embedBatchViaClient,
-  embedViaClient: () => embedViaClient,
-  isClientConnected: () => isClientConnected,
-  pingDaemon: () => pingDaemon,
-  sendDaemonRequest: () => sendDaemonRequest,
-  sendIngestRequest: () => sendIngestRequest
-});
 import net from "net";
 import os4 from "os";
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync7, unlinkSync as unlinkSync3, readFileSync as readFileSync4, openSync, closeSync, statSync as statSync2 } from "fs";
-import path7 from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
+import { existsSync as existsSync5, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
+import path5 from "path";
+import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
   if (_buffer.length > MAX_BUFFER) {
@@ -1531,7 +995,7 @@ function handleData(chunk) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync7(PID_PATH)) {
+  if (existsSync5(PID_PATH)) {
     try {
       const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
@@ -1544,21 +1008,21 @@ function cleanupStaleFiles() {
     } catch {
     }
     try {
-      unlinkSync3(PID_PATH);
+      unlinkSync2(PID_PATH);
     } catch {
     }
     try {
-      unlinkSync3(SOCKET_PATH);
+      unlinkSync2(SOCKET_PATH);
     } catch {
     }
   }
 }
 function findPackageRoot() {
-  let dir = path7.dirname(fileURLToPath2(import.meta.url));
-  const { root } = path7.parse(dir);
+  let dir = path5.dirname(fileURLToPath(import.meta.url));
+  const { root } = path5.parse(dir);
   while (dir !== root) {
-    if (existsSync7(path7.join(dir, "package.json"))) return dir;
-    dir = path7.dirname(dir);
+    if (existsSync5(path5.join(dir, "package.json"))) return dir;
+    dir = path5.dirname(dir);
   }
   return null;
 }
@@ -1605,8 +1069,8 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path7.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync7(daemonPath)) {
+  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync5(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
@@ -1615,7 +1079,7 @@ function spawnDaemon() {
   const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path7.join(path7.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -1652,10 +1116,10 @@ function acquireSpawnLock() {
     return true;
   } catch {
     try {
-      const stat = statSync2(SPAWN_LOCK_PATH);
+      const stat = statSync(SPAWN_LOCK_PATH);
       if (Date.now() - stat.mtimeMs > SPAWN_LOCK_STALE_MS) {
         try {
-          unlinkSync3(SPAWN_LOCK_PATH);
+          unlinkSync2(SPAWN_LOCK_PATH);
         } catch {
         }
         try {
@@ -1672,7 +1136,7 @@ function acquireSpawnLock() {
 }
 function releaseSpawnLock() {
   try {
-    unlinkSync3(SPAWN_LOCK_PATH);
+    unlinkSync2(SPAWN_LOCK_PATH);
   } catch {
   }
 }
@@ -1714,223 +1178,60 @@ function connectToSocket() {
     });
   });
 }
-async function connectEmbedDaemon() {
-  if (_socket && _connected) return true;
-  if (await connectToSocket()) return true;
-  if (acquireSpawnLock()) {
-    try {
-      cleanupStaleFiles();
-      spawnDaemon();
-    } finally {
-      releaseSpawnLock();
-    }
-  }
-  const start = Date.now();
-  let delay2 = 100;
-  while (Date.now() - start < CONNECT_TIMEOUT_MS) {
-    await new Promise((r) => setTimeout(r, delay2));
-    if (await connectToSocket()) return true;
-    delay2 = Math.min(delay2 * 2, 3e3);
-  }
-  return false;
-}
-function sendRequest(texts, priority) {
-  return sendDaemonRequest({ texts, priority });
-}
-function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
-  return new Promise((resolve) => {
-    if (!_socket || !_connected) {
-      resolve({ error: "Not connected" });
-      return;
-    }
-    const id = randomUUID();
-    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
-    const timer = setTimeout(() => {
-      _pending.delete(id);
-      resolve({ error: "Request timeout" });
-    }, timeoutMs);
-    _pending.set(id, { resolve, timer });
-    try {
-      _socket.write(JSON.stringify({ id, token, ...payload }) + "\n");
-    } catch {
-      clearTimeout(timer);
-      _pending.delete(id);
-      resolve({ error: "Write failed" });
-    }
-  });
-}
-async function pingDaemon() {
-  if (!_socket || !_connected) return null;
-  const response = await sendDaemonRequest({ type: "health" }, 5e3);
-  if (response.health) {
-    return response.health;
-  }
-  return null;
-}
-function killAndRespawnDaemon() {
-  if (!acquireSpawnLock()) {
-    process.stderr.write("[exed-client] Another process is already restarting daemon \u2014 skipping\n");
-    if (_socket) {
-      _socket.destroy();
-      _socket = null;
-    }
-    _connected = false;
-    _buffer = "";
-    return;
-  }
-  try {
-    process.stderr.write("[exed-client] Killing daemon for restart...\n");
-    if (existsSync7(PID_PATH)) {
-      try {
-        const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
-        if (pid > 0) {
-          try {
-            process.kill(pid, "SIGKILL");
-          } catch {
-          }
-        }
-      } catch {
-      }
-    }
-    if (_socket) {
-      _socket.destroy();
-      _socket = null;
-    }
-    _connected = false;
-    _buffer = "";
-    try {
-      unlinkSync3(PID_PATH);
-    } catch {
-    }
-    try {
-      unlinkSync3(SOCKET_PATH);
-    } catch {
-    }
-    spawnDaemon();
-  } finally {
-    releaseSpawnLock();
-  }
-}
-function isDaemonTooYoung() {
-  try {
-    const stat = statSync2(PID_PATH);
-    return Date.now() - stat.mtimeMs < MIN_DAEMON_AGE_MS;
-  } catch {
-    return false;
-  }
-}
-async function retryThenRestart(doRequest, label) {
-  const result = await doRequest();
-  if (!result.error) {
-    _consecutiveFailures = 0;
-    return result;
-  }
-  _consecutiveFailures++;
-  for (let i = 0; i < MAX_RETRIES_BEFORE_RESTART; i++) {
-    const delayMs = RETRY_DELAYS_MS[i] ?? 5e3;
-    process.stderr.write(`[exed-client] ${label} failed (${result.error}), retry ${i + 1}/${MAX_RETRIES_BEFORE_RESTART} in ${delayMs}ms
-`);
-    await new Promise((r) => setTimeout(r, delayMs));
-    if (!_connected) {
-      if (!await connectToSocket()) continue;
-    }
-    const retry = await doRequest();
-    if (!retry.error) {
-      _consecutiveFailures = 0;
-      return retry;
+async function connectEmbedDaemon() {
+  if (_socket && _connected) return true;
+  if (await connectToSocket()) return true;
+  if (acquireSpawnLock()) {
+    try {
+      cleanupStaleFiles();
+      spawnDaemon();
+    } finally {
+      releaseSpawnLock();
     }
-    _consecutiveFailures++;
-  }
-  if (isDaemonTooYoung()) {
-    process.stderr.write(`[exed-client] ${label}: daemon too young (< ${MIN_DAEMON_AGE_MS / 1e3}s) \u2014 skipping restart
-`);
-    return { error: result.error };
   }
-  process.stderr.write(`[exed-client] ${label}: ${_consecutiveFailures} consecutive failures \u2014 restarting daemon
-`);
-  killAndRespawnDaemon();
   const start = Date.now();
-  let delay2 = 200;
+  let delay2 = 100;
   while (Date.now() - start < CONNECT_TIMEOUT_MS) {
     await new Promise((r) => setTimeout(r, delay2));
-    if (await connectToSocket()) break;
+    if (await connectToSocket()) return true;
     delay2 = Math.min(delay2 * 2, 3e3);
   }
-  if (!_connected) return { error: "Daemon restart failed" };
-  const final = await doRequest();
-  if (!final.error) _consecutiveFailures = 0;
-  return final;
-}
-async function embedViaClient(text, priority = "high") {
-  if (!_connected && !await connectEmbedDaemon()) return null;
-  _requestCount++;
-  if (_requestCount % HEALTH_CHECK_INTERVAL === 0) {
-    const health = await pingDaemon();
-    if (!health && !isDaemonTooYoung()) {
-      process.stderr.write(`[exed-client] Periodic health check failed at request ${_requestCount} \u2014 restarting daemon
-`);
-      killAndRespawnDaemon();
-      const start = Date.now();
-      let d = 200;
-      while (Date.now() - start < CONNECT_TIMEOUT_MS) {
-        await new Promise((r) => setTimeout(r, d));
-        if (await connectToSocket()) break;
-        d = Math.min(d * 2, 3e3);
-      }
-      if (!_connected) return null;
-    }
-  }
-  const result = await retryThenRestart(
-    () => sendRequest([text], priority),
-    "Embed"
-  );
-  return !result.error && result.vectors?.[0] ? result.vectors[0] : null;
-}
-async function embedBatchViaClient(texts, priority = "high") {
-  if (!_connected && !await connectEmbedDaemon()) return null;
-  _requestCount++;
-  const result = await retryThenRestart(
-    () => sendRequest(texts, priority),
-    "Batch embed"
-  );
-  return !result.error && result.vectors ? result.vectors : null;
+  return false;
 }
-function disconnectClient() {
-  if (_socket) {
-    _socket.destroy();
-    _socket = null;
-  }
-  _connected = false;
-  _buffer = "";
-  for (const [id, entry] of _pending) {
-    clearTimeout(entry.timer);
-    _pending.delete(id);
-    entry.resolve({ error: "Client disconnected" });
-  }
+function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
+  return new Promise((resolve) => {
+    if (!_socket || !_connected) {
+      resolve({ error: "Not connected" });
+      return;
+    }
+    const id = randomUUID();
+    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
+    const timer = setTimeout(() => {
+      _pending.delete(id);
+      resolve({ error: "Request timeout" });
+    }, timeoutMs);
+    _pending.set(id, { resolve, timer });
+    try {
+      _socket.write(JSON.stringify({ id, token, ...payload }) + "\n");
+    } catch {
+      clearTimeout(timer);
+      _pending.delete(id);
+      resolve({ error: "Write failed" });
+    }
+  });
 }
 function isClientConnected() {
   return _connected;
 }
-function sendIngestRequest(payload) {
-  if (!_socket || !_connected) return false;
-  try {
-    const id = randomUUID();
-    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
-    _socket.write(JSON.stringify({ id, token, type: "ingest", ...payload }) + "\n");
-    return true;
-  } catch {
-    return false;
-  }
-}
-var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _requestCount, _consecutiveFailures, HEALTH_CHECK_INTERVAL, MAX_RETRIES_BEFORE_RESTART, RETRY_DELAYS_MS, MIN_DAEMON_AGE_MS, _pending, MAX_BUFFER;
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _pending, MAX_BUFFER;
 var init_exe_daemon_client = __esm({
   "src/lib/exe-daemon-client.ts"() {
     "use strict";
     init_config();
     init_daemon_auth();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path7.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path7.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path7.join(EXE_AI_DIR, "exed-spawn.lock");
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
@@ -1938,27 +1239,12 @@ var init_exe_daemon_client = __esm({
     _socket = null;
     _connected = false;
     _buffer = "";
-    _requestCount = 0;
-    _consecutiveFailures = 0;
-    HEALTH_CHECK_INTERVAL = 100;
-    MAX_RETRIES_BEFORE_RESTART = 3;
-    RETRY_DELAYS_MS = [1e3, 3e3, 5e3];
-    MIN_DAEMON_AGE_MS = 3e4;
     _pending = /* @__PURE__ */ new Map();
     MAX_BUFFER = 1e7;
   }
 });
 
 // src/lib/daemon-protocol.ts
-var daemon_protocol_exports = {};
-__export(daemon_protocol_exports, {
-  deserializeArgs: () => deserializeArgs,
-  deserializeResultSet: () => deserializeResultSet,
-  deserializeValue: () => deserializeValue,
-  serializeArgs: () => serializeArgs,
-  serializeResultSet: () => serializeResultSet,
-  serializeValue: () => serializeValue
-});
 function serializeValue(v) {
   if (v === null || v === void 0) return null;
   if (typeof v === "bigint") return Number(v);
@@ -1983,32 +1269,6 @@ function deserializeValue(v) {
   }
   return v;
 }
-function serializeArgs(args) {
-  return args.map(serializeValue);
-}
-function deserializeArgs(args) {
-  return args.map(deserializeValue);
-}
-function serializeResultSet(rs) {
-  const rows = [];
-  for (const row of rs.rows) {
-    const obj = {};
-    for (let i = 0; i < rs.columns.length; i++) {
-      const col = rs.columns[i];
-      if (col !== void 0) {
-        obj[col] = serializeValue(row[i]);
-      }
-    }
-    rows.push(obj);
-  }
-  return {
-    columns: [...rs.columns],
-    columnTypes: [...rs.columnTypes ?? []],
-    rows,
-    rowsAffected: typeof rs.rowsAffected === "bigint" ? Number(rs.rowsAffected) : rs.rowsAffected ?? 0,
-    lastInsertRowid: rs.lastInsertRowid != null ? typeof rs.lastInsertRowid === "bigint" ? Number(rs.lastInsertRowid) : rs.lastInsertRowid : null
-  };
-}
 function deserializeResultSet(srs) {
   const rows = srs.rows.map((obj) => {
     const values = srs.columns.map(
@@ -2198,7 +1458,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
-import { createClient as createClient2 } from "@libsql/client";
+import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
     clearInterval(_walCheckpointTimer);
@@ -2223,7 +1483,7 @@ async function initDatabase(config) {
   if (config.encryptionKey) {
     opts.encryptionKey = config.encryptionKey;
   }
-  _client = createClient2(opts);
+  _client = createClient(opts);
   _resilientClient = wrapWithRetry(_client);
   _adapterClient = _resilientClient;
   _client.execute("PRAGMA busy_timeout = 30000").catch(() => {
@@ -3364,13 +2624,289 @@ async function ensureSchema() {
   } catch {
   }
   try {
-    await client.execute({
-      sql: `ALTER TABLE memories ADD COLUMN trajectory TEXT`,
-      args: []
-    });
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN trajectory TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  for (const col of [
+    "ALTER TABLE memories ADD COLUMN intent TEXT",
+    "ALTER TABLE memories ADD COLUMN outcome TEXT",
+    "ALTER TABLE memories ADD COLUMN domain TEXT",
+    "ALTER TABLE memories ADD COLUMN referenced_entities TEXT",
+    "ALTER TABLE memories ADD COLUMN retrieval_count INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN chain_position TEXT",
+    "ALTER TABLE memories ADD COLUMN review_status TEXT",
+    "ALTER TABLE memories ADD COLUMN context_window_pct INTEGER",
+    "ALTER TABLE memories ADD COLUMN file_paths TEXT",
+    "ALTER TABLE memories ADD COLUMN commit_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN duration_ms INTEGER",
+    "ALTER TABLE memories ADD COLUMN token_cost REAL",
+    "ALTER TABLE memories ADD COLUMN audience TEXT",
+    "ALTER TABLE memories ADD COLUMN language_type TEXT",
+    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
+}
+async function disposeDatabase() {
+  if (_walCheckpointTimer) {
+    clearInterval(_walCheckpointTimer);
+    _walCheckpointTimer = null;
+  }
+  if (_daemonClient) {
+    _daemonClient.close();
+    _daemonClient = null;
+  }
+  if (_adapterClient && _adapterClient !== _resilientClient) {
+    _adapterClient.close();
+  }
+  _adapterClient = null;
+  if (_client) {
+    _client.close();
+    _client = null;
+    _resilientClient = null;
+  }
+}
+var _client, _resilientClient, _walCheckpointTimer, _daemonClient, _adapterClient, initTurso, SOFT_DELETE_RETENTION_DAYS, disposeTurso;
+var init_database = __esm({
+  "src/lib/database.ts"() {
+    "use strict";
+    init_db_retry();
+    init_employees();
+    init_database_adapter();
+    init_memory();
+    _client = null;
+    _resilientClient = null;
+    _walCheckpointTimer = null;
+    _daemonClient = null;
+    _adapterClient = null;
+    initTurso = initDatabase;
+    SOFT_DELETE_RETENTION_DAYS = 7;
+    disposeTurso = disposeDatabase;
+  }
+});
+
+// src/lib/shard-manager.ts
+var shard_manager_exports = {};
+__export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
+  disposeShards: () => disposeShards,
+  ensureShardSchema: () => ensureShardSchema,
+  getOpenShardCount: () => getOpenShardCount,
+  getReadyShardClient: () => getReadyShardClient,
+  getShardClient: () => getShardClient,
+  getShardsDir: () => getShardsDir,
+  initShardManager: () => initShardManager,
+  isShardingEnabled: () => isShardingEnabled,
+  listShards: () => listShards,
+  shardExists: () => shardExists
+});
+import path7 from "path";
+import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync2 } from "fs";
+import { createClient as createClient2 } from "@libsql/client";
+function initShardManager(encryptionKey) {
+  _encryptionKey = encryptionKey;
+  if (!existsSync7(SHARDS_DIR)) {
+    mkdirSync2(SHARDS_DIR, { recursive: true });
+  }
+  _shardingEnabled = true;
+  if (_evictionTimer) clearInterval(_evictionTimer);
+  _evictionTimer = setInterval(evictIdleShards, EVICTION_INTERVAL_MS);
+  _evictionTimer.unref();
+}
+function isShardingEnabled() {
+  return _shardingEnabled;
+}
+function getShardsDir() {
+  return SHARDS_DIR;
+}
+function getShardClient(projectName) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const safeName = safeShardName(projectName);
+  if (!safeName || safeName === "unknown") {
+    throw new Error(`Invalid project name for shard: "${projectName}" (resolved to "${safeName}")`);
+  }
+  const cached = _shards.get(safeName);
+  if (cached) {
+    _shardLastAccess.set(safeName, Date.now());
+    return cached;
+  }
+  while (_shards.size >= MAX_OPEN_SHARDS) {
+    evictLRU();
+  }
+  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
+  const client = createClient2({
+    url: `file:${dbPath}`,
+    encryptionKey: _encryptionKey
+  });
+  _shards.set(safeName, client);
+  _shardLastAccess.set(safeName, Date.now());
+  return client;
+}
+function shardExists(projectName) {
+  const safeName = safeShardName(projectName);
+  return existsSync7(path7.join(SHARDS_DIR, `${safeName}.db`));
+}
+function safeShardName(projectName) {
+  return projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
+}
+function listShards() {
+  if (!existsSync7(SHARDS_DIR)) return [];
+  return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
+}
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync2(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
+async function ensureShardSchema(client) {
+  await client.execute("PRAGMA journal_mode = WAL");
+  await client.execute("PRAGMA busy_timeout = 30000");
+  try {
+    await client.execute("PRAGMA libsql_vector_search_ef = 128");
   } catch {
   }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS memories (
+      id            TEXT PRIMARY KEY,
+      agent_id      TEXT NOT NULL,
+      agent_role    TEXT NOT NULL,
+      session_id    TEXT NOT NULL,
+      timestamp     TEXT NOT NULL,
+      tool_name     TEXT NOT NULL,
+      project_name  TEXT NOT NULL,
+      has_error     INTEGER NOT NULL DEFAULT 0,
+      raw_text      TEXT NOT NULL,
+      vector        F32_BLOB(1024),
+      version       INTEGER NOT NULL DEFAULT 0
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_memories_agent ON memories(agent_id);
+    CREATE INDEX IF NOT EXISTS idx_memories_timestamp ON memories(timestamp);
+    CREATE INDEX IF NOT EXISTS idx_memories_agent_project ON memories(agent_id, project_name);
+  `);
+  await client.executeMultiple(`
+    CREATE VIRTUAL TABLE IF NOT EXISTS memories_fts USING fts5(
+      raw_text,
+      content='memories',
+      content_rowid='rowid'
+    );
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ai AFTER INSERT ON memories BEGIN
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ad AFTER DELETE ON memories BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_au AFTER UPDATE ON memories BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+  `);
   for (const col of [
+    "ALTER TABLE memories ADD COLUMN task_id TEXT",
+    "ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN author_device_id TEXT",
+    "ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'",
+    "ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5",
+    "ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'",
+    "ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN graph_extracted INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN content_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN graph_extracted_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN confidence REAL DEFAULT 0.7",
+    "ALTER TABLE memories ADD COLUMN last_accessed TEXT",
+    // Wiki linkage columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN workspace_id TEXT",
+    "ALTER TABLE memories ADD COLUMN document_id TEXT",
+    "ALTER TABLE memories ADD COLUMN user_id TEXT",
+    "ALTER TABLE memories ADD COLUMN char_offset INTEGER",
+    "ALTER TABLE memories ADD COLUMN page_number INTEGER",
+    // Source provenance columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN source_path TEXT",
+    "ALTER TABLE memories ADD COLUMN source_type TEXT DEFAULT 'text'",
+    "ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3",
+    "ALTER TABLE memories ADD COLUMN supersedes_id TEXT",
+    // MS-11: draft staging, MS-6a: memory_type, MS-7: trajectory
+    "ALTER TABLE memories ADD COLUMN draft INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'",
+    "ALTER TABLE memories ADD COLUMN trajectory TEXT",
+    // Metadata enrichment columns (must match database.ts)
     "ALTER TABLE memories ADD COLUMN intent TEXT",
     "ALTER TABLE memories ADD COLUMN outcome TEXT",
     "ALTER TABLE memories ADD COLUMN domain TEXT",
@@ -3385,528 +2921,195 @@ async function ensureSchema() {
     "ALTER TABLE memories ADD COLUMN token_cost REAL",
     "ALTER TABLE memories ADD COLUMN audience TEXT",
     "ALTER TABLE memories ADD COLUMN language_type TEXT",
-    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT"
-  ]) {
-    try {
-      await client.execute(col);
-    } catch {
-    }
-  }
-  try {
-    await client.execute({
-      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
-      args: []
-    });
-  } catch {
-  }
-}
-async function disposeDatabase() {
-  if (_walCheckpointTimer) {
-    clearInterval(_walCheckpointTimer);
-    _walCheckpointTimer = null;
-  }
-  if (_daemonClient) {
-    _daemonClient.close();
-    _daemonClient = null;
-  }
-  if (_adapterClient && _adapterClient !== _resilientClient) {
-    _adapterClient.close();
-  }
-  _adapterClient = null;
-  if (_client) {
-    _client.close();
-    _client = null;
-    _resilientClient = null;
-  }
-}
-var _client, _resilientClient, _walCheckpointTimer, _daemonClient, _adapterClient, initTurso, SOFT_DELETE_RETENTION_DAYS, disposeTurso;
-var init_database = __esm({
-  "src/lib/database.ts"() {
-    "use strict";
-    init_db_retry();
-    init_employees();
-    init_database_adapter();
-    init_memory();
-    _client = null;
-    _resilientClient = null;
-    _walCheckpointTimer = null;
-    _daemonClient = null;
-    _adapterClient = null;
-    initTurso = initDatabase;
-    SOFT_DELETE_RETENTION_DAYS = 7;
-    disposeTurso = disposeDatabase;
-  }
-});
-
-// src/lib/keychain.ts
-import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync8 } from "fs";
-import { execSync as execSync2 } from "child_process";
-import path8 from "path";
-import os5 from "os";
-function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path8.join(os5.homedir(), ".exe-os");
-}
-function getKeyPath() {
-  return path8.join(getKeyDir(), "master.key");
-}
-function macKeychainGet() {
-  if (process.platform !== "darwin") return null;
-  try {
-    return execSync2(
-      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
-      { encoding: "utf-8", timeout: 5e3 }
-    ).trim();
-  } catch {
-    return null;
-  }
-}
-function macKeychainSet(value) {
-  if (process.platform !== "darwin") return false;
-  try {
-    try {
-      execSync2(
-        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
-        { timeout: 5e3 }
-      );
-    } catch {
-    }
-    execSync2(
-      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
-      { timeout: 5e3 }
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-function linuxSecretGet() {
-  if (process.platform !== "linux") return null;
-  try {
-    return execSync2(
-      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
-      { encoding: "utf-8", timeout: 5e3 }
-    ).trim();
-  } catch {
-    return null;
-  }
-}
-function linuxSecretSet(value) {
-  if (process.platform !== "linux") return false;
-  try {
-    execSync2(
-      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
-      { timeout: 5e3 }
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function tryKeytar() {
-  try {
-    return await import("keytar");
-  } catch {
-    return null;
-  }
-}
-function deriveMachineKey() {
-  try {
-    const crypto2 = __require("crypto");
-    const material = [
-      os5.hostname(),
-      os5.userInfo().username,
-      os5.arch(),
-      os5.platform(),
-      // Machine ID on Linux (stable across reboots)
-      process.platform === "linux" ? readMachineId() : ""
-    ].join("|");
-    return crypto2.createHash("sha256").update(material).digest();
-  } catch {
-    return null;
-  }
-}
-function readMachineId() {
-  try {
-    const { readFileSync: readFileSync6 } = __require("fs");
-    return readFileSync6("/etc/machine-id", "utf-8").trim();
-  } catch {
-    return "";
-  }
-}
-function encryptWithMachineKey(plaintext, machineKey) {
-  const crypto2 = __require("crypto");
-  const iv = crypto2.randomBytes(12);
-  const cipher = crypto2.createCipheriv("aes-256-gcm", machineKey, iv);
-  let encrypted = cipher.update(plaintext, "utf-8", "base64");
-  encrypted += cipher.final("base64");
-  const authTag = cipher.getAuthTag().toString("base64");
-  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
-}
-function decryptWithMachineKey(encrypted, machineKey) {
-  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
-  try {
-    const crypto2 = __require("crypto");
-    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
-    if (parts.length !== 3) return null;
-    const [ivB64, tagB64, cipherB64] = parts;
-    const iv = Buffer.from(ivB64, "base64");
-    const authTag = Buffer.from(tagB64, "base64");
-    const decipher = crypto2.createDecipheriv("aes-256-gcm", machineKey, iv);
-    decipher.setAuthTag(authTag);
-    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
-    decrypted += decipher.final("utf-8");
-    return decrypted;
-  } catch {
-    return null;
+    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT",
+    "ALTER TABLE memories ADD COLUMN deleted_at TEXT"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
   }
-}
-async function writeMachineBoundFileFallback(b64) {
-  const dir = getKeyDir();
-  await mkdir3(dir, { recursive: true });
-  const keyPath = getKeyPath();
-  const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile3(keyPath, encrypted + "\n", "utf-8");
-    await chmod2(keyPath, 384);
-    return "encrypted";
+  for (const idx of [
+    "CREATE INDEX IF NOT EXISTS idx_memories_tier ON memories(tier)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_supersedes ON memories(supersedes_id) WHERE supersedes_id IS NOT NULL",
+    "CREATE INDEX IF NOT EXISTS idx_memories_scoped_content_hash ON memories(content_hash, agent_id, project_name, memory_type) WHERE content_hash IS NOT NULL"
+  ]) {
+    try {
+      await client.execute(idx);
+    } catch {
+    }
   }
-  await writeFile3(keyPath, b64 + "\n", "utf-8");
-  await chmod2(keyPath, 384);
-  return "plaintext";
-}
-async function getMasterKey() {
-  const nativeValue = macKeychainGet() ?? linuxSecretGet();
-  if (nativeValue) {
-    return Buffer.from(nativeValue, "base64");
+  try {
+    await client.execute("CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status)");
+  } catch {
   }
-  const keytar = await tryKeytar();
-  if (keytar) {
+  for (const idx of [
+    "CREATE INDEX IF NOT EXISTS idx_memories_workspace ON memories(workspace_id)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_document ON memories(document_id)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_user ON memories(user_id)"
+  ]) {
     try {
-      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (keytarValue) {
-        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
-        if (migrated) {
-          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
-        }
-        return Buffer.from(keytarValue, "base64");
-      }
+      await client.execute(idx);
     } catch {
     }
   }
-  const keyPath = getKeyPath();
-  if (!existsSync8(keyPath)) {
-    process.stderr.write(
-      `[keychain] Key not found at ${keyPath} (HOME=${os5.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
-`
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS entities (
+      id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      type TEXT NOT NULL,
+      first_seen TEXT NOT NULL,
+      last_seen TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(name, type)
     );
-    return null;
+
+    CREATE TABLE IF NOT EXISTS relationships (
+      id TEXT PRIMARY KEY,
+      source_entity_id TEXT NOT NULL,
+      target_entity_id TEXT NOT NULL,
+      type TEXT NOT NULL,
+      weight REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(source_entity_id, target_entity_id, type)
+    );
+
+    CREATE TABLE IF NOT EXISTS entity_memories (
+      entity_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (entity_id, memory_id)
+    );
+
+    CREATE TABLE IF NOT EXISTS relationship_memories (
+      relationship_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (relationship_id, memory_id)
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_entities_name ON entities(name);
+    CREATE INDEX IF NOT EXISTS idx_entities_type ON entities(type);
+    CREATE INDEX IF NOT EXISTS idx_relationships_source ON relationships(source_entity_id);
+    CREATE INDEX IF NOT EXISTS idx_relationships_target ON relationships(target_entity_id);
+    CREATE INDEX IF NOT EXISTS idx_relationships_type ON relationships(type);
+
+    CREATE TABLE IF NOT EXISTS hyperedges (
+      id TEXT PRIMARY KEY,
+      label TEXT NOT NULL,
+      relation TEXT NOT NULL,
+      confidence REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS hyperedge_nodes (
+      hyperedge_id TEXT NOT NULL,
+      entity_id TEXT NOT NULL,
+      PRIMARY KEY (hyperedge_id, entity_id)
+    );
+  `);
+  for (const col of [
+    "ALTER TABLE relationships ADD COLUMN confidence REAL DEFAULT 1.0",
+    "ALTER TABLE relationships ADD COLUMN confidence_label TEXT DEFAULT 'extracted'"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
   }
+}
+async function getReadyShardClient(projectName) {
+  const safeName = safeShardName(projectName);
+  let client = getShardClient(projectName);
   try {
-    const content = (await readFile3(keyPath, "utf-8")).trim();
-    let b64Value;
-    if (content.startsWith(ENCRYPTED_PREFIX)) {
-      const machineKey = deriveMachineKey();
-      if (!machineKey) {
-        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
-        return null;
-      }
-      const decrypted = decryptWithMachineKey(content, machineKey);
-      if (!decrypted) {
-        process.stderr.write(
-          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
-        );
-        return null;
-      }
-      b64Value = decrypted;
-    } else {
-      b64Value = content;
-    }
-    const key = Buffer.from(b64Value, "base64");
-    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
-    if (migrated) {
-      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
-      try {
-        await unlink(keyPath);
-        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
-      } catch {
-      }
-    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
-      const fallback = await writeMachineBoundFileFallback(b64Value);
-      if (fallback === "encrypted") {
-        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
-      } else {
-        process.stderr.write(
-          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
-        );
-      }
-    }
-    return key;
+    await ensureShardSchema(client);
+    return client;
   } catch (err) {
-    process.stderr.write(
-      `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
+    const message = err instanceof Error ? err.message : String(err);
+    if (!/SQLITE_NOTADB|file is not a database/i.test(message)) throw err;
+    client.close();
+    _shards.delete(safeName);
+    _shardLastAccess.delete(safeName);
+    const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
+    if (existsSync7(dbPath)) {
+      const stat = statSync2(dbPath);
+      const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+      const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
+      renameSync3(dbPath, archivedPath);
+      process.stderr.write(
+        `[shard-manager] Archived unreadable shard ${safeName}: ${archivedPath} (${stat.size} bytes, mtime ${stat.mtime.toISOString()})
 `
-    );
-    return null;
+      );
+    }
+    client = getShardClient(projectName);
+    await ensureShardSchema(client);
+    return client;
   }
 }
-var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
-var init_keychain = __esm({
-  "src/lib/keychain.ts"() {
-    "use strict";
-    SERVICE = "exe-mem";
-    ACCOUNT = "master-key";
-    ENCRYPTED_PREFIX = "enc:";
-  }
-});
-
-// src/lib/state-bus.ts
-var StateBus, orgBus;
-var init_state_bus = __esm({
-  "src/lib/state-bus.ts"() {
-    "use strict";
-    StateBus = class {
-      handlers = /* @__PURE__ */ new Map();
-      globalHandlers = /* @__PURE__ */ new Set();
-      /** Emit an event to all subscribers */
-      emit(event) {
-        const typeHandlers = this.handlers.get(event.type);
-        if (typeHandlers) {
-          for (const handler of typeHandlers) {
-            try {
-              handler(event);
-            } catch {
-            }
-          }
-        }
-        for (const handler of this.globalHandlers) {
-          try {
-            handler(event);
-          } catch {
-          }
-        }
-      }
-      /** Subscribe to a specific event type */
-      on(type, handler) {
-        if (!this.handlers.has(type)) {
-          this.handlers.set(type, /* @__PURE__ */ new Set());
-        }
-        this.handlers.get(type).add(handler);
-      }
-      /** Subscribe to ALL events */
-      onAny(handler) {
-        this.globalHandlers.add(handler);
-      }
-      /** Unsubscribe from a specific event type */
-      off(type, handler) {
-        this.handlers.get(type)?.delete(handler);
-      }
-      /** Unsubscribe from ALL events */
-      offAny(handler) {
-        this.globalHandlers.delete(handler);
-      }
-      /** Remove all listeners */
-      clear() {
-        this.handlers.clear();
-        this.globalHandlers.clear();
-      }
-    };
-    orgBus = new StateBus();
+function evictLRU() {
+  let oldest = null;
+  let oldestTime = Infinity;
+  for (const [name, time] of _shardLastAccess) {
+    if (time < oldestTime) {
+      oldestTime = time;
+      oldest = name;
+    }
   }
-});
-
-// src/lib/memory-write-governor.ts
-import { createHash } from "crypto";
-function normalizeMemoryText(text) {
-  return text.replace(/\r\n/g, "\n").replace(/[ \t]+$/gm, "").replace(/\n{4,}/g, "\n\n\n").trim();
-}
-function classifyMemoryType(input) {
-  if (input.memory_type && input.memory_type.trim()) return input.memory_type.trim();
-  const tool = input.tool_name.toLowerCase();
-  const text = input.raw_text.toLowerCase();
-  if (tool.includes("store_decision") || tool.includes("decision")) return "decision";
-  if (tool.includes("commit") || text.includes("adr-") || text.includes("architectural decision")) return "adr";
-  if (tool.includes("store_behavior") || tool.includes("behavior")) return "behavior";
-  if (tool.includes("global_procedure") || text.includes("organization-wide procedures")) return "procedure";
-  if (tool.includes("checkpoint") || text.startsWith("context checkpoint")) return "checkpoint";
-  if (tool.includes("sessionsummary") || tool.includes("session-summary")) return "summary";
-  if (tool.includes("sessionend") || text.startsWith("session ended")) return "summary";
-  if (tool.includes("send_whatsapp") || tool.includes("conversation")) return "conversation";
-  if (tool === "store_memory" || tool === "manual") return "observation";
-  return "raw";
-}
-function shouldDropMemory(text) {
-  const normalized = normalizeMemoryText(text);
-  if (normalized.length < 10) return { drop: true, reason: "too_short" };
-  if (NOISE_DROP_PATTERNS.some((pattern) => pattern.test(normalized))) {
-    return { drop: true, reason: "known_boilerplate_noise" };
-  }
-  return { drop: false };
-}
-function shouldSkipEmbedding(input) {
-  const type = classifyMemoryType(input);
-  if (HIGH_VALUE_SUPERSESSION_TYPES.has(type)) return false;
-  if (type === "raw" && input.raw_text.length > 2e4) return true;
-  if (SKIP_EMBED_PATTERNS.some((pattern) => pattern.test(input.raw_text))) return true;
-  return false;
-}
-function hashMemoryContent(text) {
-  return createHash("sha256").update(normalizeMemoryText(text)).digest("hex");
-}
-function scopedDedupArgs(input) {
-  return [input.contentHash, input.agentId, input.projectName, input.memoryType];
-}
-function governMemoryRecord(record) {
-  const normalized = normalizeMemoryText(record.raw_text);
-  const memoryType = classifyMemoryType({
-    raw_text: normalized,
-    agent_id: record.agent_id,
-    project_name: record.project_name,
-    tool_name: record.tool_name,
-    memory_type: record.memory_type
-  });
-  const drop = shouldDropMemory(normalized);
-  const skipEmbedding = shouldSkipEmbedding({
-    raw_text: normalized,
-    agent_id: record.agent_id,
-    project_name: record.project_name,
-    tool_name: record.tool_name,
-    memory_type: memoryType
-  });
-  return {
-    record: {
-      ...record,
-      raw_text: normalized,
-      memory_type: memoryType,
-      vector: skipEmbedding ? null : record.vector
-    },
-    contentHash: hashMemoryContent(normalized),
-    shouldDrop: drop.drop,
-    dropReason: drop.reason,
-    skipEmbedding,
-    hygiene: {
-      dedup: true,
-      supersession: HIGH_VALUE_SUPERSESSION_TYPES.has(memoryType)
+  if (oldest) {
+    const client = _shards.get(oldest);
+    if (client) {
+      client.close();
     }
-  };
+    _shards.delete(oldest);
+    _shardLastAccess.delete(oldest);
+  }
 }
-async function findScopedDuplicate(input) {
-  const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-  const client = getClient2();
-  const args = scopedDedupArgs(input);
-  let sql = `SELECT id FROM memories
-             WHERE content_hash = ?
-               AND agent_id = ?
-               AND project_name = ?
-               AND COALESCE(memory_type, 'raw') = ?
-               AND COALESCE(status, 'active') != 'deleted'`;
-  if (input.excludeId) {
-    sql += " AND id != ?";
-    args.push(input.excludeId);
-  }
-  sql += " ORDER BY timestamp DESC LIMIT 1";
-  const result = await client.execute({ sql, args });
-  return result.rows[0]?.id ? String(result.rows[0].id) : null;
-}
-async function runPostWriteMemoryHygiene(memoryId) {
-  try {
-    const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-    const client = getClient2();
-    const current = await client.execute({
-      sql: `SELECT id, agent_id, project_name, memory_type, content_hash, supersedes_id,
-                   importance, timestamp
-            FROM memories
-            WHERE id = ?
-            LIMIT 1`,
-      args: [memoryId]
-    });
-    const row = current.rows[0];
-    if (!row) return;
-    const memoryType = String(row.memory_type ?? "raw");
-    const contentHash = row.content_hash ? String(row.content_hash) : null;
-    const agentId = String(row.agent_id);
-    const projectName = String(row.project_name);
-    if (contentHash) {
-      await client.execute({
-        sql: `UPDATE memories
-              SET status = 'deleted',
-                  outcome = COALESCE(outcome, 'superseded')
-              WHERE id != ?
-                AND content_hash = ?
-                AND agent_id = ?
-                AND project_name = ?
-                AND COALESCE(memory_type, 'raw') = ?
-                AND COALESCE(status, 'active') = 'active'`,
-        args: [memoryId, contentHash, agentId, projectName, memoryType]
-      });
+function evictIdleShards() {
+  const now = Date.now();
+  const toEvict = [];
+  for (const [name, lastAccess] of _shardLastAccess) {
+    if (now - lastAccess > SHARD_IDLE_MS) {
+      toEvict.push(name);
     }
-    const supersedesId = row.supersedes_id ? String(row.supersedes_id) : null;
-    if (supersedesId && HIGH_VALUE_SUPERSESSION_TYPES.has(memoryType)) {
-      const old = await client.execute({
-        sql: `SELECT importance FROM memories WHERE id = ? LIMIT 1`,
-        args: [supersedesId]
-      });
-      const oldImportance = Number(old.rows[0]?.importance ?? 0);
-      const newImportance = Number(row.importance ?? 0);
-      await client.batch([
-        {
-          sql: `UPDATE memories
-                SET status = 'archived',
-                    outcome = COALESCE(outcome, 'superseded')
-                WHERE id = ?`,
-          args: [supersedesId]
-        },
-        {
-          sql: `UPDATE memories
-                SET importance = MAX(COALESCE(importance, 5), ?),
-                    parent_memory_id = COALESCE(parent_memory_id, ?)
-                WHERE id = ?`,
-          args: [Math.max(oldImportance, newImportance), supersedesId, memoryId]
-        }
-      ], "write");
+  }
+  for (const name of toEvict) {
+    const client = _shards.get(name);
+    if (client) {
+      client.close();
     }
-  } catch (err) {
-    process.stderr.write(
-      `[memory-governor] post-write hygiene failed for ${memoryId}: ${err instanceof Error ? err.message : String(err)}
-`
-    );
+    _shards.delete(name);
+    _shardLastAccess.delete(name);
   }
 }
-function schedulePostWriteMemoryHygiene(memoryIds) {
-  if (process.env.EXE_SKIP_MEMORY_HYGIENE === "1") return;
-  if (memoryIds.length === 0) return;
-  const run = () => {
-    void Promise.all(memoryIds.map((id) => runPostWriteMemoryHygiene(id)));
-  };
-  if (typeof setImmediate === "function") setImmediate(run);
-  else setTimeout(run, 0);
+function getOpenShardCount() {
+  return _shards.size;
+}
+function disposeShards() {
+  if (_evictionTimer) {
+    clearInterval(_evictionTimer);
+    _evictionTimer = null;
+  }
+  for (const [, client] of _shards) {
+    client.close();
+  }
+  _shards.clear();
+  _shardLastAccess.clear();
+  _shardingEnabled = false;
+  _encryptionKey = null;
 }
-var HIGH_VALUE_SUPERSESSION_TYPES, NOISE_DROP_PATTERNS, SKIP_EMBED_PATTERNS;
-var init_memory_write_governor = __esm({
-  "src/lib/memory-write-governor.ts"() {
+var SHARDS_DIR, SHARD_IDLE_MS, MAX_OPEN_SHARDS, EVICTION_INTERVAL_MS, _shards, _shardLastAccess, _evictionTimer, _encryptionKey, _shardingEnabled;
+var init_shard_manager = __esm({
+  "src/lib/shard-manager.ts"() {
     "use strict";
-    HIGH_VALUE_SUPERSESSION_TYPES = /* @__PURE__ */ new Set([
-      "decision",
-      "adr",
-      "behavior",
-      "procedure"
-    ]);
-    NOISE_DROP_PATTERNS = [
-      /^\s*\[📋\s+\d+\s+reviews?\s+pending\b/im,
-      /^\s*<system-reminder>[\s\S]*?<\/system-reminder>\s*$/im,
-      /^\s*The UserPromptSubmit hook checks the DB for new tasks/im,
-      /^\s*Intercom is a speedup, not delivery/im,
-      /^\s*Context bar reads as USAGE not remaining/im
-    ];
-    SKIP_EMBED_PATTERNS = [
-      /tmux capture-pane\b/i,
-      /docker ps\b/i,
-      /docker images\b/i,
-      /git status\b/i,
-      /grep .*node_modules/i,
-      /npm (install|ci)\b[\s\S]*(added \d+ packages|audited \d+ packages)/i
-    ];
+    init_config();
+    SHARDS_DIR = path7.join(EXE_AI_DIR, "shards");
+    SHARD_IDLE_MS = 5 * 60 * 1e3;
+    MAX_OPEN_SHARDS = 10;
+    EVICTION_INTERVAL_MS = 60 * 1e3;
+    _shards = /* @__PURE__ */ new Map();
+    _shardLastAccess = /* @__PURE__ */ new Map();
+    _evictionTimer = null;
+    _encryptionKey = null;
+    _shardingEnabled = false;
   }
 });
 
@@ -4165,969 +3368,595 @@ ${p.content}`).join("\n\n");
   }
 });
 
-// src/lib/memory-cards.ts
-var memory_cards_exports = {};
-__export(memory_cards_exports, {
-  extractMemoryCards: () => extractMemoryCards,
-  insertMemoryCardsForBatch: () => insertMemoryCardsForBatch,
-  searchMemoryCards: () => searchMemoryCards
+// src/lib/worker-gate.ts
+var worker_gate_exports = {};
+__export(worker_gate_exports, {
+  MAX_CONCURRENT_WORKERS: () => MAX_CONCURRENT_WORKERS,
+  cleanupWorkerPid: () => cleanupWorkerPid,
+  registerWorkerPid: () => registerWorkerPid,
+  releaseBackfillLock: () => releaseBackfillLock,
+  tryAcquireBackfillLock: () => tryAcquireBackfillLock,
+  tryAcquireWorkerSlot: () => tryAcquireWorkerSlot
 });
-import { createHash as createHash2 } from "crypto";
-function stableId(memoryId, type, content) {
-  return createHash2("sha256").update(`${memoryId}:${type}:${content}`).digest("hex").slice(0, 32);
-}
-function cleanText(text) {
-  return text.replace(/```[\s\S]*?```/g, " ").replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim();
-}
-function splitSentences(text) {
-  return cleanText(text).split(/(?<=[.!?])\s+|\n+/).map((s) => s.trim()).filter((s) => s.length >= 24 && s.length <= MAX_SENTENCE_CHARS);
-}
-function inferCardType(sentence, toolName) {
-  const lower = sentence.toLowerCase();
-  if (toolName === "store_decision" || /\b(decided|decision|adr|approved|rejected)\b/.test(lower)) return "decision";
-  if (/\b(prefers|preference|likes|dislikes|wants|doesn't want|does not want)\b/.test(lower)) return "preference";
-  if (/\b(changed|updated|replaced|now|no longer|instead|supersedes)\b/.test(lower)) return "belief_update";
-  if (toolName && ["Read", "Write", "Edit", "Bash"].includes(toolName)) return "code";
-  if (/\b(meeting|deadline|shipped|launched|completed|failed|blocked|assigned|created)\b/.test(lower)) return "event";
-  return "fact";
-}
-function extractSubject(sentence, agentId) {
-  const explicit = sentence.match(/\b([A-Z][a-zA-Z0-9_-]{2,}(?:\s+[A-Z][a-zA-Z0-9_-]{2,})?)\b/);
-  return explicit?.[1] ?? agentId;
-}
-function predicateFor(type) {
-  switch (type) {
-    case "preference":
-      return "prefers";
-    case "belief_update":
-      return "updated";
-    case "decision":
-      return "decided";
-    case "event":
-      return "happened";
-    case "code":
-      return "implemented";
-    default:
-      return "states";
-  }
-}
-function extractMemoryCards(row) {
-  const sentences = splitSentences(row.raw_text);
-  const cards = [];
-  for (const sentence of sentences) {
-    const type = inferCardType(sentence, row.tool_name);
-    const subject = extractSubject(sentence, row.agent_id);
-    const content = sentence.length > MAX_SENTENCE_CHARS ? `${sentence.slice(0, MAX_SENTENCE_CHARS - 1)}\u2026` : sentence;
-    cards.push({
-      id: stableId(row.id, type, content),
-      memory_id: row.id,
-      agent_id: row.agent_id,
-      session_id: row.session_id,
-      project_name: row.project_name ?? null,
-      timestamp: row.timestamp,
-      card_type: type,
-      subject,
-      predicate: predicateFor(type),
-      object: content,
-      content,
-      source_ref: row.id,
-      confidence: type === "fact" ? 0.55 : 0.65
-    });
-    if (cards.length >= MAX_CARDS_PER_MEMORY) break;
+import { readdirSync as readdirSync2, writeFileSync as writeFileSync3, unlinkSync as unlinkSync3, mkdirSync as mkdirSync3, existsSync as existsSync8 } from "fs";
+import path8 from "path";
+function tryAcquireWorkerSlot() {
+  try {
+    mkdirSync3(WORKER_PID_DIR, { recursive: true });
+    const reservationId = `res-${process.pid}-${Date.now()}`;
+    const reservationPath = path8.join(WORKER_PID_DIR, `${reservationId}.pid`);
+    writeFileSync3(reservationPath, String(process.pid));
+    const files = readdirSync2(WORKER_PID_DIR);
+    let alive = 0;
+    for (const f of files) {
+      if (!f.endsWith(".pid")) continue;
+      if (f.startsWith("res-")) {
+        alive++;
+        continue;
+      }
+      const dashIdx = f.lastIndexOf("-");
+      const pid = parseInt(f.slice(dashIdx + 1).replace(".pid", ""), 10);
+      if (isNaN(pid)) continue;
+      try {
+        process.kill(pid, 0);
+        alive++;
+      } catch {
+        try {
+          unlinkSync3(path8.join(WORKER_PID_DIR, f));
+        } catch {
+        }
+      }
+    }
+    if (alive > MAX_CONCURRENT_WORKERS) {
+      try {
+        unlinkSync3(reservationPath);
+      } catch {
+      }
+      return false;
+    }
+    try {
+      unlinkSync3(reservationPath);
+    } catch {
+    }
+    return true;
+  } catch {
+    return true;
   }
-  return cards;
 }
-async function insertMemoryCardsForBatch(rows) {
-  const cards = rows.flatMap(extractMemoryCards);
-  if (cards.length === 0) return 0;
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const client = getClient();
-  const stmts = cards.map((card) => ({
-    sql: `INSERT OR IGNORE INTO memory_cards
-          (id, memory_id, agent_id, session_id, project_name, timestamp, card_type,
-           subject, predicate, object, content, source_ref, confidence, active, created_at)
-          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 1, ?)`,
-    args: [
-      card.id,
-      card.memory_id,
-      card.agent_id,
-      card.session_id,
-      card.project_name,
-      card.timestamp,
-      card.card_type,
-      card.subject,
-      card.predicate,
-      card.object,
-      card.content,
-      card.source_ref,
-      card.confidence,
-      now
-    ]
-  }));
-  await client.batch(stmts, "write");
-  return cards.length;
-}
-function buildMatchExpr(queryText) {
-  const terms = queryText.toLowerCase().split(/\s+/).filter((t) => t.length >= 3).map((t) => t.replace(/[^a-z0-9_]/g, "")).filter((t) => t.length >= 3).slice(0, 12);
-  if (terms.length === 0) return null;
-  return terms.map((t) => `${t}*`).join(terms.length >= 3 ? " AND " : " OR ");
-}
-async function searchMemoryCards(queryText, agentId, options) {
-  const limit = options?.limit ?? 10;
-  const matchExpr = buildMatchExpr(queryText);
-  if (!matchExpr) return [];
-  let sql = `SELECT c.id, c.memory_id, c.agent_id, c.session_id, c.project_name,
-                    c.timestamp, c.card_type, c.content, c.source_ref, c.confidence
-             FROM memory_cards c
-             JOIN memory_cards_fts fts ON c.rowid = fts.rowid
-             WHERE memory_cards_fts MATCH ?
-               AND c.agent_id = ?
-               AND COALESCE(c.active, 1) = 1`;
-  const args = [matchExpr, agentId];
-  if (options?.projectName) {
-    sql += ` AND c.project_name = ?`;
-    args.push(options.projectName);
-  }
-  if (options?.since) {
-    sql += ` AND c.timestamp >= ?`;
-    args.push(options.since);
-  }
-  sql += ` ORDER BY rank LIMIT ?`;
-  args.push(limit);
-  const result = await getClient().execute({ sql, args });
-  return result.rows.map((row) => ({
-    id: `card:${String(row.id)}`,
-    agent_id: String(row.agent_id),
-    agent_role: "memory_card",
-    session_id: String(row.session_id),
-    timestamp: String(row.timestamp),
-    tool_name: `memory_card:${String(row.card_type)}`,
-    project_name: row.project_name == null ? "" : String(row.project_name),
-    has_error: false,
-    raw_text: `[${String(row.card_type)}] ${String(row.content)}
-Source memory: ${String(row.source_ref ?? row.memory_id)}`,
-    vector: [],
-    importance: 6,
-    status: "active",
-    confidence: Number(row.confidence ?? 0.6),
-    last_accessed: String(row.timestamp)
-  }));
+function registerWorkerPid(pid) {
+  try {
+    mkdirSync3(WORKER_PID_DIR, { recursive: true });
+    writeFileSync3(path8.join(WORKER_PID_DIR, `worker-${pid}.pid`), String(pid));
+  } catch {
+  }
+}
+function cleanupWorkerPid() {
+  try {
+    unlinkSync3(path8.join(WORKER_PID_DIR, `worker-${process.pid}.pid`));
+  } catch {
+  }
+}
+function tryAcquireBackfillLock() {
+  try {
+    mkdirSync3(WORKER_PID_DIR, { recursive: true });
+    if (existsSync8(BACKFILL_LOCK)) {
+      try {
+        const pid = parseInt(
+          __require("fs").readFileSync(BACKFILL_LOCK, "utf8").trim(),
+          10
+        );
+        if (!isNaN(pid) && pid > 0) {
+          try {
+            process.kill(pid, 0);
+            return false;
+          } catch {
+          }
+        }
+      } catch {
+      }
+    }
+    writeFileSync3(BACKFILL_LOCK, String(process.pid));
+    return true;
+  } catch {
+    return true;
+  }
+}
+function releaseBackfillLock() {
+  try {
+    unlinkSync3(BACKFILL_LOCK);
+  } catch {
+  }
 }
-var MAX_CARDS_PER_MEMORY, MAX_SENTENCE_CHARS;
-var init_memory_cards = __esm({
-  "src/lib/memory-cards.ts"() {
+var WORKER_PID_DIR, MAX_CONCURRENT_WORKERS, BACKFILL_LOCK;
+var init_worker_gate = __esm({
+  "src/lib/worker-gate.ts"() {
     "use strict";
-    init_database();
-    MAX_CARDS_PER_MEMORY = 6;
-    MAX_SENTENCE_CHARS = 360;
+    init_config();
+    WORKER_PID_DIR = path8.join(EXE_AI_DIR, "worker-pids");
+    MAX_CONCURRENT_WORKERS = 3;
+    BACKFILL_LOCK = path8.join(WORKER_PID_DIR, "backfill.lock");
   }
 });
 
-// src/lib/store.ts
-var store_exports = {};
-__export(store_exports, {
-  attachDocumentMetadata: () => attachDocumentMetadata,
-  buildRawVisibilityFilter: () => buildRawVisibilityFilter,
-  buildWikiScopeFilter: () => buildWikiScopeFilter,
-  classifyTier: () => classifyTier,
-  disposeStore: () => disposeStore,
-  flushBatch: () => flushBatch,
-  flushTier3: () => flushTier3,
-  getMemoryCardinality: () => getMemoryCardinality,
-  initStore: () => initStore,
-  reserveVersions: () => reserveVersions,
-  searchMemories: () => searchMemories,
-  updateMemoryStatus: () => updateMemoryStatus,
-  vectorToBlob: () => vectorToBlob,
-  writeMemory: () => writeMemory
+// src/lib/db-backup.ts
+var db_backup_exports = {};
+__export(db_backup_exports, {
+  createBackup: () => createBackup,
+  findActiveDb: () => findActiveDb,
+  getBackupDir: () => getBackupDir,
+  getLatestBackup: () => getLatestBackup,
+  hasBackupToday: () => hasBackupToday,
+  listBackups: () => listBackups,
+  rotateBackups: () => rotateBackups
 });
-function isBusyError2(err) {
-  if (err instanceof Error) {
-    const msg = err.message.toLowerCase();
-    return msg.includes("sqlite_busy") || msg.includes("database is locked");
+import { copyFileSync, existsSync as existsSync9, mkdirSync as mkdirSync4, readdirSync as readdirSync3, unlinkSync as unlinkSync4, statSync as statSync3 } from "fs";
+import path9 from "path";
+function findActiveDb() {
+  for (const name of DB_NAMES) {
+    const p = path9.join(EXE_AI_DIR, name);
+    if (existsSync9(p)) return p;
   }
-  return false;
+  return null;
 }
-async function retryOnBusy2(fn, label) {
-  for (let attempt = 0; attempt <= INIT_MAX_RETRIES; attempt++) {
+function createBackup(reason = "manual") {
+  const dbPath = findActiveDb();
+  if (!dbPath) return null;
+  mkdirSync4(BACKUP_DIR, { recursive: true });
+  const dbName = path9.basename(dbPath, ".db");
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
+  const backupName = `${dbName}-${reason}-${timestamp}.db`;
+  const backupPath = path9.join(BACKUP_DIR, backupName);
+  copyFileSync(dbPath, backupPath);
+  const walPath = dbPath + "-wal";
+  if (existsSync9(walPath)) {
     try {
-      return await fn();
-    } catch (err) {
-      if (!isBusyError2(err) || attempt === INIT_MAX_RETRIES) throw err;
-      process.stderr.write(
-        `[store] SQLITE_BUSY during ${label}, retry ${attempt + 1}/${INIT_MAX_RETRIES}
-`
-      );
-      await new Promise((r) => setTimeout(r, INIT_RETRY_DELAY_MS * (attempt + 1)));
+      copyFileSync(walPath, backupPath + "-wal");
+    } catch {
     }
   }
-  throw new Error("unreachable");
-}
-async function initStore(options) {
-  if (_flushTimer !== null) {
-    clearInterval(_flushTimer);
-    _flushTimer = null;
-  }
-  _pendingRecords = [];
-  _flushing = false;
-  _batchSize = options?.batchSize ?? 20;
-  _flushIntervalMs = options?.flushIntervalMs ?? 1e4;
-  let dbPath = options?.dbPath;
-  if (!dbPath) {
-    const config = await loadConfig();
-    dbPath = config.dbPath;
+  const shmPath = dbPath + "-shm";
+  if (existsSync9(shmPath)) {
+    try {
+      copyFileSync(shmPath, backupPath + "-shm");
+    } catch {
+    }
   }
-  let masterKey = options?.masterKey ?? null;
-  if (!masterKey) {
-    masterKey = await getMasterKey();
-    if (!masterKey) {
-      throw new Error(
-        "No encryption key found. Run /exe-setup to generate one."
-      );
+  return backupPath;
+}
+function rotateBackups(keepDays = DEFAULT_KEEP_DAYS) {
+  if (!existsSync9(BACKUP_DIR)) return 0;
+  const cutoff = Date.now() - keepDays * 24 * 60 * 60 * 1e3;
+  let deleted = 0;
+  try {
+    const files = readdirSync3(BACKUP_DIR);
+    for (const file of files) {
+      if (!file.endsWith(".db") && !file.endsWith(".db-wal") && !file.endsWith(".db-shm")) continue;
+      const filePath = path9.join(BACKUP_DIR, file);
+      try {
+        const stat = statSync3(filePath);
+        if (stat.mtimeMs < cutoff) {
+          unlinkSync4(filePath);
+          deleted++;
+        }
+      } catch {
+      }
     }
+  } catch {
   }
-  const hexKey = masterKey.toString("hex");
-  await initTurso({
-    dbPath,
-    encryptionKey: hexKey
-  });
-  await retryOnBusy2(() => ensureSchema(), "ensureSchema");
+  return deleted;
+}
+function listBackups() {
+  if (!existsSync9(BACKUP_DIR)) return [];
+  try {
+    const files = readdirSync3(BACKUP_DIR).filter((f) => f.endsWith(".db") && !f.endsWith("-wal") && !f.endsWith("-shm"));
+    return files.map((name) => {
+      const p = path9.join(BACKUP_DIR, name);
+      const stat = statSync3(p);
+      return { path: p, name, size: stat.size, date: stat.mtime };
+    }).sort((a, b) => b.date.getTime() - a.date.getTime());
+  } catch {
+    return [];
+  }
+}
+function hasBackupToday(reason) {
+  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  const backups = listBackups();
+  return backups.some((b) => b.name.includes(reason) && b.name.includes(today.replace(/-/g, "-")));
+}
+function getLatestBackup() {
+  const backups = listBackups();
+  return backups.length > 0 ? backups[0].path : null;
+}
+function getBackupDir() {
+  return BACKUP_DIR;
+}
+var BACKUP_DIR, DEFAULT_KEEP_DAYS, DB_NAMES;
+var init_db_backup = __esm({
+  "src/lib/db-backup.ts"() {
+    "use strict";
+    init_config();
+    BACKUP_DIR = path9.join(EXE_AI_DIR, "backups");
+    DEFAULT_KEEP_DAYS = 3;
+    DB_NAMES = ["memories.db", "exe-mem.db", "exe-os.db", "exe.db"];
+  }
+});
+
+// src/bin/exe-doctor.ts
+import os6 from "os";
+
+// src/lib/store.ts
+init_memory();
+init_database();
+
+// src/lib/keychain.ts
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { existsSync as existsSync6 } from "fs";
+import { execSync as execSync2 } from "child_process";
+import path6 from "path";
+import os5 from "os";
+var SERVICE = "exe-mem";
+var ACCOUNT = "master-key";
+function getKeyDir() {
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path6.join(os5.homedir(), ".exe-os");
+}
+function getKeyPath() {
+  return path6.join(getKeyDir(), "master.key");
+}
+function macKeychainGet() {
+  if (process.platform !== "darwin") return null;
   try {
-    const { initDaemonClient: initDaemonClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-    await initDaemonClient2();
+    return execSync2(
+      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
   } catch {
+    return null;
   }
-  if (!options?.lightweight) {
+}
+function macKeychainSet(value) {
+  if (process.platform !== "darwin") return false;
+  try {
     try {
-      const { initShardManager: initShardManager2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
-      initShardManager2(hexKey);
+      execSync2(
+        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
     } catch {
     }
-    const client = getClient();
-    const vResult = await retryOnBusy2(
-      () => client.execute("SELECT MAX(version) as max_v FROM memories"),
-      "version-query"
+    execSync2(
+      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
     );
-    _nextVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
-    try {
-      const { loadGlobalProcedures: loadGlobalProcedures2 } = await Promise.resolve().then(() => (init_global_procedures(), global_procedures_exports));
-      await loadGlobalProcedures2();
-    } catch {
-    }
+    return true;
+  } catch {
+    return false;
   }
 }
-function classifyTier(record) {
-  if (record.tool_name === "commit_to_long_term_memory" && (record.importance ?? 0) >= 8) return 1;
-  if (["store_memory", "manual"].includes(record.tool_name ?? "") && (record.importance ?? 0) >= 5) return 2;
-  return 3;
-}
-function inferFilePaths(record) {
-  if (!["Read", "Write", "Edit"].includes(record.tool_name)) return null;
-  const firstLine = record.raw_text.split("\n")[0] ?? "";
-  const match = firstLine.match(/(\/[\w./-]+\.\w+)/);
-  return match ? JSON.stringify([match[1]]) : null;
-}
-function inferCommitHash(record) {
-  if (record.tool_name !== "Bash") return null;
-  const match = record.raw_text.match(/\b([a-f0-9]{7,40})\b/);
-  return match ? match[1] : null;
-}
-function inferLanguageType(record) {
-  const text = record.raw_text;
-  if (!text || text.length < 10) return null;
-  const trimmed = text.trimStart();
-  if (trimmed.startsWith("{") || trimmed.startsWith("[")) return "json";
-  if (/\b(SELECT|INSERT|UPDATE|DELETE|CREATE TABLE|ALTER TABLE)\b/i.test(text)) return "sql";
-  if (/\b(function |const |import |export |class |def |async |=>)\b/.test(text)) return "code";
-  if (trimmed.startsWith("#") || trimmed.startsWith("*")) return "prose";
-  return "mixed";
-}
-function inferDomain(record) {
-  const proj = (record.project_name ?? "").toLowerCase();
-  if (proj.includes("marketing") || proj.includes("content")) return "marketing";
-  if (proj.includes("crm") || proj.includes("customer")) return "customer";
-  return null;
+function linuxSecretGet() {
+  if (process.platform !== "linux") return null;
+  try {
+    return execSync2(
+      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
 }
-async function writeMemory(record) {
-  if (record.vector !== null && record.vector.length !== EMBEDDING_DIM) {
-    throw new Error(
-      `Expected ${EMBEDDING_DIM}-dim vector, got ${record.vector.length}`
+function linuxSecretSet(value) {
+  if (process.platform !== "linux") return false;
+  try {
+    execSync2(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      { timeout: 5e3 }
     );
+    return true;
+  } catch {
+    return false;
   }
-  const governed = governMemoryRecord(record);
-  if (governed.shouldDrop) return;
-  record = governed.record;
-  const contentHash = governed.contentHash;
-  const memoryType = record.memory_type ?? "raw";
-  if (_pendingRecords.some(
-    (r) => r.content_hash === contentHash && r.agent_id === record.agent_id && r.project_name === record.project_name && (r.memory_type ?? "raw") === memoryType
-  )) {
-    return;
-  }
+}
+async function tryKeytar() {
   try {
-    const existing = await findScopedDuplicate({
-      contentHash,
-      agentId: record.agent_id,
-      projectName: record.project_name,
-      memoryType
-    });
-    if (existing) return;
+    return await import("keytar");
   } catch {
+    return null;
   }
-  const dbRow = {
-    id: record.id,
-    agent_id: record.agent_id,
-    agent_role: record.agent_role,
-    session_id: record.session_id,
-    timestamp: record.timestamp,
-    tool_name: record.tool_name,
-    project_name: record.project_name,
-    has_error: record.has_error ? 1 : 0,
-    raw_text: record.raw_text,
-    vector: record.vector,
-    version: 0,
-    // Placeholder — assigned atomically at flush time
-    task_id: record.task_id ?? null,
-    importance: record.importance ?? 5,
-    status: record.status ?? "active",
-    confidence: record.confidence ?? 0.7,
-    last_accessed: record.last_accessed ?? record.timestamp,
-    workspace_id: record.workspace_id ?? null,
-    document_id: record.document_id ?? null,
-    user_id: record.user_id ?? null,
-    char_offset: record.char_offset ?? null,
-    page_number: record.page_number ?? null,
-    source_path: record.source_path ?? null,
-    source_type: record.source_type ?? null,
-    tier: record.tier ?? classifyTier(record),
-    supersedes_id: record.supersedes_id ?? null,
-    draft: record.draft ? 1 : 0,
-    memory_type: memoryType,
-    trajectory: record.trajectory ? JSON.stringify(record.trajectory) : null,
-    content_hash: contentHash,
-    intent: record.intent ?? null,
-    outcome: record.outcome ?? null,
-    domain: record.domain ?? inferDomain(record),
-    referenced_entities: record.referenced_entities ?? null,
-    retrieval_count: record.retrieval_count ?? 0,
-    chain_position: record.chain_position ?? null,
-    review_status: record.review_status ?? null,
-    context_window_pct: record.context_window_pct ?? null,
-    file_paths: record.file_paths ?? inferFilePaths(record),
-    commit_hash: record.commit_hash ?? inferCommitHash(record),
-    duration_ms: record.duration_ms ?? null,
-    token_cost: record.token_cost ?? null,
-    audience: record.audience ?? null,
-    language_type: record.language_type ?? inferLanguageType(record),
-    parent_memory_id: record.parent_memory_id ?? null
-  };
-  _pendingRecords.push(dbRow);
-  orgBus.emit({
-    type: "memory_stored",
-    agentId: record.agent_id,
-    project: record.project_name,
-    timestamp: record.timestamp
-  });
-  const MAX_PENDING = 1e3;
-  if (_pendingRecords.length > MAX_PENDING) {
-    const dropped = _pendingRecords.length - MAX_PENDING;
-    _pendingRecords = _pendingRecords.slice(-MAX_PENDING);
-    console.warn(`[store] Dropped ${dropped} oldest pending records (overflow)`);
-  }
-  if (_flushTimer === null) {
-    _flushTimer = setInterval(() => {
-      void flushBatch();
-    }, _flushIntervalMs);
-    if (_flushTimer && typeof _flushTimer === "object" && "unref" in _flushTimer) {
-      _flushTimer.unref();
-    }
+}
+var ENCRYPTED_PREFIX = "enc:";
+function deriveMachineKey() {
+  try {
+    const crypto2 = __require("crypto");
+    const material = [
+      os5.hostname(),
+      os5.userInfo().username,
+      os5.arch(),
+      os5.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto2.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
   }
-  if (_pendingRecords.length >= _batchSize) {
-    await flushBatch();
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync6 } = __require("fs");
+    return readFileSync6("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
   }
 }
-async function flushBatch() {
-  if (_flushing || _pendingRecords.length === 0) return 0;
-  _flushing = true;
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto2 = __require("crypto");
+  const iv = crypto2.randomBytes(12);
+  const cipher = crypto2.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
-    const batch = _pendingRecords.slice(0);
-    const client = getClient();
-    const vResult = await client.execute("SELECT MAX(version) as max_v FROM memories");
-    let baseVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
-    for (const row of batch) {
-      row.version = baseVersion++;
-    }
-    _nextVersion = baseVersion;
-    const buildStmt = (row) => {
-      const hasVector = row.vector !== null;
-      const taskId = row.task_id ?? null;
-      const importance = row.importance ?? 5;
-      const status = row.status ?? "active";
-      const confidence = row.confidence ?? 0.7;
-      const lastAccessed = row.last_accessed ?? row.timestamp;
-      const workspaceId = row.workspace_id ?? null;
-      const documentId = row.document_id ?? null;
-      const userId = row.user_id ?? null;
-      const charOffset = row.char_offset ?? null;
-      const pageNumber = row.page_number ?? null;
-      const sourcePath = row.source_path ?? null;
-      const sourceType = row.source_type ?? null;
-      const tier = row.tier ?? 3;
-      const supersedesId = row.supersedes_id ?? null;
-      const draft = row.draft ? 1 : 0;
-      const memoryType = row.memory_type ?? "raw";
-      const trajectory = row.trajectory ?? null;
-      const contentHash = row.content_hash ?? null;
-      const intent = row.intent ?? null;
-      const outcome = row.outcome ?? null;
-      const domain = row.domain ?? null;
-      const referencedEntities = row.referenced_entities ?? null;
-      const retrievalCount = row.retrieval_count ?? 0;
-      const chainPosition = row.chain_position ?? null;
-      const reviewStatus = row.review_status ?? null;
-      const contextWindowPct = row.context_window_pct ?? null;
-      const filePaths = row.file_paths ?? null;
-      const commitHash = row.commit_hash ?? null;
-      const durationMs = row.duration_ms ?? null;
-      const tokenCost = row.token_cost ?? null;
-      const audience = row.audience ?? null;
-      const languageType = row.language_type ?? null;
-      const parentMemoryId = row.parent_memory_id ?? null;
-      const cols = `id, agent_id, agent_role, session_id, timestamp,
-               tool_name, project_name,
-               has_error, raw_text, vector, version, task_id, importance, status,
-               confidence, last_accessed,
-               workspace_id, document_id, user_id, char_offset, page_number,
-               source_path, source_type, tier, supersedes_id, draft, memory_type, trajectory, content_hash,
-               intent, outcome, domain, referenced_entities, retrieval_count,
-               chain_position, review_status, context_window_pct, file_paths, commit_hash,
-               duration_ms, token_cost, audience, language_type, parent_memory_id`;
-      const metaArgs = [
-        intent,
-        outcome,
-        domain,
-        referencedEntities,
-        retrievalCount,
-        chainPosition,
-        reviewStatus,
-        contextWindowPct,
-        filePaths,
-        commitHash,
-        durationMs,
-        tokenCost,
-        audience,
-        languageType,
-        parentMemoryId
-      ];
-      const baseArgs = [
-        row.id,
-        row.agent_id,
-        row.agent_role,
-        row.session_id,
-        row.timestamp,
-        row.tool_name,
-        row.project_name,
-        row.has_error,
-        row.raw_text
-      ];
-      const sharedArgs = [
-        row.version,
-        taskId,
-        importance,
-        status,
-        confidence,
-        lastAccessed,
-        workspaceId,
-        documentId,
-        userId,
-        charOffset,
-        pageNumber,
-        sourcePath,
-        sourceType,
-        tier,
-        supersedesId,
-        draft,
-        memoryType,
-        trajectory,
-        contentHash
-      ];
-      return {
-        sql: hasVector ? `INSERT OR IGNORE INTO memories (${cols})
-              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, vector32(?), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)` : `INSERT OR IGNORE INTO memories (${cols})
-              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-        args: hasVector ? [...baseArgs, vectorToBlob(row.vector), ...sharedArgs, ...metaArgs] : [...baseArgs, ...sharedArgs, ...metaArgs]
-      };
-    };
-    const globalClient = getClient();
-    const globalStmts = batch.map(buildStmt);
-    await globalClient.batch(globalStmts, "write");
-    try {
-      const { insertMemoryCardsForBatch: insertMemoryCardsForBatch2 } = await Promise.resolve().then(() => (init_memory_cards(), memory_cards_exports));
-      await insertMemoryCardsForBatch2(batch);
-    } catch {
-    }
-    schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
-    _pendingRecords.splice(0, batch.length);
+    const crypto2 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto2.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
+async function getMasterKey() {
+  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
+  const keytar = await tryKeytar();
+  if (keytar) {
     try {
-      const { isShardingEnabled: isShardingEnabled2, getReadyShardClient: getReadyShardClient2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
-      if (isShardingEnabled2()) {
-        const byProject = /* @__PURE__ */ new Map();
-        let skippedUnknown = 0;
-        for (const row of batch) {
-          const proj = row.project_name?.trim();
-          if (!proj) {
-            skippedUnknown++;
-            continue;
-          }
-          if (!byProject.has(proj)) byProject.set(proj, []);
-          byProject.get(proj).push(row);
-        }
-        if (skippedUnknown > 0) {
-          process.stderr.write(
-            `[store] Shard skip: ${skippedUnknown} record(s) with empty project_name (kept in main DB only)
-`
-          );
-        }
-        for (const [project, rows] of byProject) {
-          try {
-            const shardClient = await getReadyShardClient2(project);
-            const shardStmts = rows.map(buildStmt);
-            await shardClient.batch(shardStmts, "write");
-          } catch (err) {
-            const fullError = err instanceof Error ? `${err.name}: ${err.message}${err.stack ? `
-${err.stack.split("\n").slice(1, 3).join("\n")}` : ""}` : String(err);
-            process.stderr.write(
-              `[store] Shard write failed for ${project} (${rows.length} records): ${fullError}
-`
-            );
-          }
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      if (keytarValue) {
+        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
         }
+        return Buffer.from(keytarValue, "base64");
       }
     } catch {
     }
-    return batch.length;
-  } finally {
-    _flushing = false;
-  }
-}
-function buildWikiScopeFilter(options, columnPrefix) {
-  const args = [];
-  let clause = "";
-  if (options?.workspaceId !== void 0) {
-    clause += ` AND ${columnPrefix}workspace_id = ?`;
-    args.push(options.workspaceId);
-  }
-  if (options?.userId === void 0) {
-    clause += ` AND ${columnPrefix}user_id IS NULL`;
-  } else if (options.userId === null) {
-    clause += ` AND ${columnPrefix}user_id IS NULL`;
-  } else {
-    clause += ` AND (${columnPrefix}user_id = ? OR ${columnPrefix}user_id IS NULL)`;
-    args.push(options.userId);
   }
-  return { clause, args };
-}
-function buildRawVisibilityFilter(options, columnPrefix) {
-  if (options?.includeRaw === false) {
-    return {
-      clause: ` AND COALESCE(${columnPrefix}memory_type, 'raw') != 'raw'`,
-      args: []
-    };
+  const keyPath = getKeyPath();
+  if (!existsSync6(keyPath)) {
+    process.stderr.write(
+      `[keychain] Key not found at ${keyPath} (HOME=${os5.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
+`
+    );
+    return null;
   }
-  return { clause: "", args: [] };
-}
-async function searchMemories(queryVector, agentId, options) {
-  let client;
   try {
-    const { isShardingEnabled: isShardingEnabled2, shardExists: shardExists2, getReadyShardClient: getReadyShardClient2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
-    if (isShardingEnabled2() && options?.projectName && shardExists2(options.projectName)) {
-      client = await getReadyShardClient2(options.projectName);
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
     } else {
-      client = getClient();
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
+    }
+    return key;
+  } catch (err) {
+    process.stderr.write(
+      `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+    return null;
+  }
+}
+
+// src/lib/store.ts
+init_config();
+
+// src/lib/state-bus.ts
+var StateBus = class {
+  handlers = /* @__PURE__ */ new Map();
+  globalHandlers = /* @__PURE__ */ new Set();
+  /** Emit an event to all subscribers */
+  emit(event) {
+    const typeHandlers = this.handlers.get(event.type);
+    if (typeHandlers) {
+      for (const handler of typeHandlers) {
+        try {
+          handler(event);
+        } catch {
+        }
+      }
     }
-  } catch {
-    client = getClient();
-  }
-  const limit = options?.limit ?? 10;
-  const statusFilter = options?.includeArchived ? "" : `
-               AND COALESCE(status, 'active') = 'active'`;
-  const draftFilter = options?.includeDrafts ? "" : `
-               AND (draft = 0 OR draft IS NULL)`;
-  let sql = `SELECT id, agent_id, agent_role, session_id, timestamp,
-                    tool_name, project_name,
-                    has_error, raw_text, vector, importance, status,
-                    confidence, last_accessed,
-                    workspace_id, document_id, user_id,
-                    char_offset, page_number,
-                    source_path, source_type
-             FROM memories
-             WHERE agent_id = ?
-               AND vector IS NOT NULL${statusFilter}${draftFilter}
-               AND COALESCE(confidence, 0.7) >= 0.3`;
-  const args = [agentId];
-  const scope = buildWikiScopeFilter(options, "");
-  sql += scope.clause;
-  args.push(...scope.args);
-  const rawVisibility = buildRawVisibilityFilter(options, "");
-  sql += rawVisibility.clause;
-  args.push(...rawVisibility.args);
-  if (options?.projectName) {
-    sql += ` AND project_name = ?`;
-    args.push(options.projectName);
-  }
-  if (options?.toolName) {
-    sql += ` AND tool_name = ?`;
-    args.push(options.toolName);
-  }
-  if (options?.hasError !== void 0) {
-    sql += ` AND has_error = ?`;
-    args.push(options.hasError ? 1 : 0);
-  }
-  if (options?.since) {
-    sql += ` AND timestamp >= ?`;
-    args.push(options.since);
-  }
-  if (options?.memoryTypes && options.memoryTypes.length > 0) {
-    const uniqueTypes = [...new Set(options.memoryTypes)];
-    sql += ` AND memory_type IN (${uniqueTypes.map(() => "?").join(",")})`;
-    args.push(...uniqueTypes);
-  } else if (options?.memoryType) {
-    sql += ` AND memory_type = ?`;
-    args.push(options.memoryType);
-  }
-  sql += ` ORDER BY vector_distance_cos(vector, vector32(?))`;
-  args.push(vectorToBlob(queryVector));
-  sql += ` LIMIT ?`;
-  args.push(limit);
-  const result = await client.execute({ sql, args });
-  return result.rows.map((row) => ({
-    id: row.id,
-    agent_id: row.agent_id,
-    agent_role: row.agent_role,
-    session_id: row.session_id,
-    timestamp: row.timestamp,
-    tool_name: row.tool_name,
-    project_name: row.project_name,
-    has_error: row.has_error === 1,
-    raw_text: row.raw_text,
-    vector: row.vector == null ? [] : Array.isArray(row.vector) ? row.vector : Array.from(row.vector),
-    importance: row.importance ?? 5,
-    status: row.status ?? "active",
-    confidence: row.confidence ?? 0.7,
-    last_accessed: row.last_accessed ?? row.timestamp,
-    workspace_id: row.workspace_id ?? null,
-    document_id: row.document_id ?? null,
-    user_id: row.user_id ?? null,
-    char_offset: row.char_offset ?? null,
-    page_number: row.page_number ?? null,
-    source_path: row.source_path ?? null,
-    source_type: row.source_type ?? null
-  }));
-}
-async function attachDocumentMetadata(records) {
-  const docIds = [
-    ...new Set(
-      records.map((r) => r.document_id).filter((id) => typeof id === "string" && id.length > 0)
-    )
-  ];
-  if (docIds.length === 0) return records;
-  try {
-    const client = getClient();
-    const placeholders = docIds.map(() => "?").join(",");
-    const result = await client.execute({
-      sql: `SELECT id, filename, mime, source_type, uploaded_at
-            FROM documents
-            WHERE id IN (${placeholders})`,
-      args: docIds
-    });
-    const byId = /* @__PURE__ */ new Map();
-    for (const row of result.rows) {
-      const id = row.id;
-      byId.set(id, {
-        document_id: id,
-        filename: row.filename,
-        mime: row.mime ?? null,
-        source_type: row.source_type ?? null,
-        uploaded_at: row.uploaded_at
-      });
+    for (const handler of this.globalHandlers) {
+      try {
+        handler(event);
+      } catch {
+      }
     }
-    for (const record of records) {
-      if (!record.document_id) continue;
-      record.document_metadata = byId.get(record.document_id) ?? null;
+  }
+  /** Subscribe to a specific event type */
+  on(type, handler) {
+    if (!this.handlers.has(type)) {
+      this.handlers.set(type, /* @__PURE__ */ new Set());
     }
-  } catch {
+    this.handlers.get(type).add(handler);
   }
-  return records;
-}
-async function flushTier3(agentId, options) {
-  const client = getClient();
-  const maxAge = options?.maxAgeHours ?? 72;
-  const cutoff = new Date(Date.now() - maxAge * 36e5).toISOString();
-  if (options?.dryRun) {
-    const result2 = await client.execute({
-      sql: `SELECT COUNT(*) as cnt FROM memories
-            WHERE agent_id = ? AND tier = 3 AND status = 'active' AND timestamp < ?`,
-      args: [agentId, cutoff]
-    });
-    return { archived: Number(result2.rows[0]?.cnt ?? 0) };
+  /** Subscribe to ALL events */
+  onAny(handler) {
+    this.globalHandlers.add(handler);
   }
-  const result = await client.execute({
-    sql: `UPDATE memories SET status = 'archived'
-          WHERE agent_id = ? AND tier = 3 AND status = 'active' AND timestamp < ?`,
-    args: [agentId, cutoff]
-  });
-  return { archived: result.rowsAffected };
-}
-async function disposeStore() {
-  if (_flushTimer !== null) {
-    clearInterval(_flushTimer);
-    _flushTimer = null;
+  /** Unsubscribe from a specific event type */
+  off(type, handler) {
+    this.handlers.get(type)?.delete(handler);
   }
-  if (_pendingRecords.length > 0) {
-    await flushBatch();
+  /** Unsubscribe from ALL events */
+  offAny(handler) {
+    this.globalHandlers.delete(handler);
   }
-  await disposeTurso();
-  _pendingRecords = [];
-  _nextVersion = 1;
-}
-function vectorToBlob(vector) {
-  const f32 = vector instanceof Float32Array ? vector : new Float32Array(vector);
-  return JSON.stringify(Array.from(f32));
-}
-async function updateMemoryStatus(id, status) {
-  const client = getClient();
-  await client.execute({
-    sql: `UPDATE memories SET status = ? WHERE id = ?`,
-    args: [status, id]
-  });
-}
-function reserveVersions(count) {
-  const reserved = [];
-  for (let i = 0; i < count; i++) {
-    reserved.push(_nextVersion++);
+  /** Remove all listeners */
+  clear() {
+    this.handlers.clear();
+    this.globalHandlers.clear();
+  }
+};
+var orgBus = new StateBus();
+
+// src/lib/memory-write-governor.ts
+import { createHash } from "crypto";
+
+// src/lib/store.ts
+var INIT_MAX_RETRIES = 3;
+var INIT_RETRY_DELAY_MS = 1e3;
+function isBusyError2(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
   }
-  return reserved;
+  return false;
 }
-async function getMemoryCardinality(agentId) {
-  try {
-    const client = getClient();
-    const result = await client.execute({
-      sql: `SELECT COUNT(*) as cnt FROM memories WHERE agent_id = ? AND COALESCE(status, 'active') = 'active'`,
-      args: [agentId]
-    });
-    return Number(result.rows[0]?.cnt) || 0;
-  } catch {
-    return 0;
+async function retryOnBusy2(fn, label) {
+  for (let attempt = 0; attempt <= INIT_MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      if (!isBusyError2(err) || attempt === INIT_MAX_RETRIES) throw err;
+      process.stderr.write(
+        `[store] SQLITE_BUSY during ${label}, retry ${attempt + 1}/${INIT_MAX_RETRIES}
+`
+      );
+      await new Promise((r) => setTimeout(r, INIT_RETRY_DELAY_MS * (attempt + 1)));
+    }
   }
+  throw new Error("unreachable");
 }
-var INIT_MAX_RETRIES, INIT_RETRY_DELAY_MS, _pendingRecords, _batchSize, _flushIntervalMs, _flushTimer, _flushing, _nextVersion;
-var init_store = __esm({
-  "src/lib/store.ts"() {
-    "use strict";
-    init_memory();
-    init_database();
-    init_keychain();
-    init_config();
-    init_state_bus();
-    init_memory_write_governor();
-    INIT_MAX_RETRIES = 3;
-    INIT_RETRY_DELAY_MS = 1e3;
-    _pendingRecords = [];
-    _batchSize = 20;
-    _flushIntervalMs = 1e4;
+var _pendingRecords = [];
+var _batchSize = 20;
+var _flushIntervalMs = 1e4;
+var _flushTimer = null;
+var _flushing = false;
+var _nextVersion = 1;
+async function initStore(options) {
+  if (_flushTimer !== null) {
+    clearInterval(_flushTimer);
     _flushTimer = null;
-    _flushing = false;
-    _nextVersion = 1;
   }
-});
-
-// src/bin/fast-db-init.ts
-var fast_db_init_exports = {};
-__export(fast_db_init_exports, {
-  fastDbInit: () => fastDbInit
-});
-async function fastDbInit() {
-  const { isInitialized: isInitialized2, getClient: getClient2, setExternalClient: setExternalClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-  if (isInitialized2()) {
-    return getClient2();
+  _pendingRecords = [];
+  _flushing = false;
+  _batchSize = options?.batchSize ?? 20;
+  _flushIntervalMs = options?.flushIntervalMs ?? 1e4;
+  let dbPath = options?.dbPath;
+  if (!dbPath) {
+    const config = await loadConfig();
+    dbPath = config.dbPath;
   }
-  try {
-    const { connectEmbedDaemon: connectEmbedDaemon2, sendDaemonRequest: sendDaemonRequest2, isClientConnected: isClientConnected2 } = await Promise.resolve().then(() => (init_exe_daemon_client(), exe_daemon_client_exports));
-    const { deserializeResultSet: deserializeResultSet2 } = await Promise.resolve().then(() => (init_daemon_protocol(), daemon_protocol_exports));
-    await connectEmbedDaemon2();
-    if (isClientConnected2()) {
-      const daemonClient = {
-        async execute(stmt) {
-          const sql = typeof stmt === "string" ? stmt : stmt.sql;
-          const args = typeof stmt === "string" ? [] : Array.isArray(stmt.args) ? stmt.args : [];
-          const resp = await sendDaemonRequest2({ type: "db-execute", sql, args });
-          if (resp.error) throw new Error(String(resp.error));
-          if (resp.db) return deserializeResultSet2(resp.db);
-          throw new Error("Unexpected daemon response");
-        },
-        async batch(stmts, mode) {
-          const statements = stmts.map((s) => {
-            const sql = typeof s === "string" ? s : s.sql;
-            const args = typeof s === "string" ? [] : Array.isArray(s.args) ? s.args : [];
-            return { sql, args };
-          });
-          const resp = await sendDaemonRequest2({ type: "db-batch", statements, mode: mode ?? "deferred" });
-          if (resp.error) throw new Error(String(resp.error));
-          const batchResults = resp["db-batch"];
-          if (batchResults) return batchResults.map(deserializeResultSet2);
-          throw new Error("Unexpected daemon batch response");
-        },
-        async transaction(_mode) {
-          throw new Error("Transactions not supported via daemon socket");
-        },
-        async executeMultiple(_sql) {
-          throw new Error("executeMultiple not supported via daemon socket");
-        },
-        async migrate(_stmts) {
-          throw new Error("migrate not supported via daemon socket");
-        },
-        sync() {
-          return Promise.resolve(void 0);
-        },
-        close() {
-        },
-        get closed() {
-          return false;
-        },
-        get protocol() {
-          return "file";
-        }
-      };
-      setExternalClient2(daemonClient);
-      return daemonClient;
+  let masterKey = options?.masterKey ?? null;
+  if (!masterKey) {
+    masterKey = await getMasterKey();
+    if (!masterKey) {
+      throw new Error(
+        "No encryption key found. Run /exe-setup to generate one."
+      );
     }
-  } catch {
-  }
-  const { initStore: initStore2 } = await Promise.resolve().then(() => (init_store(), store_exports));
-  await initStore2({ lightweight: true });
-  return getClient2();
-}
-var init_fast_db_init = __esm({
-  "src/bin/fast-db-init.ts"() {
-    "use strict";
   }
-});
-
-// src/lib/db-backup.ts
-var db_backup_exports = {};
-__export(db_backup_exports, {
-  createBackup: () => createBackup,
-  findActiveDb: () => findActiveDb,
-  getBackupDir: () => getBackupDir,
-  getLatestBackup: () => getLatestBackup,
-  hasBackupToday: () => hasBackupToday,
-  listBackups: () => listBackups,
-  rotateBackups: () => rotateBackups
-});
-import { copyFileSync, existsSync as existsSync9, mkdirSync as mkdirSync4, readdirSync as readdirSync3, unlinkSync as unlinkSync4, statSync as statSync3 } from "fs";
-import path9 from "path";
-function findActiveDb() {
-  for (const name of DB_NAMES) {
-    const p = path9.join(EXE_AI_DIR, name);
-    if (existsSync9(p)) return p;
+  const hexKey = masterKey.toString("hex");
+  await initTurso({
+    dbPath,
+    encryptionKey: hexKey
+  });
+  await retryOnBusy2(() => ensureSchema(), "ensureSchema");
+  try {
+    const { initDaemonClient: initDaemonClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+    await initDaemonClient2();
+  } catch {
   }
-  return null;
-}
-function createBackup(reason = "manual") {
-  const dbPath = findActiveDb();
-  if (!dbPath) return null;
-  mkdirSync4(BACKUP_DIR, { recursive: true });
-  const dbName = path9.basename(dbPath, ".db");
-  const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
-  const backupName = `${dbName}-${reason}-${timestamp}.db`;
-  const backupPath = path9.join(BACKUP_DIR, backupName);
-  copyFileSync(dbPath, backupPath);
-  const walPath = dbPath + "-wal";
-  if (existsSync9(walPath)) {
+  if (!options?.lightweight) {
     try {
-      copyFileSync(walPath, backupPath + "-wal");
+      const { initShardManager: initShardManager2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
+      initShardManager2(hexKey);
     } catch {
     }
-  }
-  const shmPath = dbPath + "-shm";
-  if (existsSync9(shmPath)) {
+    const client = getClient();
+    const vResult = await retryOnBusy2(
+      () => client.execute("SELECT MAX(version) as max_v FROM memories"),
+      "version-query"
+    );
+    _nextVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
     try {
-      copyFileSync(shmPath, backupPath + "-shm");
+      const { loadGlobalProcedures: loadGlobalProcedures2 } = await Promise.resolve().then(() => (init_global_procedures(), global_procedures_exports));
+      await loadGlobalProcedures2();
     } catch {
     }
   }
-  return backupPath;
-}
-function rotateBackups(keepDays = DEFAULT_KEEP_DAYS) {
-  if (!existsSync9(BACKUP_DIR)) return 0;
-  const cutoff = Date.now() - keepDays * 24 * 60 * 60 * 1e3;
-  let deleted = 0;
-  try {
-    const files = readdirSync3(BACKUP_DIR);
-    for (const file of files) {
-      if (!file.endsWith(".db") && !file.endsWith(".db-wal") && !file.endsWith(".db-shm")) continue;
-      const filePath = path9.join(BACKUP_DIR, file);
-      try {
-        const stat = statSync3(filePath);
-        if (stat.mtimeMs < cutoff) {
-          unlinkSync4(filePath);
-          deleted++;
-        }
-      } catch {
-      }
-    }
-  } catch {
-  }
-  return deleted;
-}
-function listBackups() {
-  if (!existsSync9(BACKUP_DIR)) return [];
-  try {
-    const files = readdirSync3(BACKUP_DIR).filter((f) => f.endsWith(".db") && !f.endsWith("-wal") && !f.endsWith("-shm"));
-    return files.map((name) => {
-      const p = path9.join(BACKUP_DIR, name);
-      const stat = statSync3(p);
-      return { path: p, name, size: stat.size, date: stat.mtime };
-    }).sort((a, b) => b.date.getTime() - a.date.getTime());
-  } catch {
-    return [];
-  }
-}
-function hasBackupToday(reason) {
-  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
-  const backups = listBackups();
-  return backups.some((b) => b.name.includes(reason) && b.name.includes(today.replace(/-/g, "-")));
 }
-function getLatestBackup() {
-  const backups = listBackups();
-  return backups.length > 0 ? backups[0].path : null;
-}
-function getBackupDir() {
-  return BACKUP_DIR;
-}
-var BACKUP_DIR, DEFAULT_KEEP_DAYS, DB_NAMES;
-var init_db_backup = __esm({
-  "src/lib/db-backup.ts"() {
-    "use strict";
-    init_config();
-    BACKUP_DIR = path9.join(EXE_AI_DIR, "backups");
-    DEFAULT_KEEP_DAYS = 3;
-    DB_NAMES = ["memories.db", "exe-mem.db", "exe-os.db", "exe.db"];
-  }
-});
 
 // src/bin/exe-doctor.ts
-import os6 from "os";
+init_database();
 
 // src/lib/is-main.ts
 import { realpathSync } from "fs";
-import { fileURLToPath } from "url";
+import { fileURLToPath as fileURLToPath2 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
-    const modulePath = realpathSync(fileURLToPath(importMetaUrl));
+    const modulePath = realpathSync(fileURLToPath2(importMetaUrl));
     return scriptPath === modulePath;
   } catch {
     return importMetaUrl === `file://${process.argv[1]}` || importMetaUrl === new URL(process.argv[1], "file://").href;
@@ -5400,140 +4229,6 @@ async function detectConflicts(client, projectFilter, agentFilter2) {
   };
 }
 
-// src/adapters/runtime-hook-manifest.ts
-var EXE_HOOKS = {
-  postToolCombined: "dist/hooks/post-tool-combined.js",
-  sessionStart: "dist/hooks/session-start.js",
-  promptSubmit: "dist/hooks/prompt-submit.js",
-  heartbeat: "dist/hooks/exe-heartbeat-hook.js",
-  stop: "dist/hooks/stop.js",
-  preToolUse: "dist/hooks/pre-tool-use.js",
-  subagentStop: "dist/hooks/subagent-stop.js",
-  preCompact: "dist/hooks/pre-compact.js",
-  postCompact: "dist/hooks/post-compact.js",
-  sessionEnd: "dist/hooks/session-end.js",
-  notification: "dist/hooks/notification.js",
-  instructionsLoaded: "dist/hooks/instructions-loaded.js"
-};
-var EXE_HOOK_MANIFEST = [
-  {
-    key: "postToolCombined",
-    event: "PostToolUse",
-    commandMarker: EXE_HOOKS.postToolCombined,
-    owner: "exe-os",
-    purpose: "Single PostToolUse entrypoint for ingestion, error recall, summaries, and bug detection.",
-    runtimes: ["claude", "codex", "opencode"],
-    checkpointRole: "none"
-  },
-  {
-    key: "sessionStart",
-    event: "SessionStart",
-    commandMarker: EXE_HOOKS.sessionStart,
-    owner: "exe-os",
-    purpose: "Loads agent identity, procedures, and boot context.",
-    runtimes: ["claude", "codex", "opencode"],
-    checkpointRole: "none"
-  },
-  {
-    key: "promptSubmit",
-    event: "UserPromptSubmit",
-    commandMarker: EXE_HOOKS.promptSubmit,
-    owner: "exe-os",
-    purpose: "Injects current tasks, pending reviews, and local context before each prompt.",
-    runtimes: ["claude", "codex", "opencode"],
-    checkpointRole: "none"
-  },
-  {
-    key: "heartbeat",
-    event: "UserPromptSubmit",
-    commandMarker: EXE_HOOKS.heartbeat,
-    owner: "exe-os",
-    purpose: "Lightweight heartbeat/status sidecar for Claude Code sessions.",
-    runtimes: ["claude"],
-    checkpointRole: "none"
-  },
-  {
-    key: "stop",
-    event: "Stop",
-    commandMarker: EXE_HOOKS.stop,
-    owner: "exe-os",
-    purpose: "Finalizes task state, capacity signals, and emergency checkpointing.",
-    runtimes: ["claude", "codex", "opencode"],
-    checkpointRole: "capacity_checkpoint"
-  },
-  {
-    key: "preToolUse",
-    event: "PreToolUse",
-    commandMarker: EXE_HOOKS.preToolUse,
-    owner: "exe-os",
-    purpose: "Preflight guardrails before shell/tool execution.",
-    runtimes: ["claude", "codex", "opencode"],
-    checkpointRole: "none"
-  },
-  {
-    key: "subagentStop",
-    event: "SubagentStop",
-    commandMarker: EXE_HOOKS.subagentStop,
-    owner: "exe-os",
-    purpose: "Captures subagent completion context.",
-    runtimes: ["claude"],
-    checkpointRole: "none"
-  },
-  {
-    key: "preCompact",
-    event: "PreCompact",
-    commandMarker: EXE_HOOKS.preCompact,
-    owner: "exe-os",
-    purpose: "Writes active-task snapshot and compaction recovery context.",
-    runtimes: ["claude"],
-    checkpointRole: "recovery_context"
-  },
-  {
-    key: "postCompact",
-    event: "PostCompact",
-    commandMarker: EXE_HOOKS.postCompact,
-    owner: "exe-os",
-    purpose: "Rehydrates recovery context after compaction.",
-    runtimes: ["claude"],
-    checkpointRole: "recovery_context"
-  },
-  {
-    key: "sessionEnd",
-    event: "SessionEnd",
-    commandMarker: EXE_HOOKS.sessionEnd,
-    owner: "exe-os",
-    purpose: "Stores session-end checkpoint and triages orphaned in-progress tasks.",
-    runtimes: ["claude"],
-    checkpointRole: "session_summary"
-  },
-  {
-    key: "notification",
-    event: "Notification",
-    commandMarker: EXE_HOOKS.notification,
-    owner: "exe-os",
-    purpose: "Captures runtime notifications and nudges.",
-    runtimes: ["claude"],
-    checkpointRole: "none"
-  },
-  {
-    key: "instructionsLoaded",
-    event: "InstructionsLoaded",
-    commandMarker: EXE_HOOKS.instructionsLoaded,
-    owner: "exe-os",
-    purpose: "Applies runtime instruction post-processing.",
-    runtimes: ["claude"],
-    checkpointRole: "none"
-  }
-];
-var LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS = [
-  "dist/hooks/ingest.js",
-  "dist/hooks/error-recall.js",
-  "dist/hooks/ingest-worker.js"
-];
-function manifestEntryForCommand(command) {
-  return EXE_HOOK_MANIFEST.find((entry) => command.includes(entry.commandMarker));
-}
-
 // src/bin/exe-doctor.ts
 function parseFlags(argv) {
   const flags = { fix: false, dryRun: false, verbose: false, conflicts: false };
@@ -5732,121 +4427,6 @@ function auditHookHealth() {
   const topPatterns = [...patternCounts.entries()].sort((a, b) => b[1] - a[1]).slice(0, 5).map(([pattern, count]) => ({ pattern, count }));
   return { logExists: true, totalLines, errorsLastHour, topPatterns };
 }
-function safeReadJson(filePath) {
-  if (!existsSync10(filePath)) return null;
-  try {
-    return JSON.parse(readFileSync5(filePath, "utf-8"));
-  } catch {
-    return null;
-  }
-}
-function collectHookCommandsFromClaudeSettings(settings) {
-  const hooks = settings?.hooks;
-  if (!hooks || typeof hooks !== "object") return [];
-  const commands = [];
-  for (const [event, groups] of Object.entries(hooks)) {
-    if (!Array.isArray(groups)) continue;
-    for (const group of groups) {
-      const hooksForGroup = group?.hooks;
-      if (!Array.isArray(hooksForGroup)) continue;
-      for (const hook of hooksForGroup) {
-        const command = hook?.command;
-        if (typeof command === "string") commands.push({ event, command });
-      }
-    }
-  }
-  return commands;
-}
-function collectHookCommandsFromCodexHooks(config) {
-  const commands = [];
-  if (!config || typeof config !== "object") return commands;
-  const root = config;
-  for (const [event, value] of Object.entries(root)) {
-    const entries = Array.isArray(value) ? value : value && typeof value === "object" ? Object.values(value) : [];
-    for (const entry of entries) {
-      if (typeof entry === "string") commands.push({ event, command: entry });
-      const command = entry?.command;
-      if (typeof command === "string") commands.push({ event, command });
-    }
-  }
-  return commands;
-}
-function buildHookOwnershipIssues(runtime, commands) {
-  const issues = [];
-  for (const marker of LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS) {
-    const count = commands.filter((cmd) => cmd.command.includes(marker)).length;
-    if (count > 0) {
-      issues.push({
-        runtime,
-        event: "PostToolUse",
-        marker,
-        count,
-        message: `Legacy split PostToolUse hook still installed: ${marker}`
-      });
-    }
-  }
-  for (const entry of EXE_HOOK_MANIFEST.filter((hook) => hook.runtimes.includes(runtime))) {
-    const matching = commands.filter((cmd) => cmd.command.includes(entry.commandMarker));
-    if (matching.length > 1) {
-      issues.push({
-        runtime,
-        event: entry.event,
-        marker: entry.commandMarker,
-        count: matching.length,
-        message: `Duplicate exe-os hook owner for ${entry.event}: ${entry.commandMarker}`
-      });
-    }
-    for (const cmd of matching) {
-      if (cmd.event !== entry.event) {
-        issues.push({
-          runtime,
-          event: cmd.event,
-          marker: entry.commandMarker,
-          count: 1,
-          message: `exe-os hook ${entry.commandMarker} is registered under ${cmd.event}, expected ${entry.event}`
-        });
-      }
-    }
-  }
-  for (const cmd of commands) {
-    if (!cmd.command.includes("dist/hooks/")) continue;
-    if (!cmd.command.includes("exe-os")) continue;
-    const entry = manifestEntryForCommand(cmd.command);
-    const isLegacy = LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS.some((marker) => cmd.command.includes(marker));
-    if (!entry && !isLegacy) {
-      issues.push({
-        runtime,
-        event: cmd.event,
-        marker: "dist/hooks/",
-        count: 1,
-        message: `Unknown exe-os hook command not present in ownership manifest: ${cmd.command.slice(0, 160)}`
-      });
-    }
-  }
-  return issues;
-}
-function auditHookOwnership() {
-  const home = process.env.HOME ?? process.env.USERPROFILE ?? "";
-  const checkedFiles = [];
-  const issues = [];
-  const claudeSettingsPath = path10.join(home, ".claude", "settings.json");
-  const claudeSettings = safeReadJson(claudeSettingsPath);
-  if (claudeSettings) {
-    checkedFiles.push(claudeSettingsPath);
-    issues.push(...buildHookOwnershipIssues("claude", collectHookCommandsFromClaudeSettings(claudeSettings)));
-  }
-  const codexHooksPath = path10.join(home, ".codex", "hooks.json");
-  const codexHooks = safeReadJson(codexHooksPath);
-  if (codexHooks) {
-    checkedFiles.push(codexHooksPath);
-    issues.push(...buildHookOwnershipIssues("codex", collectHookCommandsFromCodexHooks(codexHooks)));
-  }
-  return {
-    checkedFiles,
-    issues,
-    staleLegacyHooks: issues.filter((issue) => issue.message.includes("Legacy split"))
-  };
-}
 async function auditShards() {
   try {
     const { auditShardHealth: auditShardHealth2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
@@ -5891,8 +4471,7 @@ async function runAudit(client, flags) {
   }
   const duplicateCount = duplicates.reduce((sum, d) => sum + d.delete_ids.length, 0);
   const hookHealth = auditHookHealth();
-  const hookOwnership = auditHookOwnership();
-  return { stats, nullVectors, duplicates, duplicateCount, bloated, fts, orphanedProjects, conflicts, hookHealth, hookOwnership, shards };
+  return { stats, nullVectors, duplicates, duplicateCount, bloated, fts, orphanedProjects, conflicts, hookHealth, shards };
 }
 function indicator(value, warn) {
   if (value === 0) return "\u{1F7E2}";
@@ -5971,15 +4550,6 @@ function formatReport(report, flags) {
       lines.push(`                     ${p.count}x: ${p.pattern}`);
     }
   }
-  const ho = report.hookOwnership;
-  if (ho.issues.length === 0) {
-    lines.push(`\u{1F7E2} Hook ownership:  ${ho.checkedFiles.length > 0 ? "manifest clean" : "no local hook config found"}`);
-  } else {
-    lines.push(`\u{1F534} Hook ownership:  ${fmtNum(ho.issues.length)} issue(s)`);
-    for (const issue of ho.issues.slice(0, 5)) {
-      lines.push(`                     [${issue.runtime}/${issue.event}] ${issue.message}`);
-    }
-  }
   const sh = report.shards;
   if (sh.total > 0) {
     if (sh.unreadable === 0) {
@@ -6049,9 +4619,6 @@ function formatReport(report, flags) {
   if (report.conflicts.superseded > 0) {
     recs.push(`${fmtNum(report.conflicts.superseded)} superseded memories can be deactivated`);
   }
-  if (report.hookOwnership.issues.length > 0) {
-    recs.push(`Run exe-os install to refresh hook config; remove stale exe-os hook commands if they remain`);
-  }
   if (recs.length > 0) {
     lines.push("Recommendations:");
     for (const r of recs) {
@@ -6185,8 +4752,8 @@ function splitAtSentences(text, maxChunkSize) {
 }
 async function main(argv = process.argv.slice(2)) {
   const flags = parseFlags(argv);
-  const { fastDbInit: fastDbInit2 } = await Promise.resolve().then(() => (init_fast_db_init(), fast_db_init_exports));
-  const client = await fastDbInit2();
+  await initStore();
+  const client = getClient();
   const report = await runAudit(client, flags);
   console.log(formatReport(report, flags));
   if (flags.fix || flags.dryRun) {
@@ -6254,7 +4821,6 @@ export {
   auditDuplicates,
   auditFts,
   auditHookHealth,
-  auditHookOwnership,
   auditNullVectors,
   auditOrphanedProjects,
   auditShards,