@askexenow/exe-os 0.9.65 → 0.9.67

package/dist/bin/agentic-ontology-backfill.js

@@ -0,0 +1,4708 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/types/memory.ts
+var EMBEDDING_DIM;
+var init_memory = __esm({
+  "src/types/memory.ts"() {
+    "use strict";
+    EMBEDDING_DIM = 1024;
+  }
+});
+
+// src/lib/db-retry.ts
+function isBusyError(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
+  }
+  return false;
+}
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function retryOnBusy(fn, label) {
+  let lastError;
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (!isBusyError(err) || attempt === MAX_RETRIES) {
+        throw err;
+      }
+      const backoff = BASE_DELAY_MS * Math.pow(2, attempt);
+      const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
+      process.stderr.write(
+        `[exe-os] SQLITE_BUSY ${label} retry ${attempt + 1}/${MAX_RETRIES} \u2014 waiting ${backoff + jitter}ms
+`
+      );
+      await delay(backoff + jitter);
+    }
+  }
+  throw lastError;
+}
+function wrapWithRetry(client) {
+  return new Proxy(client, {
+    get(target, prop, receiver) {
+      if (prop === "execute") {
+        return (sql) => retryOnBusy(() => target.execute(sql), "execute");
+      }
+      if (prop === "batch") {
+        return (stmts, mode) => retryOnBusy(() => target.batch(stmts, mode), "batch");
+      }
+      return Reflect.get(target, prop, receiver);
+    }
+  });
+}
+var MAX_RETRIES, BASE_DELAY_MS, MAX_JITTER_MS;
+var init_db_retry = __esm({
+  "src/lib/db-retry.ts"() {
+    "use strict";
+    MAX_RETRIES = 5;
+    BASE_DELAY_MS = 250;
+    MAX_JITTER_MS = 400;
+  }
+});
+
+// src/lib/secure-files.ts
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { chmod, mkdir } from "fs/promises";
+async function ensurePrivateDir(dirPath) {
+  await mkdir(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    await chmod(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+function ensurePrivateDirSync(dirPath) {
+  mkdirSync(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    chmodSync(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+async function enforcePrivateFile(filePath) {
+  try {
+    await chmod(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+function enforcePrivateFileSync(filePath) {
+  try {
+    if (existsSync(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+var PRIVATE_DIR_MODE, PRIVATE_FILE_MODE;
+var init_secure_files = __esm({
+  "src/lib/secure-files.ts"() {
+    "use strict";
+    PRIVATE_DIR_MODE = 448;
+    PRIVATE_FILE_MODE = 384;
+  }
+});
+
+// src/lib/config.ts
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
+import path from "path";
+import os from "os";
+function resolveDataDir() {
+  if (process.env.EXE_OS_DIR) return process.env.EXE_OS_DIR;
+  if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
+  const newDir = path.join(os.homedir(), ".exe-os");
+  const legacyDir = path.join(os.homedir(), ".exe-mem");
+  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
+    try {
+      renameSync(legacyDir, newDir);
+      process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
+`);
+    } catch {
+      return legacyDir;
+    }
+  }
+  return newDir;
+}
+function migrateLegacyConfig(raw) {
+  if ("r2" in raw) {
+    process.stderr.write(
+      "[exe-os] Warning: config.json contains deprecated 'r2' field from v1.0. R2 sync has been replaced in v1.1. The 'r2' field will be ignored.\n"
+    );
+    delete raw.r2;
+  }
+  if ("syncIntervalMs" in raw) {
+    delete raw.syncIntervalMs;
+  }
+  return raw;
+}
+function migrateConfig(raw) {
+  const fromVersion = typeof raw.config_version === "number" ? raw.config_version : 0;
+  let currentVersion = fromVersion;
+  let migrated = false;
+  if (currentVersion > CURRENT_CONFIG_VERSION) {
+    return { config: raw, migrated: false, fromVersion };
+  }
+  for (const migration of CONFIG_MIGRATIONS) {
+    if (currentVersion === migration.from && migration.to <= CURRENT_CONFIG_VERSION) {
+      raw = migration.migrate(raw);
+      currentVersion = migration.to;
+      migrated = true;
+    }
+  }
+  return { config: raw, migrated, fromVersion };
+}
+function normalizeScalingRoadmap(raw) {
+  const defaultAuto = DEFAULT_CONFIG.scalingRoadmap.rerankerAutoTrigger;
+  const userRoadmap = raw.scalingRoadmap ?? {};
+  const userAuto = userRoadmap.rerankerAutoTrigger ?? {};
+  if (userAuto.enabled === void 0 && raw.rerankerEnabled !== void 0) {
+    userAuto.enabled = raw.rerankerEnabled;
+  }
+  raw.scalingRoadmap = {
+    ...userRoadmap,
+    rerankerAutoTrigger: { ...defaultAuto, ...userAuto }
+  };
+}
+function normalizeSessionLifecycle(raw) {
+  const defaultSL = DEFAULT_CONFIG.sessionLifecycle;
+  const userSL = raw.sessionLifecycle ?? {};
+  raw.sessionLifecycle = { ...defaultSL, ...userSL };
+}
+function normalizeAutoUpdate(raw) {
+  const defaultAU = DEFAULT_CONFIG.autoUpdate;
+  const userAU = raw.autoUpdate ?? {};
+  raw.autoUpdate = { ...defaultAU, ...userAU };
+}
+function normalizeOrchestration(raw) {
+  const defaultOrg = DEFAULT_CONFIG.orchestration;
+  const userOrg = raw.orchestration ?? {};
+  raw.orchestration = { ...defaultOrg, ...userOrg };
+}
+async function loadConfig() {
+  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
+  await ensurePrivateDir(dir);
+  const configPath = path.join(dir, "config.json");
+  if (!existsSync2(configPath)) {
+    return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
+  }
+  const raw = await readFile(configPath, "utf-8");
+  try {
+    let parsed = JSON.parse(raw);
+    parsed = migrateLegacyConfig(parsed);
+    const { config: migratedCfg, migrated, fromVersion } = migrateConfig(parsed);
+    if (migrated) {
+      process.stderr.write(`[exe-os] Config migrated from v${fromVersion} to v${migratedCfg.config_version}
+`);
+      try {
+        await writeFile(configPath, JSON.stringify(migratedCfg, null, 2) + "\n");
+        await enforcePrivateFile(configPath);
+      } catch {
+      }
+    }
+    normalizeScalingRoadmap(migratedCfg);
+    normalizeSessionLifecycle(migratedCfg);
+    normalizeAutoUpdate(migratedCfg);
+    normalizeOrchestration(migratedCfg);
+    const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
+    if (config.dbPath.startsWith("~")) {
+      config.dbPath = config.dbPath.replace(/^~/, os.homedir());
+    }
+    const envDbPath = path.join(dir, "memories.db");
+    if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
+      config.dbPath = envDbPath;
+    }
+    return config;
+  } catch {
+    return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
+  }
+}
+var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CONFIG_VERSION, DEFAULT_CONFIG, CONFIG_MIGRATIONS;
+var init_config = __esm({
+  "src/lib/config.ts"() {
+    "use strict";
+    init_secure_files();
+    EXE_AI_DIR = resolveDataDir();
+    DB_PATH = path.join(EXE_AI_DIR, "memories.db");
+    MODELS_DIR = path.join(EXE_AI_DIR, "models");
+    CONFIG_PATH = path.join(EXE_AI_DIR, "config.json");
+    LEGACY_LANCE_PATH = path.join(EXE_AI_DIR, "local.lance");
+    CURRENT_CONFIG_VERSION = 1;
+    DEFAULT_CONFIG = {
+      config_version: CURRENT_CONFIG_VERSION,
+      dbPath: DB_PATH,
+      modelFile: "jina-embeddings-v5-small-q4_k_m.gguf",
+      embeddingDim: 1024,
+      batchSize: 20,
+      flushIntervalMs: 1e4,
+      autoIngestion: true,
+      autoRetrieval: true,
+      searchMode: "hybrid",
+      hookSearchMode: "hybrid",
+      fileGrepEnabled: true,
+      splashEffect: true,
+      consolidationEnabled: true,
+      consolidationIntervalMs: 6 * 60 * 60 * 1e3,
+      consolidationModel: "claude-haiku-4-5-20251001",
+      consolidationMaxCallsPerRun: 20,
+      selfQueryRouter: true,
+      selfQueryModel: "claude-haiku-4-5-20251001",
+      rerankerEnabled: true,
+      scalingRoadmap: {
+        rerankerAutoTrigger: {
+          enabled: true,
+          broadQueryMinCardinality: 5e4,
+          fetchTopK: 200,
+          returnTopK: 20
+        }
+      },
+      graphRagEnabled: true,
+      wikiEnabled: false,
+      wikiUrl: "",
+      wikiApiKey: "",
+      wikiSyncIntervalMs: 30 * 60 * 1e3,
+      wikiWorkspaceMapping: {},
+      wikiAutoUpdate: true,
+      wikiAutoUpdateThreshold: 0.5,
+      wikiAutoUpdateCreateNew: true,
+      skillLearning: true,
+      skillThreshold: 3,
+      skillModel: "claude-haiku-4-5-20251001",
+      exeHeartbeat: {
+        enabled: true,
+        intervalSeconds: 60,
+        staleInProgressThresholdHours: 2
+      },
+      sessionLifecycle: {
+        idleKillEnabled: true,
+        idleKillTicksRequired: 3,
+        idleKillIntercomAckWindowMs: 1e4,
+        maxAutoInstances: 10
+      },
+      autoUpdate: {
+        checkOnBoot: true,
+        autoInstall: false,
+        checkIntervalMs: 24 * 60 * 60 * 1e3
+      },
+      orchestration: {
+        phase: "phase_1_coo",
+        phaseSetBy: "default"
+      }
+    };
+    CONFIG_MIGRATIONS = [
+      {
+        from: 0,
+        to: 1,
+        migrate: (cfg) => {
+          cfg.config_version = 1;
+          return cfg;
+        }
+      }
+    ];
+  }
+});
+
+// src/lib/employees.ts
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { execSync } from "child_process";
+import path2 from "path";
+import os2 from "os";
+function normalizeRole(role) {
+  return (role ?? "").trim().toLowerCase();
+}
+function isCoordinatorRole(role) {
+  return normalizeRole(role) === normalizeRole(COORDINATOR_ROLE);
+}
+function getCoordinatorEmployee(employees) {
+  return employees.find((e) => isCoordinatorRole(e.role));
+}
+function getCoordinatorName(employees = loadEmployeesSync()) {
+  return getCoordinatorEmployee(employees)?.name ?? DEFAULT_COORDINATOR_TEMPLATE_NAME;
+}
+function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
+  if (!existsSync3(employeesPath)) return [];
+  try {
+    return JSON.parse(readFileSync2(employeesPath, "utf-8"));
+  } catch {
+    return [];
+  }
+}
+var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, IDENTITY_DIR;
+var init_employees = __esm({
+  "src/lib/employees.ts"() {
+    "use strict";
+    init_config();
+    EMPLOYEES_PATH = path2.join(EXE_AI_DIR, "exe-employees.json");
+    DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
+    COORDINATOR_ROLE = "COO";
+    IDENTITY_DIR = path2.join(EXE_AI_DIR, "identity");
+  }
+});
+
+// src/lib/database-adapter.ts
+import os3 from "os";
+import path3 from "path";
+import { createRequire } from "module";
+import { pathToFileURL } from "url";
+function quotedIdentifier(identifier) {
+  return `"${identifier.replace(/"/g, '""')}"`;
+}
+function unqualifiedTableName(name) {
+  const raw = name.trim().replace(/^"|"$/g, "");
+  const parts = raw.split(".");
+  return parts[parts.length - 1].replace(/^"|"$/g, "").toLowerCase();
+}
+function stripTrailingSemicolon(sql) {
+  return sql.trim().replace(/;+\s*$/u, "");
+}
+function appendClause(sql, clause) {
+  const trimmed = stripTrailingSemicolon(sql);
+  const returningMatch = /\sRETURNING\b[\s\S]*$/iu.exec(trimmed);
+  if (!returningMatch) {
+    return `${trimmed}${clause}`;
+  }
+  const idx = returningMatch.index;
+  return `${trimmed.slice(0, idx)}${clause}${trimmed.slice(idx)}`;
+}
+function normalizeStatement(stmt) {
+  if (typeof stmt === "string") {
+    return { kind: "positional", sql: stmt, args: [] };
+  }
+  const sql = stmt.sql;
+  if (Array.isArray(stmt.args) || stmt.args === void 0) {
+    return { kind: "positional", sql, args: stmt.args ?? [] };
+  }
+  return { kind: "named", sql, args: stmt.args };
+}
+function rewriteBooleanLiterals(sql) {
+  let out = sql;
+  for (const column of BOOLEAN_COLUMN_NAMES) {
+    const scoped = `((?:\\b[a-z_][a-z0-9_]*\\.)?${column})`;
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*0\\b`, "giu"), "$1 = FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*1\\b`, "giu"), "$1 = TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*0\\b`, "giu"), "$1 != FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*1\\b`, "giu"), "$1 != TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*0\\b`, "giu"), "$1 <> FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*1\\b`, "giu"), "$1 <> TRUE");
+  }
+  return out;
+}
+function rewriteInsertOrIgnore(sql) {
+  if (!/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu.test(sql)) {
+    return sql;
+  }
+  const replaced = sql.replace(/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu, "INSERT INTO");
+  return /\bON\s+CONFLICT\b/iu.test(replaced) ? replaced : appendClause(replaced, " ON CONFLICT DO NOTHING");
+}
+function rewriteInsertOrReplace(sql) {
+  const match = /^\s*INSERT\s+OR\s+REPLACE\s+INTO\s+([A-Za-z0-9_."]+)\s*\(([^)]+)\)([\s\S]*)$/iu.exec(sql);
+  if (!match) {
+    return sql;
+  }
+  const rawTable = match[1];
+  const rawColumns = match[2];
+  const remainder = match[3];
+  const tableName = unqualifiedTableName(rawTable);
+  const conflictKeys = UPSERT_KEYS[tableName];
+  if (!conflictKeys?.length) {
+    return sql;
+  }
+  const columns = rawColumns.split(",").map((col) => col.trim().replace(/^"|"$/g, ""));
+  const updateColumns = columns.filter((col) => !conflictKeys.includes(col));
+  const conflictTarget = conflictKeys.map(quotedIdentifier).join(", ");
+  const updateClause = updateColumns.length === 0 ? " DO NOTHING" : ` DO UPDATE SET ${updateColumns.map((col) => `${quotedIdentifier(col)} = EXCLUDED.${quotedIdentifier(col)}`).join(", ")}`;
+  return `INSERT INTO ${rawTable} (${rawColumns})${appendClause(remainder, ` ON CONFLICT (${conflictTarget})${updateClause}`)}`;
+}
+function rewriteSql(sql) {
+  let out = sql;
+  out = out.replace(/\bdatetime\(\s*['"]now['"]\s*\)/giu, "CURRENT_TIMESTAMP");
+  out = out.replace(/\bvector32\s*\(\s*\?\s*\)/giu, "?");
+  out = rewriteBooleanLiterals(out);
+  out = rewriteInsertOrReplace(out);
+  out = rewriteInsertOrIgnore(out);
+  return stripTrailingSemicolon(out);
+}
+function toBoolean(value) {
+  if (value === null || value === void 0) return value;
+  if (typeof value === "boolean") return value;
+  if (typeof value === "number") return value !== 0;
+  if (typeof value === "bigint") return value !== 0n;
+  if (typeof value === "string") {
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "0" || normalized === "false") return false;
+    if (normalized === "1" || normalized === "true") return true;
+  }
+  return Boolean(value);
+}
+function countQuestionMarks(sql, end) {
+  let count = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < end; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      if (ch === "*" && next === "/") {
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      inLineComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "/" && next === "*") {
+      inBlockComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inDouble && ch === "'" && sql[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      continue;
+    }
+    if (!inSingle && ch === '"' && sql[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "?") {
+      count += 1;
+    }
+  }
+  return count;
+}
+function findBooleanPlaceholderIndexes(sql) {
+  const indexes = /* @__PURE__ */ new Set();
+  for (const column of BOOLEAN_COLUMN_NAMES) {
+    const pattern = new RegExp(`(?:\\b[a-z_][a-z0-9_]*\\.)?${column}\\s*=\\s*\\?`, "giu");
+    for (const match of sql.matchAll(pattern)) {
+      const matchText = match[0];
+      const qIndex = match.index + matchText.lastIndexOf("?");
+      indexes.add(countQuestionMarks(sql, qIndex + 1));
+    }
+  }
+  return indexes;
+}
+function coerceInsertBooleanArgs(sql, args) {
+  const match = /^\s*INSERT(?:\s+OR\s+(?:IGNORE|REPLACE))?\s+INTO\s+([A-Za-z0-9_."]+)\s*\(([^)]+)\)/iu.exec(sql);
+  if (!match) return;
+  const rawTable = match[1];
+  const rawColumns = match[2];
+  const boolColumns = BOOLEAN_COLUMNS_BY_TABLE[unqualifiedTableName(rawTable)];
+  if (!boolColumns?.size) return;
+  const columns = rawColumns.split(",").map((col) => col.trim().replace(/^"|"$/g, ""));
+  for (const [index, column] of columns.entries()) {
+    if (boolColumns.has(column) && index < args.length) {
+      args[index] = toBoolean(args[index]);
+    }
+  }
+}
+function coerceUpdateBooleanArgs(sql, args) {
+  const match = /^\s*UPDATE\s+([A-Za-z0-9_."]+)\s+SET\s+([\s\S]+?)(?:\s+WHERE\b|$)/iu.exec(sql);
+  if (!match) return;
+  const rawTable = match[1];
+  const setClause = match[2];
+  const boolColumns = BOOLEAN_COLUMNS_BY_TABLE[unqualifiedTableName(rawTable)];
+  if (!boolColumns?.size) return;
+  const assignments = setClause.split(",");
+  let placeholderIndex = 0;
+  for (const assignment of assignments) {
+    if (!assignment.includes("?")) continue;
+    placeholderIndex += 1;
+    const colMatch = /^\s*(?:[A-Za-z_][A-Za-z0-9_]*\.)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\?/iu.exec(assignment);
+    if (colMatch && boolColumns.has(colMatch[1])) {
+      args[placeholderIndex - 1] = toBoolean(args[placeholderIndex - 1]);
+    }
+  }
+}
+function coerceBooleanArgs(sql, args) {
+  const nextArgs = [...args];
+  coerceInsertBooleanArgs(sql, nextArgs);
+  coerceUpdateBooleanArgs(sql, nextArgs);
+  const placeholderIndexes = findBooleanPlaceholderIndexes(sql);
+  for (const index of placeholderIndexes) {
+    if (index > 0 && index <= nextArgs.length) {
+      nextArgs[index - 1] = toBoolean(nextArgs[index - 1]);
+    }
+  }
+  return nextArgs;
+}
+function convertQuestionMarksToDollarParams(sql) {
+  let out = "";
+  let placeholder = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      out += ch;
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      out += ch;
+      if (ch === "*" && next === "/") {
+        out += next;
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      out += ch + next;
+      inLineComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "/" && next === "*") {
+      out += ch + next;
+      inBlockComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inDouble && ch === "'" && sql[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      out += ch;
+      continue;
+    }
+    if (!inSingle && ch === '"' && sql[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      out += ch;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "?") {
+      placeholder += 1;
+      out += `$${placeholder}`;
+      continue;
+    }
+    out += ch;
+  }
+  return out;
+}
+function translateStatementForPostgres(stmt) {
+  const normalized = normalizeStatement(stmt);
+  if (normalized.kind === "named") {
+    throw new Error("Named SQL parameters are not supported by the Prisma adapter.");
+  }
+  const rewrittenSql = rewriteSql(normalized.sql);
+  const coercedArgs = coerceBooleanArgs(rewrittenSql, normalized.args);
+  return {
+    sql: convertQuestionMarksToDollarParams(rewrittenSql),
+    args: coercedArgs
+  };
+}
+function shouldBypassPostgres(stmt) {
+  const normalized = normalizeStatement(stmt);
+  if (normalized.kind === "named") {
+    return true;
+  }
+  return IMMEDIATE_FALLBACK_PATTERNS.some((pattern) => pattern.test(normalized.sql));
+}
+function shouldFallbackOnError(error) {
+  const message = error instanceof Error ? error.message : String(error);
+  return /42P01|42883|42601|does not exist|syntax error|not supported|Named SQL parameters are not supported/iu.test(message);
+}
+function isReadQuery(sql) {
+  const trimmed = sql.trimStart();
+  return /^(SELECT|WITH|SHOW|EXPLAIN|VALUES)\b/iu.test(trimmed) || /\bRETURNING\b/iu.test(trimmed);
+}
+function buildRow(row, columns) {
+  const values = columns.map((column) => row[column]);
+  return Object.assign(values, row);
+}
+function buildResultSet(rows, rowsAffected = 0) {
+  const columns = rows[0] ? Object.keys(rows[0]) : [];
+  const resultRows = rows.map((row) => buildRow(row, columns));
+  return {
+    columns,
+    columnTypes: columns.map(() => ""),
+    rows: resultRows,
+    rowsAffected,
+    lastInsertRowid: void 0,
+    toJSON() {
+      return {
+        columns,
+        columnTypes: columns.map(() => ""),
+        rows,
+        rowsAffected,
+        lastInsertRowid: void 0
+      };
+    }
+  };
+}
+async function loadPrismaClient() {
+  if (!prismaClientPromise) {
+    prismaClientPromise = (async () => {
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const module2 = await import(pathToFileURL(explicitPath).href);
+        const PrismaClient2 = module2.PrismaClient ?? module2.default?.PrismaClient;
+        if (!PrismaClient2) {
+          throw new Error(`No PrismaClient export found at ${explicitPath}`);
+        }
+        return new PrismaClient2();
+      }
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path3.join(os3.homedir(), "exe-db");
+      const requireFromExeDb = createRequire(path3.join(exeDbRoot, "package.json"));
+      const prismaEntry = requireFromExeDb.resolve("@prisma/client");
+      const module = await import(pathToFileURL(prismaEntry).href);
+      const PrismaClient = module.PrismaClient ?? module.default?.PrismaClient;
+      if (!PrismaClient) {
+        throw new Error(`No PrismaClient export found in ${prismaEntry}`);
+      }
+      return new PrismaClient();
+    })();
+  }
+  return prismaClientPromise;
+}
+async function ensureCompatibilityViews(prisma) {
+  if (!compatibilityBootstrapPromise) {
+    compatibilityBootstrapPromise = (async () => {
+      for (const mapping of VIEW_MAPPINGS) {
+        const relation = mapping.source.replace(/"/g, "");
+        const rows = await prisma.$queryRawUnsafe(
+          "SELECT to_regclass($1)::text AS regclass",
+          relation
+        );
+        if (!rows[0]?.regclass) {
+          continue;
+        }
+        await prisma.$executeRawUnsafe(
+          `CREATE OR REPLACE VIEW public.${quotedIdentifier(mapping.view)} AS SELECT * FROM ${mapping.source}`
+        );
+      }
+    })();
+  }
+  return compatibilityBootstrapPromise;
+}
+async function executeOnPrisma(executor, stmt) {
+  const translated = translateStatementForPostgres(stmt);
+  if (isReadQuery(translated.sql)) {
+    const rows = await executor.$queryRawUnsafe(
+      translated.sql,
+      ...translated.args
+    );
+    return buildResultSet(rows, /\bRETURNING\b/iu.test(translated.sql) ? rows.length : 0);
+  }
+  const rowsAffected = await executor.$executeRawUnsafe(translated.sql, ...translated.args);
+  return buildResultSet([], rowsAffected);
+}
+function splitSqlStatements(sql) {
+  const parts = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      current += ch;
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      current += ch;
+      if (ch === "*" && next === "/") {
+        current += next;
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      current += ch + next;
+      inLineComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "/" && next === "*") {
+      current += ch + next;
+      inBlockComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inDouble && ch === "'" && sql[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      current += ch;
+      continue;
+    }
+    if (!inSingle && ch === '"' && sql[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      current += ch;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === ";") {
+      if (current.trim()) {
+        parts.push(current.trim());
+      }
+      current = "";
+      continue;
+    }
+    current += ch;
+  }
+  if (current.trim()) {
+    parts.push(current.trim());
+  }
+  return parts;
+}
+async function createPrismaDbAdapter(fallbackClient) {
+  const prisma = await loadPrismaClient();
+  await ensureCompatibilityViews(prisma);
+  let closed = false;
+  let adapter;
+  const fallbackExecute = async (stmt, error) => {
+    if (!fallbackClient) {
+      if (error) throw error;
+      throw new Error("No fallback SQLite client is available for this Prisma-routed query.");
+    }
+    if (error) {
+      process.stderr.write(
+        `[database-adapter] Falling back to SQLite: ${error instanceof Error ? error.message : String(error)}
+`
+      );
+    }
+    return fallbackClient.execute(stmt);
+  };
+  adapter = {
+    async execute(stmt) {
+      if (shouldBypassPostgres(stmt)) {
+        return fallbackExecute(stmt);
+      }
+      try {
+        return await executeOnPrisma(prisma, stmt);
+      } catch (error) {
+        if (shouldFallbackOnError(error)) {
+          return fallbackExecute(stmt, error);
+        }
+        throw error;
+      }
+    },
+    async batch(stmts, mode) {
+      if (stmts.some((stmt) => shouldBypassPostgres(stmt))) {
+        if (!fallbackClient) {
+          throw new Error("Cannot batch unsupported SQLite-only statements without a fallback client.");
+        }
+        return fallbackClient.batch(stmts, mode);
+      }
+      try {
+        if (prisma.$transaction) {
+          return await prisma.$transaction(async (tx) => {
+            const results2 = [];
+            for (const stmt of stmts) {
+              results2.push(await executeOnPrisma(tx, stmt));
+            }
+            return results2;
+          });
+        }
+        const results = [];
+        for (const stmt of stmts) {
+          results.push(await executeOnPrisma(prisma, stmt));
+        }
+        return results;
+      } catch (error) {
+        if (fallbackClient && shouldFallbackOnError(error)) {
+          process.stderr.write(
+            `[database-adapter] Falling back batch to SQLite: ${error instanceof Error ? error.message : String(error)}
+`
+          );
+          return fallbackClient.batch(stmts, mode);
+        }
+        throw error;
+      }
+    },
+    async migrate(stmts) {
+      if (fallbackClient) {
+        return fallbackClient.migrate(stmts);
+      }
+      return adapter.batch(stmts, "deferred");
+    },
+    async transaction(mode) {
+      if (!fallbackClient) {
+        throw new Error("Interactive transactions are only supported on the SQLite fallback client.");
+      }
+      return fallbackClient.transaction(mode);
+    },
+    async executeMultiple(sql) {
+      if (fallbackClient && shouldBypassPostgres(sql)) {
+        return fallbackClient.executeMultiple(sql);
+      }
+      for (const statement of splitSqlStatements(sql)) {
+        await adapter.execute(statement);
+      }
+    },
+    async sync() {
+      if (fallbackClient) {
+        return fallbackClient.sync();
+      }
+      return { frame_no: 0, frames_synced: 0 };
+    },
+    close() {
+      closed = true;
+      prismaClientPromise = null;
+      compatibilityBootstrapPromise = null;
+      void prisma.$disconnect?.();
+    },
+    get closed() {
+      return closed;
+    },
+    get protocol() {
+      return "prisma-postgres";
+    }
+  };
+  return adapter;
+}
+var VIEW_MAPPINGS, UPSERT_KEYS, BOOLEAN_COLUMNS_BY_TABLE, BOOLEAN_COLUMN_NAMES, IMMEDIATE_FALLBACK_PATTERNS, prismaClientPromise, compatibilityBootstrapPromise;
+var init_database_adapter = __esm({
+  "src/lib/database-adapter.ts"() {
+    "use strict";
+    VIEW_MAPPINGS = [
+      { view: "memories", source: "memory.memory_records" },
+      { view: "tasks", source: "memory.tasks" },
+      { view: "behaviors", source: "memory.behaviors" },
+      { view: "entities", source: "memory.entities" },
+      { view: "relationships", source: "memory.relationships" },
+      { view: "entity_memories", source: "memory.entity_memories" },
+      { view: "entity_aliases", source: "memory.entity_aliases" },
+      { view: "notifications", source: "memory.notifications" },
+      { view: "messages", source: "memory.messages" },
+      { view: "users", source: "wiki.users" },
+      { view: "workspaces", source: "wiki.workspaces" },
+      { view: "workspace_users", source: "wiki.workspace_users" },
+      { view: "documents", source: "wiki.workspace_documents" },
+      { view: "chats", source: "wiki.workspace_chats" }
+    ];
+    UPSERT_KEYS = {
+      memories: ["id"],
+      tasks: ["id"],
+      behaviors: ["id"],
+      entities: ["id"],
+      relationships: ["id"],
+      entity_aliases: ["alias"],
+      notifications: ["id"],
+      messages: ["id"],
+      users: ["id"],
+      workspaces: ["id"],
+      workspace_users: ["id"],
+      documents: ["id"],
+      chats: ["id"]
+    };
+    BOOLEAN_COLUMNS_BY_TABLE = {
+      memories: /* @__PURE__ */ new Set(["has_error", "draft"]),
+      behaviors: /* @__PURE__ */ new Set(["active"]),
+      notifications: /* @__PURE__ */ new Set(["read"]),
+      users: /* @__PURE__ */ new Set(["has_personal_memory"])
+    };
+    BOOLEAN_COLUMN_NAMES = new Set(
+      Object.values(BOOLEAN_COLUMNS_BY_TABLE).flatMap((cols) => [...cols])
+    );
+    IMMEDIATE_FALLBACK_PATTERNS = [
+      /\bPRAGMA\b/i,
+      /\bsqlite_master\b/i,
+      /(?:^|[.\s])(?:memories|conversations|entities)_fts\b/i,
+      /\bMATCH\b/i,
+      /\bvector_distance_cos\s*\(/i,
+      /\bjson_extract\s*\(/i,
+      /\bjulianday\s*\(/i,
+      /\bstrftime\s*\(/i,
+      /\blast_insert_rowid\s*\(/i
+    ];
+    prismaClientPromise = null;
+    compatibilityBootstrapPromise = null;
+  }
+});
+
+// src/lib/daemon-auth.ts
+import crypto from "crypto";
+import path4 from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+function normalizeToken(token) {
+  if (!token) return null;
+  const trimmed = token.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function readDaemonToken() {
+  try {
+    if (!existsSync4(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function ensureDaemonToken(seed) {
+  const existing = readDaemonToken();
+  if (existing) return existing;
+  const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
+  ensurePrivateDirSync(EXE_AI_DIR);
+  writeFileSync2(DAEMON_TOKEN_PATH, `${token}
+`, "utf8");
+  enforcePrivateFileSync(DAEMON_TOKEN_PATH);
+  return token;
+}
+var DAEMON_TOKEN_PATH;
+var init_daemon_auth = __esm({
+  "src/lib/daemon-auth.ts"() {
+    "use strict";
+    init_config();
+    init_secure_files();
+    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
+  }
+});
+
+// src/lib/exe-daemon-client.ts
+import net from "net";
+import os4 from "os";
+import { spawn } from "child_process";
+import { randomUUID } from "crypto";
+import { existsSync as existsSync5, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
+import path5 from "path";
+import { fileURLToPath } from "url";
+function handleData(chunk) {
+  _buffer += chunk.toString();
+  if (_buffer.length > MAX_BUFFER) {
+    _buffer = "";
+    return;
+  }
+  let newlineIdx;
+  while ((newlineIdx = _buffer.indexOf("\n")) !== -1) {
+    const line = _buffer.slice(0, newlineIdx).trim();
+    _buffer = _buffer.slice(newlineIdx + 1);
+    if (!line) continue;
+    try {
+      const response = JSON.parse(line);
+      const id = response.id;
+      if (!id) continue;
+      const entry = _pending.get(id);
+      if (entry) {
+        clearTimeout(entry.timer);
+        _pending.delete(id);
+        entry.resolve(response);
+      }
+    } catch {
+    }
+  }
+}
+function cleanupStaleFiles() {
+  if (existsSync5(PID_PATH)) {
+    try {
+      const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
+      if (pid > 0) {
+        try {
+          process.kill(pid, 0);
+          return;
+        } catch {
+        }
+      }
+    } catch {
+    }
+    try {
+      unlinkSync2(PID_PATH);
+    } catch {
+    }
+    try {
+      unlinkSync2(SOCKET_PATH);
+    } catch {
+    }
+  }
+}
+function findPackageRoot() {
+  let dir = path5.dirname(fileURLToPath(import.meta.url));
+  const { root } = path5.parse(dir);
+  while (dir !== root) {
+    if (existsSync5(path5.join(dir, "package.json"))) return dir;
+    dir = path5.dirname(dir);
+  }
+  return null;
+}
+function getAvailableMemoryGB() {
+  if (process.platform === "darwin") {
+    try {
+      const { execSync: execSync3 } = __require("child_process");
+      const vmstat = execSync3("vm_stat", { encoding: "utf8" });
+      const pageSize = 16384;
+      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
+      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
+      const free = vmstat.match(/Pages free:\s+(\d+)/);
+      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
+      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
+      const freePages = free ? parseInt(free[1], 10) : 0;
+      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
+      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
+      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
+    } catch {
+      return os4.freemem() / (1024 * 1024 * 1024);
+    }
+  }
+  return os4.freemem() / (1024 * 1024 * 1024);
+}
+function spawnDaemon() {
+  const freeGB = getAvailableMemoryGB();
+  const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
+  if (totalGB <= 8) {
+    process.stderr.write(
+      `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
+`
+    );
+    return;
+  }
+  if (totalGB <= 16 && freeGB < 2) {
+    process.stderr.write(
+      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
+`
+    );
+    return;
+  }
+  const pkgRoot = findPackageRoot();
+  if (!pkgRoot) {
+    process.stderr.write("[exed-client] WARN: cannot find package root\n");
+    return;
+  }
+  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync5(daemonPath)) {
+    process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
+`);
+    return;
+  }
+  const resolvedPath = daemonPath;
+  const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
+  process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
+`);
+  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
+  let stderrFd = "ignore";
+  try {
+    stderrFd = openSync(logPath, "a");
+  } catch {
+  }
+  const heapCapMB = totalGB <= 8 ? 256 : 512;
+  const nodeArgs = [`--max-old-space-size=${heapCapMB}`, resolvedPath];
+  const child = spawn(process.execPath, nodeArgs, {
+    detached: true,
+    stdio: ["ignore", "ignore", stderrFd],
+    env: {
+      ...process.env,
+      TMUX: void 0,
+      // Daemon is global — must not inherit session scope
+      TMUX_PANE: void 0,
+      // Prevents resolveExeSession() from scoping to one session
+      EXE_DAEMON_SOCK: SOCKET_PATH,
+      EXE_DAEMON_PID: PID_PATH,
+      [DAEMON_TOKEN_ENV]: daemonToken
+    }
+  });
+  child.unref();
+  if (typeof stderrFd === "number") {
+    try {
+      closeSync(stderrFd);
+    } catch {
+    }
+  }
+}
+function acquireSpawnLock() {
+  try {
+    const fd = openSync(SPAWN_LOCK_PATH, "wx");
+    closeSync(fd);
+    return true;
+  } catch {
+    try {
+      const stat = statSync(SPAWN_LOCK_PATH);
+      if (Date.now() - stat.mtimeMs > SPAWN_LOCK_STALE_MS) {
+        try {
+          unlinkSync2(SPAWN_LOCK_PATH);
+        } catch {
+        }
+        try {
+          const fd = openSync(SPAWN_LOCK_PATH, "wx");
+          closeSync(fd);
+          return true;
+        } catch {
+        }
+      }
+    } catch {
+    }
+    return false;
+  }
+}
+function releaseSpawnLock() {
+  try {
+    unlinkSync2(SPAWN_LOCK_PATH);
+  } catch {
+  }
+}
+function connectToSocket() {
+  return new Promise((resolve) => {
+    if (_socket && _connected) {
+      resolve(true);
+      return;
+    }
+    const socket = net.createConnection({ path: SOCKET_PATH });
+    const connectTimeout = setTimeout(() => {
+      socket.destroy();
+      resolve(false);
+    }, 2e3);
+    socket.on("connect", () => {
+      clearTimeout(connectTimeout);
+      _socket = socket;
+      _connected = true;
+      _buffer = "";
+      socket.on("data", handleData);
+      socket.on("close", () => {
+        _connected = false;
+        _socket = null;
+        for (const [id, entry] of _pending) {
+          clearTimeout(entry.timer);
+          _pending.delete(id);
+          entry.resolve({ error: "Connection closed" });
+        }
+      });
+      socket.on("error", () => {
+        _connected = false;
+        _socket = null;
+      });
+      resolve(true);
+    });
+    socket.on("error", () => {
+      clearTimeout(connectTimeout);
+      resolve(false);
+    });
+  });
+}
+async function connectEmbedDaemon() {
+  if (_socket && _connected) return true;
+  if (await connectToSocket()) return true;
+  if (acquireSpawnLock()) {
+    try {
+      cleanupStaleFiles();
+      spawnDaemon();
+    } finally {
+      releaseSpawnLock();
+    }
+  }
+  const start = Date.now();
+  let delay2 = 100;
+  while (Date.now() - start < CONNECT_TIMEOUT_MS) {
+    await new Promise((r) => setTimeout(r, delay2));
+    if (await connectToSocket()) return true;
+    delay2 = Math.min(delay2 * 2, 3e3);
+  }
+  return false;
+}
+function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
+  return new Promise((resolve) => {
+    if (!_socket || !_connected) {
+      resolve({ error: "Not connected" });
+      return;
+    }
+    const id = randomUUID();
+    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
+    const timer = setTimeout(() => {
+      _pending.delete(id);
+      resolve({ error: "Request timeout" });
+    }, timeoutMs);
+    _pending.set(id, { resolve, timer });
+    try {
+      _socket.write(JSON.stringify({ id, token, ...payload }) + "\n");
+    } catch {
+      clearTimeout(timer);
+      _pending.delete(id);
+      resolve({ error: "Write failed" });
+    }
+  });
+}
+function isClientConnected() {
+  return _connected;
+}
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _pending, MAX_BUFFER;
+var init_exe_daemon_client = __esm({
+  "src/lib/exe-daemon-client.ts"() {
+    "use strict";
+    init_config();
+    init_daemon_auth();
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
+    SPAWN_LOCK_STALE_MS = 3e4;
+    CONNECT_TIMEOUT_MS = 15e3;
+    REQUEST_TIMEOUT_MS = 3e4;
+    DAEMON_TOKEN_ENV = "EXE_DAEMON_TOKEN";
+    _socket = null;
+    _connected = false;
+    _buffer = "";
+    _pending = /* @__PURE__ */ new Map();
+    MAX_BUFFER = 1e7;
+  }
+});
+
+// src/lib/daemon-protocol.ts
+function serializeValue(v) {
+  if (v === null || v === void 0) return null;
+  if (typeof v === "bigint") return Number(v);
+  if (typeof v === "boolean") return v ? 1 : 0;
+  if (v instanceof Uint8Array) {
+    return { __blob: Buffer.from(v).toString("base64") };
+  }
+  if (ArrayBuffer.isView(v)) {
+    return { __blob: Buffer.from(v.buffer, v.byteOffset, v.byteLength).toString("base64") };
+  }
+  if (v instanceof ArrayBuffer) {
+    return { __blob: Buffer.from(v).toString("base64") };
+  }
+  if (typeof v === "string" || typeof v === "number") return v;
+  return String(v);
+}
+function deserializeValue(v) {
+  if (v === null) return null;
+  if (typeof v === "object" && v !== null && "__blob" in v) {
+    const buf = Buffer.from(v.__blob, "base64");
+    return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
+  }
+  return v;
+}
+function deserializeResultSet(srs) {
+  const rows = srs.rows.map((obj) => {
+    const values = srs.columns.map(
+      (col) => deserializeValue(obj[col] ?? null)
+    );
+    const row = values;
+    for (let i = 0; i < srs.columns.length; i++) {
+      const col = srs.columns[i];
+      if (col !== void 0) {
+        row[col] = values[i] ?? null;
+      }
+    }
+    Object.defineProperty(row, "length", {
+      value: values.length,
+      enumerable: false
+    });
+    return row;
+  });
+  return {
+    columns: srs.columns,
+    columnTypes: srs.columnTypes ?? [],
+    rows,
+    rowsAffected: srs.rowsAffected,
+    lastInsertRowid: srs.lastInsertRowid != null ? BigInt(srs.lastInsertRowid) : void 0,
+    toJSON: () => ({
+      columns: srs.columns,
+      columnTypes: srs.columnTypes ?? [],
+      rows: srs.rows,
+      rowsAffected: srs.rowsAffected,
+      lastInsertRowid: srs.lastInsertRowid
+    })
+  };
+}
+var init_daemon_protocol = __esm({
+  "src/lib/daemon-protocol.ts"() {
+    "use strict";
+  }
+});
+
+// src/lib/db-daemon-client.ts
+var db_daemon_client_exports = {};
+__export(db_daemon_client_exports, {
+  createDaemonDbClient: () => createDaemonDbClient,
+  initDaemonDbClient: () => initDaemonDbClient
+});
+function normalizeStatement2(stmt) {
+  if (typeof stmt === "string") {
+    return { sql: stmt, args: [] };
+  }
+  const sql = stmt.sql;
+  let args = [];
+  if (Array.isArray(stmt.args)) {
+    args = stmt.args.map((v) => serializeValue(v));
+  } else if (stmt.args && typeof stmt.args === "object") {
+    const named = {};
+    for (const [key, val] of Object.entries(stmt.args)) {
+      named[key] = serializeValue(val);
+    }
+    return { sql, args: named };
+  }
+  return { sql, args };
+}
+function createDaemonDbClient(fallbackClient) {
+  let _useDaemon = false;
+  const client = {
+    async execute(stmt) {
+      if (!_useDaemon || !isClientConnected()) {
+        return fallbackClient.execute(stmt);
+      }
+      const { sql, args } = normalizeStatement2(stmt);
+      const response = await sendDaemonRequest({
+        type: "db-execute",
+        sql,
+        args
+      });
+      if (response.error) {
+        const errMsg = String(response.error);
+        if (errMsg === "Not connected" || errMsg === "Request timeout" || errMsg === "Write failed" || errMsg === "DB not initialized") {
+          process.stderr.write(`[db-daemon] Transport error (${errMsg}), falling back to direct
+`);
+          return fallbackClient.execute(stmt);
+        }
+        throw new Error(errMsg);
+      }
+      if (response.db) {
+        return deserializeResultSet(response.db);
+      }
+      process.stderr.write("[db-daemon] Unexpected response shape, falling back to direct\n");
+      return fallbackClient.execute(stmt);
+    },
+    async batch(stmts, mode) {
+      if (!_useDaemon || !isClientConnected()) {
+        return fallbackClient.batch(stmts, mode);
+      }
+      const statements = stmts.map(normalizeStatement2);
+      const response = await sendDaemonRequest({
+        type: "db-batch",
+        statements,
+        mode: mode ?? "deferred"
+      });
+      if (response.error) {
+        const errMsg = String(response.error);
+        if (errMsg === "Not connected" || errMsg === "Request timeout" || errMsg === "Write failed" || errMsg === "DB not initialized") {
+          process.stderr.write(`[db-daemon] Batch transport error (${errMsg}), falling back to direct
+`);
+          return fallbackClient.batch(stmts, mode);
+        }
+        throw new Error(errMsg);
+      }
+      const batchResults = response["db-batch"];
+      if (batchResults) {
+        return batchResults.map(deserializeResultSet);
+      }
+      process.stderr.write("[db-daemon] Unexpected batch response shape, falling back to direct\n");
+      return fallbackClient.batch(stmts, mode);
+    },
+    // Transaction support — delegate to fallback (transactions need direct connection)
+    async transaction(mode) {
+      return fallbackClient.transaction(mode);
+    },
+    // executeMultiple — delegate to fallback (used only for schema migrations)
+    async executeMultiple(sql) {
+      return fallbackClient.executeMultiple(sql);
+    },
+    // migrate — delegate to fallback
+    async migrate(stmts) {
+      return fallbackClient.migrate(stmts);
+    },
+    // Sync mode — delegate to fallback
+    sync() {
+      return fallbackClient.sync();
+    },
+    close() {
+      _useDaemon = false;
+    },
+    get closed() {
+      return fallbackClient.closed;
+    },
+    get protocol() {
+      return fallbackClient.protocol;
+    }
+  };
+  return {
+    ...client,
+    /** Enable daemon routing (call after confirming daemon is connected) */
+    _enableDaemon() {
+      _useDaemon = true;
+    },
+    /** Check if daemon routing is active */
+    _isDaemonActive() {
+      return _useDaemon && isClientConnected();
+    }
+  };
+}
+async function initDaemonDbClient(fallbackClient) {
+  if (process.env.EXE_IS_DAEMON === "1") return null;
+  const connected = await connectEmbedDaemon();
+  if (!connected) {
+    process.stderr.write("[db-daemon] Daemon unavailable \u2014 using direct SQLite\n");
+    return null;
+  }
+  const client = createDaemonDbClient(fallbackClient);
+  client._enableDaemon();
+  process.stderr.write("[db-daemon] DB routing through daemon (single-writer)\n");
+  return client;
+}
+var init_db_daemon_client = __esm({
+  "src/lib/db-daemon-client.ts"() {
+    "use strict";
+    init_exe_daemon_client();
+    init_daemon_protocol();
+  }
+});
+
+// src/lib/database.ts
+var database_exports = {};
+__export(database_exports, {
+  SOFT_DELETE_RETENTION_DAYS: () => SOFT_DELETE_RETENTION_DAYS,
+  disposeDatabase: () => disposeDatabase,
+  disposeTurso: () => disposeTurso,
+  ensureSchema: () => ensureSchema,
+  getClient: () => getClient,
+  getRawClient: () => getRawClient,
+  initDaemonClient: () => initDaemonClient,
+  initDatabase: () => initDatabase,
+  initTurso: () => initTurso,
+  isInitialized: () => isInitialized,
+  setExternalClient: () => setExternalClient
+});
+import { createClient } from "@libsql/client";
+async function initDatabase(config) {
+  if (_walCheckpointTimer) {
+    clearInterval(_walCheckpointTimer);
+    _walCheckpointTimer = null;
+  }
+  if (_daemonClient) {
+    _daemonClient.close();
+    _daemonClient = null;
+  }
+  if (_adapterClient && _adapterClient !== _resilientClient) {
+    _adapterClient.close();
+  }
+  _adapterClient = null;
+  if (_client) {
+    _client.close();
+    _client = null;
+    _resilientClient = null;
+  }
+  const opts = {
+    url: `file:${config.dbPath}`
+  };
+  if (config.encryptionKey) {
+    opts.encryptionKey = config.encryptionKey;
+  }
+  _client = createClient(opts);
+  _resilientClient = wrapWithRetry(_client);
+  _adapterClient = _resilientClient;
+  _client.execute("PRAGMA busy_timeout = 30000").catch(() => {
+  });
+  _client.execute("PRAGMA journal_mode = WAL").catch(() => {
+  });
+  if (_walCheckpointTimer) clearInterval(_walCheckpointTimer);
+  _walCheckpointTimer = setInterval(() => {
+    _client?.execute("PRAGMA wal_checkpoint(PASSIVE)").catch(() => {
+    });
+  }, 3e4);
+  _walCheckpointTimer.unref();
+  if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
+    _adapterClient = await createPrismaDbAdapter(_resilientClient);
+  }
+}
+function isInitialized() {
+  return _adapterClient !== null || _client !== null;
+}
+function setExternalClient(client) {
+  _adapterClient = client;
+}
+function getClient() {
+  if (!_adapterClient) {
+    throw new Error("Database client not initialized. Call initDatabase() first.");
+  }
+  if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
+    return _adapterClient;
+  }
+  if (process.env.EXE_IS_DAEMON === "1") {
+    return _resilientClient;
+  }
+  if (_daemonClient && _daemonClient._isDaemonActive()) {
+    return _daemonClient;
+  }
+  if (!_resilientClient) {
+    return _adapterClient;
+  }
+  return _resilientClient;
+}
+async function initDaemonClient() {
+  if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") return;
+  if (process.env.EXE_IS_DAEMON === "1") return;
+  if (process.env.VITEST) return;
+  if (!_resilientClient) return;
+  if (_daemonClient) return;
+  try {
+    const { initDaemonDbClient: initDaemonDbClient2 } = await Promise.resolve().then(() => (init_db_daemon_client(), db_daemon_client_exports));
+    _daemonClient = await initDaemonDbClient2(_resilientClient);
+  } catch (err) {
+    process.stderr.write(
+      `[database] Daemon client init failed (non-fatal): ${err instanceof Error ? err.message : String(err)}
+`
+    );
+  }
+}
+function getRawClient() {
+  if (!_client) {
+    throw new Error("Database client not initialized. Call initDatabase() first.");
+  }
+  return _client;
+}
+async function ensureSchema() {
+  const client = getRawClient();
+  await client.execute("PRAGMA journal_mode = WAL");
+  await client.execute("PRAGMA busy_timeout = 30000");
+  await client.execute("PRAGMA wal_autocheckpoint = 1000");
+  try {
+    await client.execute("PRAGMA libsql_vector_search_ef = 128");
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS memories (
+      id            TEXT PRIMARY KEY,
+      agent_id      TEXT NOT NULL,
+      agent_role    TEXT NOT NULL,
+      session_id    TEXT NOT NULL,
+      timestamp     TEXT NOT NULL,
+      tool_name     TEXT NOT NULL,
+      project_name  TEXT NOT NULL,
+      has_error     INTEGER NOT NULL DEFAULT 0,
+      raw_text      TEXT NOT NULL,
+      vector        F32_BLOB(1024),
+      version       INTEGER NOT NULL DEFAULT 0
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_memories_agent
+      ON memories(agent_id);
+
+    CREATE INDEX IF NOT EXISTS idx_memories_timestamp
+      ON memories(timestamp);
+
+    CREATE INDEX IF NOT EXISTS idx_memories_session
+      ON memories(session_id);
+
+    CREATE INDEX IF NOT EXISTS idx_memories_project
+      ON memories(project_name);
+
+    CREATE INDEX IF NOT EXISTS idx_memories_tool
+      ON memories(tool_name);
+
+    CREATE INDEX IF NOT EXISTS idx_memories_version
+      ON memories(version);
+
+    CREATE INDEX IF NOT EXISTS idx_memories_agent_project
+      ON memories(agent_id, project_name);
+  `);
+  await client.executeMultiple(`
+    CREATE VIRTUAL TABLE IF NOT EXISTS memories_fts USING fts5(
+      raw_text,
+      content='memories',
+      content_rowid='rowid'
+    );
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ai AFTER INSERT ON memories BEGIN
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ad AFTER DELETE ON memories BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_au AFTER UPDATE ON memories
+    WHEN new.status IS NULL OR new.status != 'deleted' BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+
+    -- Soft-delete trigger: remove from FTS when status changes to 'deleted'
+    CREATE TRIGGER IF NOT EXISTS memories_fts_soft_delete AFTER UPDATE ON memories
+    WHEN new.status = 'deleted' AND (old.status IS NULL OR old.status != 'deleted') BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+    END;
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS sync_meta (
+      key   TEXT PRIMARY KEY,
+      value TEXT NOT NULL
+    );
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS tasks (
+      id            TEXT PRIMARY KEY,
+      title         TEXT NOT NULL,
+      assigned_to   TEXT NOT NULL,
+      assigned_by   TEXT NOT NULL,
+      project_name  TEXT NOT NULL,
+      priority      TEXT NOT NULL DEFAULT 'p1',
+      status        TEXT NOT NULL DEFAULT 'open',
+      task_file     TEXT,
+      created_at    TEXT NOT NULL,
+      updated_at    TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_tasks_assignee_status
+      ON tasks(assigned_to, status);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS behaviors (
+      id           TEXT PRIMARY KEY,
+      agent_id     TEXT NOT NULL,
+      project_name TEXT,
+      domain       TEXT,
+      content      TEXT NOT NULL,
+      active       INTEGER NOT NULL DEFAULT 1,
+      created_at   TEXT NOT NULL,
+      updated_at   TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_behaviors_agent
+      ON behaviors(agent_id, active);
+  `);
+  try {
+    const coordinatorName = getCoordinatorName();
+    const existing = await client.execute({
+      sql: "SELECT COUNT(*) as cnt FROM behaviors WHERE agent_id = ?",
+      args: [coordinatorName]
+    });
+    if (Number(existing.rows[0]?.cnt) === 0) {
+      const seededAt = "2026-03-25T00:00:00Z";
+      for (const [domain, content] of [
+        ["workflow", `Don't ask "keep going?" \u2014 just keep executing phases/plans autonomously`],
+        ["tool-use", "Always use create_task MCP tool, never write .md files directly for task creation"],
+        ["workflow", "Auto-start reviewing when idle and reviews are pending \u2014 never ask founder for permission"]
+      ]) {
+        await client.execute({
+          sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, content, active, created_at, updated_at)
+                VALUES (hex(randomblob(16)), ?, NULL, ?, ?, 1, ?, ?)`,
+          args: [coordinatorName, domain, content, seededAt, seededAt]
+        });
+      }
+    }
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE behaviors ADD COLUMN priority TEXT DEFAULT 'p1'`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE behaviors ADD COLUMN vector F32_BLOB(${EMBEDDING_DIM})`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN blocked_by TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN parent_task_id TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `CREATE INDEX IF NOT EXISTS idx_tasks_parent_task_id
+              ON tasks(parent_task_id)
+              WHERE parent_task_id IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'done' WHERE status = 'completed'`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN reviewer TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN context TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN result TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN assigned_tmux TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN checkpoint TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN checkpoint_count INTEGER NOT NULL DEFAULT 0`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN complexity TEXT NOT NULL DEFAULT 'standard'`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN task_id TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN author_device_id TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS consolidations (
+      id                    TEXT PRIMARY KEY,
+      consolidated_memory_id TEXT NOT NULL,
+      source_memory_id      TEXT NOT NULL,
+      created_at            TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_consolidations_source
+      ON consolidations(source_memory_id);
+
+    CREATE INDEX IF NOT EXISTS idx_consolidations_consolidated
+      ON consolidations(consolidated_memory_id);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS reminders (
+      id            TEXT PRIMARY KEY,
+      text          TEXT NOT NULL,
+      created_at    TEXT NOT NULL,
+      due_date      TEXT,
+      completed_at  TEXT
+    );
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS notifications (
+      id          TEXT PRIMARY KEY,
+      agent_id    TEXT NOT NULL,
+      agent_role  TEXT NOT NULL,
+      event       TEXT NOT NULL,
+      project     TEXT NOT NULL,
+      summary     TEXT NOT NULL,
+      task_file   TEXT,
+      session_scope TEXT,
+      read        INTEGER NOT NULL DEFAULT 0,
+      created_at  TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_notifications_read
+      ON notifications(read);
+
+    CREATE INDEX IF NOT EXISTS idx_notifications_agent
+      ON notifications(agent_id, session_scope);
+
+    CREATE INDEX IF NOT EXISTS idx_notifications_task_file
+      ON notifications(task_file);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS schedules (
+      id            TEXT PRIMARY KEY,
+      cron          TEXT NOT NULL,
+      description   TEXT NOT NULL,
+      job_type      TEXT NOT NULL DEFAULT 'report',
+      prompt        TEXT,
+      assigned_to   TEXT,
+      project_name  TEXT,
+      active        INTEGER NOT NULL DEFAULT 1,
+      use_crontab   INTEGER NOT NULL DEFAULT 0,
+      created_at    TEXT NOT NULL
+    );
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS device_registry (
+      device_id     TEXT PRIMARY KEY,
+      friendly_name TEXT NOT NULL,
+      hostname      TEXT NOT NULL,
+      projects      TEXT NOT NULL DEFAULT '[]',
+      agents        TEXT NOT NULL DEFAULT '[]',
+      connected     INTEGER DEFAULT 0,
+      last_seen     TEXT NOT NULL
+    );
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS messages (
+      id              TEXT PRIMARY KEY,
+      from_agent      TEXT NOT NULL,
+      from_device     TEXT NOT NULL DEFAULT 'local',
+      target_agent    TEXT NOT NULL,
+      target_project  TEXT,
+      target_device   TEXT NOT NULL DEFAULT 'local',
+      session_scope   TEXT,
+      content         TEXT NOT NULL,
+      priority        TEXT DEFAULT 'normal',
+      status          TEXT DEFAULT 'pending',
+      server_seq      INTEGER,
+      retry_count     INTEGER DEFAULT 0,
+      created_at      TEXT NOT NULL,
+      delivered_at    TEXT,
+      processed_at    TEXT,
+      failed_at       TEXT,
+      failure_reason  TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_messages_target
+      ON messages(target_agent, session_scope, status);
+
+    CREATE INDEX IF NOT EXISTS idx_messages_conversation_order
+      ON messages(target_agent, session_scope, from_agent, server_seq);
+  `);
+  try {
+    await client.execute({
+      sql: `ALTER TABLE notifications ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE messages ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE INDEX IF NOT EXISTS idx_notifications_agent_scope_read
+      ON notifications(agent_id, session_scope, read, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_messages_target_scope_status
+      ON messages(target_agent, session_scope, status, created_at);
+  `);
+  try {
+    await client.execute({
+      sql: `UPDATE memories SET project_name = 'exe-create' WHERE project_name = 'web'`,
+      args: []
+    });
+    await client.execute({
+      sql: `UPDATE memories SET project_name = 'exe-os' WHERE project_name = 'worker'`,
+      args: []
+    });
+    await client.execute({
+      sql: `UPDATE tasks SET project_name = 'exe-create' WHERE project_name = 'web'`,
+      args: []
+    });
+    await client.execute({
+      sql: `UPDATE tasks SET project_name = 'exe-os' WHERE project_name = 'worker'`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS trajectories (
+      id              TEXT PRIMARY KEY,
+      task_id         TEXT NOT NULL,
+      agent_id        TEXT NOT NULL,
+      project_name    TEXT NOT NULL,
+      task_title      TEXT NOT NULL,
+      signature       TEXT NOT NULL,
+      signature_hash  TEXT NOT NULL,
+      tool_count      INTEGER NOT NULL,
+      skill_id        TEXT,
+      created_at      TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_trajectories_hash
+      ON trajectories(signature_hash);
+
+    CREATE INDEX IF NOT EXISTS idx_trajectories_agent
+      ON trajectories(agent_id);
+  `);
+  try {
+    await client.execute("ALTER TABLE trajectories ADD COLUMN skill_id TEXT");
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS consolidations (
+      id                    TEXT PRIMARY KEY,
+      consolidated_memory_id TEXT NOT NULL,
+      source_memory_id      TEXT NOT NULL,
+      created_at            TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_consolidations_source
+      ON consolidations(source_memory_id);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS audit_trail (
+      id                  INTEGER PRIMARY KEY AUTOINCREMENT,
+      timestamp           TEXT NOT NULL,
+      session_id          TEXT NOT NULL,
+      agent_id            TEXT NOT NULL,
+      tool                TEXT NOT NULL,
+      input               TEXT,
+      decision            TEXT NOT NULL,
+      reason              TEXT,
+      is_customer_facing  INTEGER NOT NULL DEFAULT 0
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_audit_trail_agent
+      ON audit_trail(agent_id, timestamp);
+
+    CREATE INDEX IF NOT EXISTS idx_audit_trail_session
+      ON audit_trail(session_id);
+  `);
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN deleted_at TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN confidence REAL DEFAULT 0.7`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN last_accessed TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `UPDATE memories SET last_accessed = timestamp WHERE last_accessed IS NULL`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN graph_extracted INTEGER DEFAULT 0`,
+      args: []
+    });
+  } catch {
+  }
+  for (const col of [
+    "ALTER TABLE memories ADD COLUMN content_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN graph_extracted_hash TEXT"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+  try {
+    await client.execute(
+      `CREATE INDEX IF NOT EXISTS idx_memories_content_hash ON memories(content_hash, agent_id)`
+    );
+  } catch {
+  }
+  try {
+    await client.execute(
+      `CREATE INDEX IF NOT EXISTS idx_memories_scoped_content_hash
+         ON memories(content_hash, agent_id, project_name, memory_type)
+         WHERE content_hash IS NOT NULL`
+    );
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS entities (
+      id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      type TEXT NOT NULL,
+      first_seen TEXT NOT NULL,
+      last_seen TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(name, type)
+    );
+
+    CREATE TABLE IF NOT EXISTS relationships (
+      id TEXT PRIMARY KEY,
+      source_entity_id TEXT NOT NULL,
+      target_entity_id TEXT NOT NULL,
+      type TEXT NOT NULL,
+      weight REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(source_entity_id, target_entity_id, type)
+    );
+
+    CREATE TABLE IF NOT EXISTS entity_memories (
+      entity_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (entity_id, memory_id)
+    );
+
+    CREATE TABLE IF NOT EXISTS relationship_memories (
+      relationship_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (relationship_id, memory_id)
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_entities_name ON entities(name);
+    CREATE INDEX IF NOT EXISTS idx_entities_type ON entities(type);
+    CREATE INDEX IF NOT EXISTS idx_relationships_source ON relationships(source_entity_id);
+    CREATE INDEX IF NOT EXISTS idx_relationships_target ON relationships(target_entity_id);
+
+    CREATE TABLE IF NOT EXISTS hyperedges (
+      id TEXT PRIMARY KEY,
+      label TEXT NOT NULL,
+      relation TEXT NOT NULL,
+      confidence REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS hyperedge_nodes (
+      hyperedge_id TEXT NOT NULL,
+      entity_id TEXT NOT NULL,
+      PRIMARY KEY (hyperedge_id, entity_id)
+    );
+
+    CREATE VIRTUAL TABLE IF NOT EXISTS entities_fts USING fts5(
+      name,
+      content=entities,
+      content_rowid=rowid
+    );
+
+    CREATE TRIGGER IF NOT EXISTS entities_fts_ai AFTER INSERT ON entities BEGIN
+      INSERT INTO entities_fts(rowid, name) VALUES (new.rowid, new.name);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS entities_fts_ad AFTER DELETE ON entities BEGIN
+      INSERT INTO entities_fts(entities_fts, rowid, name) VALUES('delete', old.rowid, old.name);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS entities_fts_au AFTER UPDATE ON entities BEGIN
+      INSERT INTO entities_fts(entities_fts, rowid, name) VALUES('delete', old.rowid, old.name);
+      INSERT INTO entities_fts(rowid, name) VALUES (new.rowid, new.name);
+    END;
+  `);
+  try {
+    await client.execute("INSERT INTO entities_fts(entities_fts) VALUES('rebuild')");
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS entity_aliases (
+      alias TEXT NOT NULL PRIMARY KEY,
+      canonical_entity_id TEXT NOT NULL
+    );
+    CREATE INDEX IF NOT EXISTS idx_entity_aliases_canonical ON entity_aliases(canonical_entity_id);
+  `);
+  for (const col of [
+    "ALTER TABLE relationships ADD COLUMN confidence REAL DEFAULT 1.0",
+    "ALTER TABLE relationships ADD COLUMN confidence_label TEXT DEFAULT 'extracted'"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+  try {
+    await client.execute(
+      `CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status)`
+    );
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS identity (
+      id          INTEGER PRIMARY KEY AUTOINCREMENT,
+      agent_id    TEXT NOT NULL UNIQUE,
+      content_hash TEXT NOT NULL,
+      updated_at  TEXT NOT NULL,
+      updated_by  TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_identity_agent ON identity(agent_id);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS chat_history (
+      id          INTEGER PRIMARY KEY AUTOINCREMENT,
+      session_id  TEXT NOT NULL,
+      role        TEXT NOT NULL,
+      content     TEXT NOT NULL,
+      tool_name   TEXT,
+      tool_id     TEXT,
+      is_error    INTEGER NOT NULL DEFAULT 0,
+      timestamp   INTEGER NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_chat_history_session
+      ON chat_history(session_id, id);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS workspaces (
+      id              TEXT PRIMARY KEY,
+      slug            TEXT NOT NULL UNIQUE,
+      name            TEXT NOT NULL,
+      owner_agent_id  TEXT,
+      created_at      TEXT NOT NULL,
+      metadata        TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_workspaces_slug
+      ON workspaces(slug);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS documents (
+      id            TEXT PRIMARY KEY,
+      workspace_id  TEXT NOT NULL,
+      filename      TEXT NOT NULL,
+      mime          TEXT,
+      source_type   TEXT,
+      user_id       TEXT,
+      uploaded_at   TEXT NOT NULL,
+      metadata      TEXT,
+      FOREIGN KEY (workspace_id) REFERENCES workspaces(id)
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_documents_workspace
+      ON documents(workspace_id);
+
+    CREATE INDEX IF NOT EXISTS idx_documents_user
+      ON documents(user_id);
+  `);
+  for (const column of [
+    "workspace_id TEXT",
+    "document_id TEXT",
+    "user_id TEXT",
+    "char_offset INTEGER",
+    "page_number INTEGER"
+  ]) {
+    try {
+      await client.execute({
+        sql: `ALTER TABLE memories ADD COLUMN ${column}`,
+        args: []
+      });
+    } catch {
+    }
+  }
+  for (const col of [
+    "ALTER TABLE memories ADD COLUMN source_path TEXT",
+    "ALTER TABLE memories ADD COLUMN source_type TEXT DEFAULT 'text'"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+  await client.executeMultiple(`
+    CREATE INDEX IF NOT EXISTS idx_memories_workspace
+      ON memories(workspace_id);
+
+    CREATE INDEX IF NOT EXISTS idx_memories_document
+      ON memories(document_id);
+
+    CREATE INDEX IF NOT EXISTS idx_memories_user
+      ON memories(user_id);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS session_kills (
+      id                      TEXT PRIMARY KEY,
+      session_name            TEXT NOT NULL,
+      agent_id                TEXT NOT NULL,
+      killed_at               TIMESTAMP NOT NULL,
+      reason                  TEXT NOT NULL,
+      ticks_idle              INTEGER,
+      estimated_tokens_saved  INTEGER
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_session_kills_killed_at
+      ON session_kills(killed_at);
+
+    CREATE INDEX IF NOT EXISTS idx_session_kills_agent
+      ON session_kills(agent_id);
+  `);
+  await client.execute(`
+    CREATE TABLE IF NOT EXISTS company_procedures (
+      id TEXT PRIMARY KEY,
+      title TEXT NOT NULL,
+      content TEXT NOT NULL,
+      priority TEXT NOT NULL DEFAULT 'p0',
+      domain TEXT,
+      active INTEGER NOT NULL DEFAULT 1,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    )
+  `);
+  const legacyProcedureObject = await client.execute({
+    sql: "SELECT type FROM sqlite_master WHERE name = 'global_procedures'",
+    args: []
+  });
+  const legacyProcedureType = legacyProcedureObject.rows[0]?.type == null ? null : String(legacyProcedureObject.rows[0].type);
+  if (legacyProcedureType === "table") {
+    await client.execute(`
+      INSERT OR IGNORE INTO company_procedures
+        (id, title, content, priority, domain, active, created_at, updated_at)
+      SELECT id, title, content, priority, domain, active, created_at, updated_at
+      FROM global_procedures
+    `);
+    await client.executeMultiple(`
+      CREATE TRIGGER IF NOT EXISTS global_procedures_mirror_insert
+        AFTER INSERT ON global_procedures
+      BEGIN
+        INSERT OR IGNORE INTO company_procedures
+          (id, title, content, priority, domain, active, created_at, updated_at)
+        VALUES
+          (NEW.id, NEW.title, NEW.content, NEW.priority, NEW.domain, NEW.active, NEW.created_at, NEW.updated_at);
+      END;
+
+      CREATE TRIGGER IF NOT EXISTS global_procedures_mirror_update
+        AFTER UPDATE ON global_procedures
+      BEGIN
+        UPDATE company_procedures
+        SET title = NEW.title,
+            content = NEW.content,
+            priority = NEW.priority,
+            domain = NEW.domain,
+            active = NEW.active,
+            created_at = NEW.created_at,
+            updated_at = NEW.updated_at
+        WHERE id = OLD.id;
+      END;
+    `);
+  } else {
+    await client.execute(`
+      CREATE VIEW IF NOT EXISTS global_procedures AS
+      SELECT id, title, content, priority, domain, active, created_at, updated_at
+      FROM company_procedures
+    `);
+    await client.executeMultiple(`
+      CREATE TRIGGER IF NOT EXISTS global_procedures_insert
+        INSTEAD OF INSERT ON global_procedures
+      BEGIN
+        INSERT INTO company_procedures
+          (id, title, content, priority, domain, active, created_at, updated_at)
+        VALUES
+          (NEW.id, NEW.title, NEW.content, NEW.priority, NEW.domain, NEW.active, NEW.created_at, NEW.updated_at);
+      END;
+
+      CREATE TRIGGER IF NOT EXISTS global_procedures_update
+        INSTEAD OF UPDATE ON global_procedures
+      BEGIN
+        UPDATE company_procedures
+        SET title = NEW.title,
+            content = NEW.content,
+            priority = NEW.priority,
+            domain = NEW.domain,
+            active = NEW.active,
+            created_at = NEW.created_at,
+            updated_at = NEW.updated_at
+        WHERE id = OLD.id;
+      END;
+    `);
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS conversations (
+      id              TEXT PRIMARY KEY,
+      platform        TEXT NOT NULL,
+      external_id     TEXT,
+      sender_id       TEXT NOT NULL,
+      sender_name     TEXT,
+      sender_phone    TEXT,
+      sender_email    TEXT,
+      recipient_id    TEXT,
+      channel_id      TEXT NOT NULL,
+      thread_id       TEXT,
+      reply_to_id     TEXT,
+      content_text    TEXT,
+      content_media   TEXT,
+      content_metadata TEXT,
+      agent_response  TEXT,
+      agent_name      TEXT,
+      timestamp       TEXT NOT NULL,
+      ingested_at     TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_conversations_platform
+      ON conversations(platform);
+
+    CREATE INDEX IF NOT EXISTS idx_conversations_sender
+      ON conversations(sender_id);
+
+    CREATE INDEX IF NOT EXISTS idx_conversations_timestamp
+      ON conversations(timestamp);
+
+    CREATE INDEX IF NOT EXISTS idx_conversations_thread
+      ON conversations(thread_id);
+
+    CREATE INDEX IF NOT EXISTS idx_conversations_channel
+      ON conversations(channel_id);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS session_agent_map (
+      session_uuid TEXT PRIMARY KEY,
+      agent_id TEXT NOT NULL,
+      session_name TEXT,
+      task_id TEXT,
+      project_name TEXT,
+      started_at TEXT NOT NULL,
+      cache_cold_count INTEGER NOT NULL DEFAULT 0
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_session_agent_map_agent
+      ON session_agent_map(agent_id);
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS agent_file_reads (
+      session_uuid TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      file_path TEXT NOT NULL,
+      read_at TEXT NOT NULL,
+      commit_hash TEXT,
+      PRIMARY KEY (session_uuid, file_path)
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_file_reads_agent_read_at
+      ON agent_file_reads(agent_id, read_at);
+  `);
+  try {
+    const mapCount = await client.execute({ sql: `SELECT COUNT(*) as cnt FROM session_agent_map`, args: [] });
+    if (Number(mapCount.rows[0]?.cnt ?? 0) === 0) {
+      await client.execute({
+        sql: `INSERT OR IGNORE INTO session_agent_map (session_uuid, agent_id, session_name, started_at)
+              SELECT session_id, agent_id, '', MIN(timestamp)
+              FROM memories
+              WHERE session_id IS NOT NULL AND session_id != '' AND agent_id IS NOT NULL AND agent_id != ''
+              GROUP BY session_id, agent_id`,
+        args: []
+      });
+    }
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE session_agent_map ADD COLUMN cache_cold_count INTEGER NOT NULL DEFAULT 0`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN budget_tokens INTEGER`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN budget_fallback_model TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN tokens_used INTEGER DEFAULT 0`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN tokens_warned_at INTEGER`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE VIRTUAL TABLE IF NOT EXISTS conversations_fts USING fts5(
+      content_text,
+      sender_name,
+      agent_response,
+      content='conversations',
+      content_rowid='rowid'
+    );
+
+    CREATE TRIGGER IF NOT EXISTS conversations_fts_ai AFTER INSERT ON conversations BEGIN
+      INSERT INTO conversations_fts(rowid, content_text, sender_name, agent_response)
+      VALUES (new.rowid, new.content_text, new.sender_name, new.agent_response);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS conversations_fts_ad AFTER DELETE ON conversations BEGIN
+      INSERT INTO conversations_fts(conversations_fts, rowid, content_text, sender_name, agent_response)
+      VALUES('delete', old.rowid, old.content_text, old.sender_name, old.agent_response);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS conversations_fts_au AFTER UPDATE ON conversations BEGIN
+      INSERT INTO conversations_fts(conversations_fts, rowid, content_text, sender_name, agent_response)
+      VALUES('delete', old.rowid, old.content_text, old.sender_name, old.agent_response);
+      INSERT INTO conversations_fts(rowid, content_text, sender_name, agent_response)
+      VALUES (new.rowid, new.content_text, new.sender_name, new.agent_response);
+    END;
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS memory_cards (
+      id            TEXT PRIMARY KEY,
+      memory_id     TEXT NOT NULL,
+      agent_id      TEXT NOT NULL,
+      session_id    TEXT NOT NULL,
+      project_name  TEXT,
+      timestamp     TEXT NOT NULL,
+      card_type     TEXT NOT NULL,
+      subject       TEXT,
+      predicate     TEXT,
+      object        TEXT,
+      content       TEXT NOT NULL,
+      source_ref    TEXT,
+      confidence    REAL DEFAULT 0.6,
+      active        INTEGER DEFAULT 1,
+      created_at    TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_memory_cards_agent
+      ON memory_cards(agent_id, active, timestamp);
+
+    CREATE INDEX IF NOT EXISTS idx_memory_cards_memory
+      ON memory_cards(memory_id);
+
+    CREATE VIRTUAL TABLE IF NOT EXISTS memory_cards_fts
+      USING fts5(content, subject, predicate, object, content='memory_cards', content_rowid='rowid');
+
+    CREATE TRIGGER IF NOT EXISTS memory_cards_fts_ai AFTER INSERT ON memory_cards BEGIN
+      INSERT INTO memory_cards_fts(rowid, content, subject, predicate, object)
+      VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memory_cards_fts_ad AFTER DELETE ON memory_cards BEGIN
+      INSERT INTO memory_cards_fts(memory_cards_fts, rowid, content, subject, predicate, object)
+      VALUES('delete', old.rowid, old.content, old.subject, old.predicate, old.object);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memory_cards_fts_au AFTER UPDATE ON memory_cards BEGIN
+      INSERT INTO memory_cards_fts(memory_cards_fts, rowid, content, subject, predicate, object)
+      VALUES('delete', old.rowid, old.content, old.subject, old.predicate, old.object);
+      INSERT INTO memory_cards_fts(rowid, content, subject, predicate, object)
+      VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
+    END;
+  `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS agent_sessions (
+      id              TEXT PRIMARY KEY,
+      agent_id        TEXT NOT NULL,
+      project_name    TEXT,
+      started_at      TEXT NOT NULL,
+      last_event_at   TEXT NOT NULL,
+      event_count     INTEGER NOT NULL DEFAULT 0,
+      properties      TEXT DEFAULT '{}'
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
+      ON agent_sessions(agent_id, started_at);
+
+    CREATE TABLE IF NOT EXISTS agent_goals (
+      id                TEXT PRIMARY KEY,
+      statement         TEXT NOT NULL,
+      owner_agent_id    TEXT,
+      project_name      TEXT,
+      status            TEXT NOT NULL DEFAULT 'open',
+      priority          INTEGER NOT NULL DEFAULT 5,
+      success_criteria  TEXT,
+      parent_goal_id    TEXT,
+      due_at            TEXT,
+      achieved_at       TEXT,
+      supersedes_id     TEXT,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL,
+      source_memory_id  TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
+      ON agent_goals(project_name, status, priority);
+
+    CREATE TABLE IF NOT EXISTS agent_events (
+      id                  TEXT PRIMARY KEY,
+      event_type          TEXT NOT NULL,
+      occurred_at         TEXT NOT NULL,
+      sequence_index      INTEGER NOT NULL,
+      actor_agent_id      TEXT,
+      agent_role          TEXT,
+      project_name        TEXT,
+      session_id          TEXT,
+      task_id             TEXT,
+      goal_id             TEXT,
+      parent_event_id     TEXT,
+      intention           TEXT,
+      outcome             TEXT,
+      evidence_memory_id  TEXT,
+      impact              TEXT,
+      payload             TEXT DEFAULT '{}',
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_time
+      ON agent_events(occurred_at, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
+      ON agent_events(session_id, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
+      ON agent_events(goal_id, occurred_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_memory
+      ON agent_events(evidence_memory_id);
+
+    CREATE TABLE IF NOT EXISTS agent_goal_links (
+      id           TEXT PRIMARY KEY,
+      goal_id      TEXT NOT NULL,
+      link_type    TEXT NOT NULL,
+      target_id    TEXT NOT NULL,
+      target_type  TEXT NOT NULL,
+      created_at   TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
+      ON agent_goal_links(goal_id, target_type);
+
+    CREATE TABLE IF NOT EXISTS agent_semantic_labels (
+      id                TEXT PRIMARY KEY,
+      source_memory_id  TEXT NOT NULL,
+      event_id          TEXT,
+      labeler           TEXT NOT NULL,
+      schema_version    INTEGER NOT NULL DEFAULT 1,
+      confidence        REAL NOT NULL DEFAULT 0,
+      labels            TEXT NOT NULL,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
+      ON agent_semantic_labels(source_memory_id, labeler);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
+      ON agent_semantic_labels(event_id);
+
+    CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
+      id                  TEXT PRIMARY KEY,
+      project_name        TEXT,
+      session_id          TEXT,
+      window_start_at     TEXT NOT NULL,
+      window_end_at       TEXT NOT NULL,
+      event_count         INTEGER NOT NULL DEFAULT 0,
+      goal_count          INTEGER NOT NULL DEFAULT 0,
+      success_count       INTEGER NOT NULL DEFAULT 0,
+      failure_count       INTEGER NOT NULL DEFAULT 0,
+      risk_count          INTEGER NOT NULL DEFAULT 0,
+      summary             TEXT NOT NULL,
+      learnings           TEXT NOT NULL DEFAULT '[]',
+      next_actions        TEXT NOT NULL DEFAULT '[]',
+      evidence_event_ids  TEXT NOT NULL DEFAULT '[]',
+      confidence          REAL NOT NULL DEFAULT 0,
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
+      ON agent_reflection_checkpoints(project_name, window_end_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
+      ON agent_reflection_checkpoints(session_id, window_end_at);
+  `);
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute(
+      `CREATE INDEX IF NOT EXISTS idx_memories_tier ON memories(tier)`
+    );
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `UPDATE memories SET tier = 1 WHERE tool_name = 'commit_to_long_term_memory' AND importance >= 8 AND tier = 3`,
+      args: []
+    });
+    await client.execute({
+      sql: `UPDATE memories SET tier = 2 WHERE tool_name IN ('store_memory', 'manual') AND importance >= 5 AND tier = 3`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN supersedes_id TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute(
+      `CREATE INDEX IF NOT EXISTS idx_memories_supersedes ON memories(supersedes_id) WHERE supersedes_id IS NOT NULL`
+    );
+  } catch {
+  }
+  for (const col of [
+    "ALTER TABLE tasks ADD COLUMN checkpoint TEXT",
+    "ALTER TABLE tasks ADD COLUMN checkpoint_count INTEGER DEFAULT 0"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN draft INTEGER DEFAULT 0`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute(
+      `CREATE INDEX IF NOT EXISTS idx_memories_draft ON memories(draft) WHERE draft = 1`
+    );
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute(
+      `CREATE INDEX IF NOT EXISTS idx_memories_type ON memories(memory_type)`
+    );
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN trajectory TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  for (const col of [
+    "ALTER TABLE memories ADD COLUMN intent TEXT",
+    "ALTER TABLE memories ADD COLUMN outcome TEXT",
+    "ALTER TABLE memories ADD COLUMN domain TEXT",
+    "ALTER TABLE memories ADD COLUMN referenced_entities TEXT",
+    "ALTER TABLE memories ADD COLUMN retrieval_count INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN chain_position TEXT",
+    "ALTER TABLE memories ADD COLUMN review_status TEXT",
+    "ALTER TABLE memories ADD COLUMN context_window_pct INTEGER",
+    "ALTER TABLE memories ADD COLUMN file_paths TEXT",
+    "ALTER TABLE memories ADD COLUMN commit_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN duration_ms INTEGER",
+    "ALTER TABLE memories ADD COLUMN token_cost REAL",
+    "ALTER TABLE memories ADD COLUMN audience TEXT",
+    "ALTER TABLE memories ADD COLUMN language_type TEXT",
+    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
+}
+async function disposeDatabase() {
+  if (_walCheckpointTimer) {
+    clearInterval(_walCheckpointTimer);
+    _walCheckpointTimer = null;
+  }
+  if (_daemonClient) {
+    _daemonClient.close();
+    _daemonClient = null;
+  }
+  if (_adapterClient && _adapterClient !== _resilientClient) {
+    _adapterClient.close();
+  }
+  _adapterClient = null;
+  if (_client) {
+    _client.close();
+    _client = null;
+    _resilientClient = null;
+  }
+}
+var _client, _resilientClient, _walCheckpointTimer, _daemonClient, _adapterClient, initTurso, SOFT_DELETE_RETENTION_DAYS, disposeTurso;
+var init_database = __esm({
+  "src/lib/database.ts"() {
+    "use strict";
+    init_db_retry();
+    init_employees();
+    init_database_adapter();
+    init_memory();
+    _client = null;
+    _resilientClient = null;
+    _walCheckpointTimer = null;
+    _daemonClient = null;
+    _adapterClient = null;
+    initTurso = initDatabase;
+    SOFT_DELETE_RETENTION_DAYS = 7;
+    disposeTurso = disposeDatabase;
+  }
+});
+
+// src/lib/shard-manager.ts
+var shard_manager_exports = {};
+__export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
+  disposeShards: () => disposeShards,
+  ensureShardSchema: () => ensureShardSchema,
+  getOpenShardCount: () => getOpenShardCount,
+  getReadyShardClient: () => getReadyShardClient,
+  getShardClient: () => getShardClient,
+  getShardsDir: () => getShardsDir,
+  initShardManager: () => initShardManager,
+  isShardingEnabled: () => isShardingEnabled,
+  listShards: () => listShards,
+  shardExists: () => shardExists
+});
+import path7 from "path";
+import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync3 } from "fs";
+import { createClient as createClient2 } from "@libsql/client";
+function initShardManager(encryptionKey) {
+  _encryptionKey = encryptionKey;
+  if (!existsSync7(SHARDS_DIR)) {
+    mkdirSync2(SHARDS_DIR, { recursive: true });
+  }
+  _shardingEnabled = true;
+  if (_evictionTimer) clearInterval(_evictionTimer);
+  _evictionTimer = setInterval(evictIdleShards, EVICTION_INTERVAL_MS);
+  _evictionTimer.unref();
+}
+function isShardingEnabled() {
+  return _shardingEnabled;
+}
+function getShardsDir() {
+  return SHARDS_DIR;
+}
+function getShardClient(projectName) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const safeName = safeShardName(projectName);
+  if (!safeName || safeName === "unknown") {
+    throw new Error(`Invalid project name for shard: "${projectName}" (resolved to "${safeName}")`);
+  }
+  const cached = _shards.get(safeName);
+  if (cached) {
+    _shardLastAccess.set(safeName, Date.now());
+    return cached;
+  }
+  while (_shards.size >= MAX_OPEN_SHARDS) {
+    evictLRU();
+  }
+  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
+  const client = createClient2({
+    url: `file:${dbPath}`,
+    encryptionKey: _encryptionKey
+  });
+  _shards.set(safeName, client);
+  _shardLastAccess.set(safeName, Date.now());
+  return client;
+}
+function shardExists(projectName) {
+  const safeName = safeShardName(projectName);
+  return existsSync7(path7.join(SHARDS_DIR, `${safeName}.db`));
+}
+function safeShardName(projectName) {
+  return projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
+}
+function listShards() {
+  if (!existsSync7(SHARDS_DIR)) return [];
+  return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
+}
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync3(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
+}
+async function ensureShardSchema(client) {
+  await client.execute("PRAGMA journal_mode = WAL");
+  await client.execute("PRAGMA busy_timeout = 30000");
+  try {
+    await client.execute("PRAGMA libsql_vector_search_ef = 128");
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS memories (
+      id            TEXT PRIMARY KEY,
+      agent_id      TEXT NOT NULL,
+      agent_role    TEXT NOT NULL,
+      session_id    TEXT NOT NULL,
+      timestamp     TEXT NOT NULL,
+      tool_name     TEXT NOT NULL,
+      project_name  TEXT NOT NULL,
+      has_error     INTEGER NOT NULL DEFAULT 0,
+      raw_text      TEXT NOT NULL,
+      vector        F32_BLOB(1024),
+      version       INTEGER NOT NULL DEFAULT 0
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_memories_agent ON memories(agent_id);
+    CREATE INDEX IF NOT EXISTS idx_memories_timestamp ON memories(timestamp);
+    CREATE INDEX IF NOT EXISTS idx_memories_agent_project ON memories(agent_id, project_name);
+  `);
+  await client.executeMultiple(`
+    CREATE VIRTUAL TABLE IF NOT EXISTS memories_fts USING fts5(
+      raw_text,
+      content='memories',
+      content_rowid='rowid'
+    );
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ai AFTER INSERT ON memories BEGIN
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ad AFTER DELETE ON memories BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_au AFTER UPDATE ON memories BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+  `);
+  for (const col of [
+    "ALTER TABLE memories ADD COLUMN task_id TEXT",
+    "ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN author_device_id TEXT",
+    "ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'",
+    "ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5",
+    "ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'",
+    "ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN graph_extracted INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN content_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN graph_extracted_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN confidence REAL DEFAULT 0.7",
+    "ALTER TABLE memories ADD COLUMN last_accessed TEXT",
+    // Wiki linkage columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN workspace_id TEXT",
+    "ALTER TABLE memories ADD COLUMN document_id TEXT",
+    "ALTER TABLE memories ADD COLUMN user_id TEXT",
+    "ALTER TABLE memories ADD COLUMN char_offset INTEGER",
+    "ALTER TABLE memories ADD COLUMN page_number INTEGER",
+    // Source provenance columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN source_path TEXT",
+    "ALTER TABLE memories ADD COLUMN source_type TEXT DEFAULT 'text'",
+    "ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3",
+    "ALTER TABLE memories ADD COLUMN supersedes_id TEXT",
+    // MS-11: draft staging, MS-6a: memory_type, MS-7: trajectory
+    "ALTER TABLE memories ADD COLUMN draft INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'",
+    "ALTER TABLE memories ADD COLUMN trajectory TEXT",
+    // Metadata enrichment columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN intent TEXT",
+    "ALTER TABLE memories ADD COLUMN outcome TEXT",
+    "ALTER TABLE memories ADD COLUMN domain TEXT",
+    "ALTER TABLE memories ADD COLUMN referenced_entities TEXT",
+    "ALTER TABLE memories ADD COLUMN retrieval_count INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN chain_position TEXT",
+    "ALTER TABLE memories ADD COLUMN review_status TEXT",
+    "ALTER TABLE memories ADD COLUMN context_window_pct INTEGER",
+    "ALTER TABLE memories ADD COLUMN file_paths TEXT",
+    "ALTER TABLE memories ADD COLUMN commit_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN duration_ms INTEGER",
+    "ALTER TABLE memories ADD COLUMN token_cost REAL",
+    "ALTER TABLE memories ADD COLUMN audience TEXT",
+    "ALTER TABLE memories ADD COLUMN language_type TEXT",
+    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT",
+    "ALTER TABLE memories ADD COLUMN deleted_at TEXT"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+  for (const idx of [
+    "CREATE INDEX IF NOT EXISTS idx_memories_tier ON memories(tier)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_supersedes ON memories(supersedes_id) WHERE supersedes_id IS NOT NULL",
+    "CREATE INDEX IF NOT EXISTS idx_memories_scoped_content_hash ON memories(content_hash, agent_id, project_name, memory_type) WHERE content_hash IS NOT NULL"
+  ]) {
+    try {
+      await client.execute(idx);
+    } catch {
+    }
+  }
+  try {
+    await client.execute("CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status)");
+  } catch {
+  }
+  for (const idx of [
+    "CREATE INDEX IF NOT EXISTS idx_memories_workspace ON memories(workspace_id)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_document ON memories(document_id)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_user ON memories(user_id)"
+  ]) {
+    try {
+      await client.execute(idx);
+    } catch {
+    }
+  }
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS entities (
+      id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      type TEXT NOT NULL,
+      first_seen TEXT NOT NULL,
+      last_seen TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(name, type)
+    );
+
+    CREATE TABLE IF NOT EXISTS relationships (
+      id TEXT PRIMARY KEY,
+      source_entity_id TEXT NOT NULL,
+      target_entity_id TEXT NOT NULL,
+      type TEXT NOT NULL,
+      weight REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(source_entity_id, target_entity_id, type)
+    );
+
+    CREATE TABLE IF NOT EXISTS entity_memories (
+      entity_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (entity_id, memory_id)
+    );
+
+    CREATE TABLE IF NOT EXISTS relationship_memories (
+      relationship_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (relationship_id, memory_id)
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_entities_name ON entities(name);
+    CREATE INDEX IF NOT EXISTS idx_entities_type ON entities(type);
+    CREATE INDEX IF NOT EXISTS idx_relationships_source ON relationships(source_entity_id);
+    CREATE INDEX IF NOT EXISTS idx_relationships_target ON relationships(target_entity_id);
+    CREATE INDEX IF NOT EXISTS idx_relationships_type ON relationships(type);
+
+    CREATE TABLE IF NOT EXISTS hyperedges (
+      id TEXT PRIMARY KEY,
+      label TEXT NOT NULL,
+      relation TEXT NOT NULL,
+      confidence REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS hyperedge_nodes (
+      hyperedge_id TEXT NOT NULL,
+      entity_id TEXT NOT NULL,
+      PRIMARY KEY (hyperedge_id, entity_id)
+    );
+  `);
+  for (const col of [
+    "ALTER TABLE relationships ADD COLUMN confidence REAL DEFAULT 1.0",
+    "ALTER TABLE relationships ADD COLUMN confidence_label TEXT DEFAULT 'extracted'"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+}
+async function getReadyShardClient(projectName) {
+  const safeName = safeShardName(projectName);
+  let client = getShardClient(projectName);
+  try {
+    await ensureShardSchema(client);
+    return client;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (!/SQLITE_NOTADB|file is not a database/i.test(message)) throw err;
+    client.close();
+    _shards.delete(safeName);
+    _shardLastAccess.delete(safeName);
+    const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
+    if (existsSync7(dbPath)) {
+      const stat = statSync3(dbPath);
+      const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+      const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
+      renameSync3(dbPath, archivedPath);
+      process.stderr.write(
+        `[shard-manager] Archived unreadable shard ${safeName}: ${archivedPath} (${stat.size} bytes, mtime ${stat.mtime.toISOString()})
+`
+      );
+    }
+    client = getShardClient(projectName);
+    await ensureShardSchema(client);
+    return client;
+  }
+}
+function evictLRU() {
+  let oldest = null;
+  let oldestTime = Infinity;
+  for (const [name, time] of _shardLastAccess) {
+    if (time < oldestTime) {
+      oldestTime = time;
+      oldest = name;
+    }
+  }
+  if (oldest) {
+    const client = _shards.get(oldest);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(oldest);
+    _shardLastAccess.delete(oldest);
+  }
+}
+function evictIdleShards() {
+  const now = Date.now();
+  const toEvict = [];
+  for (const [name, lastAccess] of _shardLastAccess) {
+    if (now - lastAccess > SHARD_IDLE_MS) {
+      toEvict.push(name);
+    }
+  }
+  for (const name of toEvict) {
+    const client = _shards.get(name);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(name);
+    _shardLastAccess.delete(name);
+  }
+}
+function getOpenShardCount() {
+  return _shards.size;
+}
+function disposeShards() {
+  if (_evictionTimer) {
+    clearInterval(_evictionTimer);
+    _evictionTimer = null;
+  }
+  for (const [, client] of _shards) {
+    client.close();
+  }
+  _shards.clear();
+  _shardLastAccess.clear();
+  _shardingEnabled = false;
+  _encryptionKey = null;
+}
+var SHARDS_DIR, SHARD_IDLE_MS, MAX_OPEN_SHARDS, EVICTION_INTERVAL_MS, _shards, _shardLastAccess, _evictionTimer, _encryptionKey, _shardingEnabled;
+var init_shard_manager = __esm({
+  "src/lib/shard-manager.ts"() {
+    "use strict";
+    init_config();
+    SHARDS_DIR = path7.join(EXE_AI_DIR, "shards");
+    SHARD_IDLE_MS = 5 * 60 * 1e3;
+    MAX_OPEN_SHARDS = 10;
+    EVICTION_INTERVAL_MS = 60 * 1e3;
+    _shards = /* @__PURE__ */ new Map();
+    _shardLastAccess = /* @__PURE__ */ new Map();
+    _evictionTimer = null;
+    _encryptionKey = null;
+    _shardingEnabled = false;
+  }
+});
+
+// src/lib/platform-procedures.ts
+var PLATFORM_PROCEDURES, PLATFORM_PROCEDURE_TITLES;
+var init_platform_procedures = __esm({
+  "src/lib/platform-procedures.ts"() {
+    "use strict";
+    PLATFORM_PROCEDURES = [
+      // --- Foundation: what is exe-os ---
+      {
+        title: "What is exe-os \u2014 the operating model every agent must understand",
+        domain: "architecture",
+        priority: "p0",
+        content: "Exe OS is an AI employee operating system. A founder runs 5-10 AI agents as a real org: COO, CTO, CMO, engineers, and content production specialists. Each agent has identity, expertise, and experience layers \u2014 persistent memory that makes them better over time. All data is local-first, E2EE, owned by the user. The MCP server is the ONLY data interface \u2014 never access the DB directly."
+      },
+      {
+        title: "Mode 1 \u2014 how exe-os runs inside Claude Code",
+        domain: "architecture",
+        priority: "p0",
+        content: "Mode 1: exe-os runs AS hooks + MCP + skills inside Claude Code, Codex, or OpenCode. The founder picks their default tool at setup. The COO manages employees in tmux sessions. Each coordinator session is a separate window/project. Employees run in their own tmux panes via create_task auto-spawn. The founder talks to the COO; the COO orchestrates the team. The tool is the shell, exe-os is the brain."
+      },
+      {
+        title: "Sessions explained \u2014 coordinator session names and projects",
+        domain: "architecture",
+        priority: "p0",
+        content: "Each coordinator session is an isolated project session. One might be exe-os development, another might be exe-wiki. Each session spawns its own employees using {employee}-{coordinatorSession}. Sessions share the same memory DB but tasks are scoped to the session that created them. A founder can run multiple projects simultaneously. Sessions never interfere with each other."
+      },
+      {
+        title: "Runtime settings \u2014 COO can view and change tools per agent",
+        domain: "workflow",
+        priority: "p1",
+        content: "exe-os supports three tools: Claude Code (Anthropic), Codex (OpenAI), and OpenCode (open source, 75+ providers). Each agent can use a different tool and model. COO uses set_agent_config MCP tool to view or change settings. Call with no args to show all agents. Call with agent_id + runtime + model to change. Users can also run `exe-os settings` from terminal for interactive arrow-key selection."
+      },
+      // --- Hierarchy and dispatch ---
+      {
+        title: "Chain of command \u2014 who talks to whom",
+        domain: "workflow",
+        priority: "p0",
+        content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
+      },
+      {
+        title: "Customer orchestration maturity \u2014 recommend, never trap",
+        domain: "workflow",
+        priority: "p1",
+        content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
+      },
+      {
+        title: "Single dispatch path \u2014 create_task only",
+        domain: "workflow",
+        priority: "p0",
+        content: "create_task is the ONLY way to dispatch work to another agent. No direct ensureEmployee calls, no manual tmux spawns, no send_message for actionable work. create_task \u2192 system auto-spawns \u2192 session correctly named. ONE PATH. No backdoors. No exceptions."
+      },
+      // --- Session isolation ---
+      {
+        title: "Session scoping \u2014 stay in your coordinator boundary",
+        domain: "security",
+        priority: "p0",
+        content: "Session scoping is mandatory. Managers dispatch to workers within their own coordinator session ONLY. Employee sessions use {employee}-{coordinatorSession}. Cross-session dispatch is blocked by the system. Verify session names before dispatch. Tasks are scoped to the creating coordinator session."
+      },
+      {
+        title: "Session isolation \u2014 never touch another session's work",
+        domain: "workflow",
+        priority: "p0",
+        content: "Sessions are isolated. A coordinator session owns ONLY tasks it dispatched. (1) Never close/update/cancel tasks from another coordinator session. (2) Never review work from a different session \u2014 report that it belongs to another session and skip. (3) Ignore other sessions' items in list_tasks results. (4) Employees inherit session: employee sessions work ONLY on their parent coordinator session's tasks. Cross-session work is a system violation."
+      },
+      // --- Engineering: session scoping in code ---
+      {
+        title: "Three-dimensional scoping \u2014 session, project, role \u2014 enforced in every query",
+        domain: "architecture",
+        priority: "p0",
+        content: "Every DB query, notification, review count, and task operation MUST be scoped on 3 dimensions: (1) Session \u2014 filter by session_scope matching the current coordinator session. (2) Project \u2014 filter by project_name. (3) Role \u2014 agents only see data at their hierarchy level. When writing ANY function that touches tasks, reviews, messages, or notifications: always accept a sessionScope parameter and pass it to the SQL WHERE clause. Unscoped queries are bugs. Test by running 2+ coordinator sessions simultaneously."
+      },
+      // --- Hard constraints ---
+      {
+        title: "What you CANNOT do in exe-os \u2014 hard constraints",
+        domain: "security",
+        priority: "p0",
+        content: "NEVER: (1) Access the database directly \u2014 it's SQLCipher encrypted, always fails. Use MCP tools only. (2) Manually spawn tmux sessions \u2014 create_task handles it. (3) Run git checkout main \u2014 agents work in worktrees. (4) Modify another agent's in-progress task. (5) Push to remote \u2014 the COO reviews and pushes. (6) Skip update_task(done) \u2014 it's the ONLY way your work gets reviewed. (7) Run git init."
+      },
+      {
+        title: "Customer patch triage \u2014 upstream bug vs customization",
+        domain: "support",
+        priority: "p0",
+        content: "When an agent encounters a suspected Exe OS bug, update breakage, MCP/tool failure, installer issue, memory/orchestration defect, or customer-local patch need, it MUST use create_bug_report. Do this before or alongside any local workaround so the report reaches AskExe support directly via the customer's license. Classify first: upstream_bug = reproducible exe-os/platform defect; customer_customization = identity, behavior, procedure, config, branding, workflow preference that belongs in customer-owned layers; emergency_hotfix = temporary local patch. For upstream bugs/emergency hotfixes include version, repro steps, expected/actual, files changed, workaround, and local diff summary. Avoid permanent platform-code patches unless founder approves; if a hotfix is unavoidable, document it in the bug report and re-check after npm update."
+      },
+      // --- Operations ---
+      {
+        title: "Managers must supervise deployed workers",
+        domain: "workflow",
+        priority: "p0",
+        content: `Every manager (COO/CTO/CMO) who dispatches work to a worker MUST actively monitor them. Check tmux capture-pane every 10 minutes. Verify they're working, not stuck. If idle at prompt with in_progress task \u2192 send intercom. If stuck \u2192 unblock or escalate. "Standing by" without checking is negligence.`
+      },
+      {
+        title: "COO boot health check \u2014 memory, cloud sync, daemon on every launch",
+        domain: "workflow",
+        priority: "p0",
+        content: "On every /exe boot, COO MUST check system health BEFORE other work: (1) daemon \u2014 is exed PID alive, (2) cloud sync \u2014 grep workers.log for recent cloud-sync errors, (3) memory count \u2014 total in DB, (4) sync delta \u2014 local vs cloud storage_bytes. Report as 4-line status table. If ANY check fails, surface to founder immediately. Do not proceed to tasks until health confirmed."
+      },
+      {
+        title: "exe-build-adv mandatory for 3+ files",
+        domain: "workflow",
+        priority: "p0",
+        content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
+      },
+      {
+        title: "Commit discipline \u2014 never leave verified work floating",
+        domain: "workflow",
+        priority: "p1",
+        content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
+      },
+      {
+        title: "Desktop and TUI are the same product",
+        domain: "architecture",
+        priority: "p0",
+        content: "Desktop and TUI are the SAME product in different renderers. Same data contracts, same interactions, same acceptance criteria. Desktop tab specs in ARCHITECTURE.md ARE the TUI specs. When building TUI, cross-reference Desktop spec. Different tab names, identical behavior. Never treat them as separate products."
+      },
+      // --- Orchestration golden path ---
+      {
+        title: "Task lifecycle \u2014 the golden path every agent follows",
+        domain: "workflow",
+        priority: "p0",
+        content: "create_task is dispatch + delivery. Task lifecycle: open \u2192 in_progress (you start) \u2192 done (update_task when finished) \u2192 needs_review (reviewer nudged) \u2192 closed (COO only via close_task). DB is the reliable delivery \u2014 intercom is just a speedup nudge. If you finish a task, self-chain: check for next task immediately (step 7). Never wait for a nudge. Never say 'standing by.'"
+      },
+      {
+        title: "Intercom is a speedup, not delivery \u2014 DB is the source of truth",
+        domain: "architecture",
+        priority: "p0",
+        content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
+      },
+      // --- MCP is the ONLY data interface ---
+      {
+        title: "MCP disconnect \u2014 ask the user, never work around it",
+        domain: "workflow",
+        priority: "p0",
+        content: "If MCP tools are unavailable, disconnected, or returning connection errors: STOP. Tell the user clearly: 'MCP server is disconnected. Please run /mcp to reconnect.' Do NOT attempt workarounds \u2014 no raw Node imports, no direct DB access, no CLI hacks, no daemon socket calls. MCP is the ONLY data interface. Working around it wastes time, hits bundling issues, and bypasses the contract boundary. Ask once, wait, proceed when reconnected."
+      },
+      // --- MCP Tool Catalog (Layer 0 — every agent knows what tools exist) ---
+      {
+        title: "MCP tools \u2014 memory and search",
+        domain: "tool-use",
+        priority: "p1",
+        content: "recall_my_memory: search your own memories (semantic + FTS). ask_team_memory: search a colleague's memories by agent name. store_memory: persist a memory (decisions, summaries, context). commit_memory: high-importance memory that survives consolidation. search_everything: unified search across memories, tasks, entities, conversations. get_session_context: temporal window of memories around a timestamp. consolidate_memories: merge duplicate/related memories into insights. get_memory_cardinality: count memories per agent (health check)."
+      },
+      {
+        title: "MCP tools \u2014 task orchestration",
+        domain: "tool-use",
+        priority: "p1",
+        content: "create_task: dispatch work to an employee (auto-spawns session). The ONLY dispatch path. list_tasks: query tasks by status, assignee, project. get_task: fetch full task details by ID. update_task: change status (in_progress, done, blocked, cancelled) + add result summary. close_task: finalize a reviewed task (COO only). checkpoint_task: save progress state for crash recovery. resume_employee: re-spawn an employee session for an existing task."
+      },
+      {
+        title: "MCP tools \u2014 knowledge graph (GraphRAG)",
+        domain: "tool-use",
+        priority: "p1",
+        content: "query_relationships: find connections between entities in the knowledge graph. get_entity_neighbors: explore an entity's direct connections. get_hot_entities: find most-referenced entities (trending topics). get_graph_stats: graph health \u2014 entity/relationship counts, density. export_graph: export graph data for visualization. merge_entities: deduplicate entities (alias resolution). find_similar_trajectories: match tool-call patterns to past task solutions."
+      },
+      {
+        title: "MCP tools \u2014 identity, behavior, and decisions",
+        domain: "tool-use",
+        priority: "p1",
+        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query. create_bug_report: customer-facing bug/support intake; use whenever an Exe OS bug or emergency hotfix is encountered so the report reaches AskExe directly. Customers only get report access; internal list/get/triage support tools are AskExe-only."
+      },
+      {
+        title: "MCP tools \u2014 communication and messaging",
+        domain: "tool-use",
+        priority: "p1",
+        content: "send_message: send supplementary context to another agent (NOT for actionable work \u2014 use create_task). acknowledge_messages: mark messages as read. send_whatsapp: send WhatsApp message via gateway (customer-facing alerts). query_conversations: search ingested conversations across all channels (WhatsApp, email, etc.)."
+      },
+      {
+        title: "MCP tools \u2014 wiki, documents, and content",
+        domain: "tool-use",
+        priority: "p1",
+        content: "wiki: read/list wiki pages only. Direct wiki write tools are removed; wiki updates flow through raw-data ingestion/projection into the curated wiki store. Legacy aliases: list_wiki_pages/get_wiki_page. crm: read/list/get CRM records from exe-db. raw_data: read capped raw landing-pad events from exe-db with payload opt-in. ingest_document: import a file (PDF, MD, etc.) into memory as chunks. list_documents: browse ingested documents by workspace. purge_document: remove a document and its memory chunks. set_document_importance: adjust chunk importance scores. rerank_documents: re-score document relevance for a query."
+      },
+      {
+        title: "MCP tools \u2014 system, operations, and admin",
+        domain: "tool-use",
+        priority: "p1",
+        content: "get_agent_spend: token usage per agent/session (cost tracking). list_agent_sessions: view agent session history. get_session_kills: audit log of killed sessions. get_daemon_health: check exed daemon status. get_auto_wake_status: daemon auto-wake configuration. get_worker_gate: check worker deployment gates. run_memory_audit: health check \u2014 duplicates, null vectors, orphaned rows. run_consolidation: trigger sleep-time memory consolidation. cloud_sync: force a cloud sync cycle. backup_vps: trigger VPS backup."
+      },
+      {
+        title: "MCP tools \u2014 config, licensing, and team",
+        domain: "tool-use",
+        priority: "p1",
+        content: "set_agent_config: view/change per-agent runtime and model settings. list_employees: view the employee roster. add_person: add a person to the CRM contacts roster. list_people: browse CRM contacts. get_person: fetch contact details. get_license_status: check license validity. create_license: generate a new license key (admin). list_licenses: view all issued licenses. activate_license: activate a license on a device."
+      },
+      {
+        title: "MCP tools \u2014 advanced (triggers, skills, orchestration)",
+        domain: "tool-use",
+        priority: "p1",
+        content: "create_trigger: set up a scheduled recurring agent job (cron). list_triggers: view active triggers. load_skill: load a slash-command skill dynamically. apply_starter_pack: import a pre-built behavior + identity pack for a role. export_orchestration: export full org state (tasks, behaviors, identities) as portable JSON. import_orchestration: import org state into a new instance. deploy_client: deploy a customer client instance. query_company_brain: unified RAG query across all company knowledge. create_reminder: set a text reminder (shown in boot brief). list_reminders: view pending reminders. complete_reminder: mark a reminder done. company_procedure: manage customer-owned company procedures (Layer 0; actions: store, list, deactivate). Legacy aliases: global_procedure, store_global_procedure, list_global_procedures, deactivate_global_procedure."
+      }
+    ];
+    PLATFORM_PROCEDURE_TITLES = new Set(
+      PLATFORM_PROCEDURES.map((p) => p.title)
+    );
+  }
+});
+
+// src/lib/global-procedures.ts
+var global_procedures_exports = {};
+__export(global_procedures_exports, {
+  deactivateGlobalProcedure: () => deactivateGlobalProcedure,
+  getGlobalProceduresBlock: () => getGlobalProceduresBlock,
+  loadGlobalProcedures: () => loadGlobalProcedures,
+  storeGlobalProcedure: () => storeGlobalProcedure
+});
+import { randomUUID as randomUUID2 } from "crypto";
+async function loadGlobalProcedures() {
+  const client = getClient();
+  const result = await client.execute({
+    sql: "SELECT * FROM company_procedures WHERE active = 1 ORDER BY priority ASC, created_at ASC",
+    args: []
+  });
+  const allRows = result.rows;
+  const customerOnly = allRows.filter((p) => !PLATFORM_PROCEDURE_TITLES.has(p.title));
+  if (customerOnly.length > 0) {
+    _customerCache = customerOnly.map((p) => `### ${p.title}
+${p.content}`).join("\n\n");
+  } else {
+    _customerCache = "";
+  }
+  _cacheLoaded = true;
+  return customerOnly;
+}
+function getGlobalProceduresBlock() {
+  const sections = [];
+  if (_platformCache) sections.push(_platformCache);
+  if (_cacheLoaded && _customerCache) sections.push(_customerCache);
+  if (sections.length === 0) return "";
+  return `## Organization-Wide Procedures (MANDATORY \u2014 supersedes all other rules)
+
+${sections.join("\n\n")}
+`;
+}
+async function storeGlobalProcedure(input) {
+  const id = randomUUID2();
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const client = getClient();
+  await client.execute({
+    sql: `INSERT INTO company_procedures (id, title, content, priority, domain, active, created_at, updated_at)
+          VALUES (?, ?, ?, ?, ?, 1, ?, ?)`,
+    args: [id, input.title, input.content, input.priority ?? "p0", input.domain ?? null, now, now]
+  });
+  await loadGlobalProcedures();
+  return id;
+}
+async function deactivateGlobalProcedure(id) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const client = getClient();
+  const result = await client.execute({
+    sql: "UPDATE company_procedures SET active = 0, updated_at = ? WHERE id = ?",
+    args: [now, id]
+  });
+  await loadGlobalProcedures();
+  return result.rowsAffected > 0;
+}
+var _customerCache, _cacheLoaded, _platformCache;
+var init_global_procedures = __esm({
+  "src/lib/global-procedures.ts"() {
+    "use strict";
+    init_database();
+    init_platform_procedures();
+    _customerCache = "";
+    _cacheLoaded = false;
+    _platformCache = PLATFORM_PROCEDURES.map((p) => `### ${p.title}
+${p.content}`).join("\n\n");
+  }
+});
+
+// src/lib/memory-cards.ts
+var memory_cards_exports = {};
+__export(memory_cards_exports, {
+  extractMemoryCards: () => extractMemoryCards,
+  insertMemoryCardsForBatch: () => insertMemoryCardsForBatch,
+  searchMemoryCards: () => searchMemoryCards
+});
+import { createHash as createHash2 } from "crypto";
+function stableId(memoryId, type, content) {
+  return createHash2("sha256").update(`${memoryId}:${type}:${content}`).digest("hex").slice(0, 32);
+}
+function cleanText(text) {
+  return text.replace(/```[\s\S]*?```/g, " ").replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim();
+}
+function splitSentences(text) {
+  return cleanText(text).split(/(?<=[.!?])\s+|\n+/).map((s) => s.trim()).filter((s) => s.length >= 24 && s.length <= MAX_SENTENCE_CHARS);
+}
+function inferCardType(sentence, toolName) {
+  const lower = sentence.toLowerCase();
+  if (toolName === "store_decision" || /\b(decided|decision|adr|approved|rejected)\b/.test(lower)) return "decision";
+  if (/\b(prefers|preference|likes|dislikes|wants|doesn't want|does not want)\b/.test(lower)) return "preference";
+  if (/\b(changed|updated|replaced|now|no longer|instead|supersedes)\b/.test(lower)) return "belief_update";
+  if (toolName && ["Read", "Write", "Edit", "Bash"].includes(toolName)) return "code";
+  if (/\b(meeting|deadline|shipped|launched|completed|failed|blocked|assigned|created)\b/.test(lower)) return "event";
+  return "fact";
+}
+function extractSubject(sentence, agentId) {
+  const explicit = sentence.match(/\b([A-Z][a-zA-Z0-9_-]{2,}(?:\s+[A-Z][a-zA-Z0-9_-]{2,})?)\b/);
+  return explicit?.[1] ?? agentId;
+}
+function predicateFor(type) {
+  switch (type) {
+    case "preference":
+      return "prefers";
+    case "belief_update":
+      return "updated";
+    case "decision":
+      return "decided";
+    case "event":
+      return "happened";
+    case "code":
+      return "implemented";
+    default:
+      return "states";
+  }
+}
+function extractMemoryCards(row) {
+  const sentences = splitSentences(row.raw_text);
+  const cards = [];
+  for (const sentence of sentences) {
+    const type = inferCardType(sentence, row.tool_name);
+    const subject = extractSubject(sentence, row.agent_id);
+    const content = sentence.length > MAX_SENTENCE_CHARS ? `${sentence.slice(0, MAX_SENTENCE_CHARS - 1)}\u2026` : sentence;
+    cards.push({
+      id: stableId(row.id, type, content),
+      memory_id: row.id,
+      agent_id: row.agent_id,
+      session_id: row.session_id,
+      project_name: row.project_name ?? null,
+      timestamp: row.timestamp,
+      card_type: type,
+      subject,
+      predicate: predicateFor(type),
+      object: content,
+      content,
+      source_ref: row.id,
+      confidence: type === "fact" ? 0.55 : 0.65
+    });
+    if (cards.length >= MAX_CARDS_PER_MEMORY) break;
+  }
+  return cards;
+}
+async function insertMemoryCardsForBatch(rows) {
+  const cards = rows.flatMap(extractMemoryCards);
+  if (cards.length === 0) return 0;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const client = getClient();
+  const stmts = cards.map((card) => ({
+    sql: `INSERT OR IGNORE INTO memory_cards
+          (id, memory_id, agent_id, session_id, project_name, timestamp, card_type,
+           subject, predicate, object, content, source_ref, confidence, active, created_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 1, ?)`,
+    args: [
+      card.id,
+      card.memory_id,
+      card.agent_id,
+      card.session_id,
+      card.project_name,
+      card.timestamp,
+      card.card_type,
+      card.subject,
+      card.predicate,
+      card.object,
+      card.content,
+      card.source_ref,
+      card.confidence,
+      now
+    ]
+  }));
+  await client.batch(stmts, "write");
+  return cards.length;
+}
+function buildMatchExpr(queryText) {
+  const terms = queryText.toLowerCase().split(/\s+/).filter((t) => t.length >= 3).map((t) => t.replace(/[^a-z0-9_]/g, "")).filter((t) => t.length >= 3).slice(0, 12);
+  if (terms.length === 0) return null;
+  return terms.map((t) => `${t}*`).join(terms.length >= 3 ? " AND " : " OR ");
+}
+async function searchMemoryCards(queryText, agentId, options) {
+  const limit = options?.limit ?? 10;
+  const matchExpr = buildMatchExpr(queryText);
+  if (!matchExpr) return [];
+  let sql = `SELECT c.id, c.memory_id, c.agent_id, c.session_id, c.project_name,
+                    c.timestamp, c.card_type, c.content, c.source_ref, c.confidence
+             FROM memory_cards c
+             JOIN memory_cards_fts fts ON c.rowid = fts.rowid
+             WHERE memory_cards_fts MATCH ?
+               AND c.agent_id = ?
+               AND COALESCE(c.active, 1) = 1`;
+  const args = [matchExpr, agentId];
+  if (options?.projectName) {
+    sql += ` AND c.project_name = ?`;
+    args.push(options.projectName);
+  }
+  if (options?.since) {
+    sql += ` AND c.timestamp >= ?`;
+    args.push(options.since);
+  }
+  sql += ` ORDER BY rank LIMIT ?`;
+  args.push(limit);
+  const result = await getClient().execute({ sql, args });
+  return result.rows.map((row) => ({
+    id: `card:${String(row.id)}`,
+    agent_id: String(row.agent_id),
+    agent_role: "memory_card",
+    session_id: String(row.session_id),
+    timestamp: String(row.timestamp),
+    tool_name: `memory_card:${String(row.card_type)}`,
+    project_name: row.project_name == null ? "" : String(row.project_name),
+    has_error: false,
+    raw_text: `[${String(row.card_type)}] ${String(row.content)}
+Source memory: ${String(row.source_ref ?? row.memory_id)}`,
+    vector: [],
+    importance: 6,
+    status: "active",
+    confidence: Number(row.confidence ?? 0.6),
+    last_accessed: String(row.timestamp)
+  }));
+}
+var MAX_CARDS_PER_MEMORY, MAX_SENTENCE_CHARS;
+var init_memory_cards = __esm({
+  "src/lib/memory-cards.ts"() {
+    "use strict";
+    init_database();
+    MAX_CARDS_PER_MEMORY = 6;
+    MAX_SENTENCE_CHARS = 360;
+  }
+});
+
+// src/lib/agentic-ontology.ts
+var agentic_ontology_exports = {};
+__export(agentic_ontology_exports, {
+  clean: () => clean,
+  extractGoalCandidates: () => extractGoalCandidates,
+  inferIntention: () => inferIntention,
+  inferOntologyEventType: () => inferOntologyEventType,
+  inferOutcome: () => inferOutcome,
+  inferSemanticLabel: () => inferSemanticLabel,
+  insertOntologyForBatch: () => insertOntologyForBatch,
+  insertOntologyForMemory: () => insertOntologyForMemory,
+  ontologyPayload: () => ontologyPayload,
+  stableId: () => stableId2
+});
+import { createHash as createHash3 } from "crypto";
+function stableId2(...parts) {
+  return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
+}
+function clean(text, max = 240) {
+  return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
+}
+function inferOntologyEventType(row) {
+  const lower = row.raw_text.toLowerCase();
+  if (row.has_error) return "error";
+  if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
+  if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
+  if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
+  if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
+  if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
+  if (row.tool_name.startsWith("memory_card")) return "memory_card";
+  return "memory_observation";
+}
+function inferIntention(row) {
+  if (row.intent) return clean(row.intent, 220);
+  const text = clean(row.raw_text, 1e3);
+  const patterns = [
+    /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
+    /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
+    /(?:task|plan):\s*([^.!?\n]{8,220})/i
+  ];
+  for (const p of patterns) {
+    const m = text.match(p);
+    if (m?.[1]) return clean(m[1], 220);
+  }
+  if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
+    return `${row.tool_name} during ${row.project_name}`;
+  }
+  return null;
+}
+function inferOutcome(row) {
+  if (row.outcome) return clean(row.outcome, 220);
+  if (row.has_error) return "error";
+  const lower = row.raw_text.toLowerCase();
+  if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
+  if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
+  if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
+  return null;
+}
+function extractGoalCandidates(row) {
+  const text = clean(row.raw_text, 1600);
+  const patterns = [
+    /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
+    /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
+  ];
+  const out = [];
+  for (const pattern of patterns) {
+    for (const m of text.matchAll(pattern)) {
+      const candidate = clean(m[1] ?? "", 220);
+      if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
+      if (out.length >= 3) return out;
+    }
+  }
+  return out;
+}
+function uniq(values, max = 6) {
+  const out = [];
+  for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
+    if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
+    if (out.length >= max) break;
+  }
+  return out;
+}
+function extractMatches(text, patterns, max = 5) {
+  const out = [];
+  for (const pattern of patterns) {
+    for (const match of text.matchAll(pattern)) {
+      const value = match[1] ?? match[0];
+      if (value) out.push(value);
+      if (out.length >= max) return uniq(out, max);
+    }
+  }
+  return uniq(out, max);
+}
+function inferSemanticLabel(row) {
+  const text = clean(row.raw_text, 2400);
+  const eventType = inferOntologyEventType(row);
+  const intention = inferIntention(row);
+  const outcome = inferOutcome(row);
+  const goals = extractGoalCandidates(row);
+  const milestones = extractMatches(text, [
+    /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
+    /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
+  ]);
+  const problems = extractMatches(text, [
+    /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
+    /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
+  ]);
+  const decisions = extractMatches(text, [
+    /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
+  ]);
+  const temporalAnchors = extractMatches(text, [
+    /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
+    /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
+  ], 8);
+  const nextActions = extractMatches(text, [
+    /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
+  ]);
+  const actors = uniq([
+    row.agent_id,
+    ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
+  ], 6);
+  const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
+  const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
+  const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
+  const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
+  return {
+    labeler: "deterministic",
+    schemaVersion: 1,
+    eventType,
+    intention,
+    outcome,
+    impact,
+    confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
+    goals,
+    milestones,
+    problems,
+    decisions,
+    actors,
+    temporalAnchors,
+    successSignals,
+    failureSignals,
+    nextActions,
+    summary: clean(text, 280)
+  };
+}
+function ontologyPayload(row) {
+  const semantic = inferSemanticLabel(row);
+  return {
+    tool_name: row.tool_name,
+    memory_version: row.version ?? null,
+    domain: row.domain ?? null,
+    trajectory: row.trajectory ? safeJson(row.trajectory) : null,
+    semantic
+  };
+}
+function safeJson(value) {
+  try {
+    return JSON.parse(value);
+  } catch {
+    return value.slice(0, 1e3);
+  }
+}
+async function resolveClient(client) {
+  if (client) return client;
+  const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+  return getClient2();
+}
+async function insertOntologyForMemory(row, client) {
+  const db = await resolveClient(client);
+  const occurredAt = row.timestamp;
+  const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
+  const eventType = inferOntologyEventType(row);
+  const intention = inferIntention(row);
+  const outcome = inferOutcome(row);
+  const eventId = stableId2("event", row.id);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.execute({
+    sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
+          VALUES (?, ?, ?, ?, ?, 1, ?)
+          ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
+            event_count = event_count + 1`,
+    args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
+  });
+  await db.execute({
+    sql: `INSERT OR IGNORE INTO agent_events
+          (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
+           session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
+           impact, payload, created_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
+    args: [
+      eventId,
+      eventType,
+      occurredAt,
+      sequence,
+      row.agent_id,
+      row.agent_role,
+      row.project_name,
+      row.session_id,
+      row.task_id ?? null,
+      intention,
+      outcome,
+      row.id,
+      row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
+      JSON.stringify(ontologyPayload(row)),
+      now
+    ]
+  });
+  const semantic = inferSemanticLabel(row);
+  await db.execute({
+    sql: `INSERT INTO agent_semantic_labels
+          (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+          ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
+            labels = excluded.labels, updated_at = excluded.updated_at`,
+    args: [
+      stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
+      row.id,
+      eventId,
+      semantic.labeler,
+      semantic.schemaVersion,
+      semantic.confidence,
+      JSON.stringify(semantic),
+      now,
+      now
+    ]
+  });
+  for (const statement of extractGoalCandidates(row)) {
+    const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
+    await db.execute({
+      sql: `INSERT INTO agent_goals
+            (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
+             parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
+            VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
+            ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
+      args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
+    });
+    await db.execute({
+      sql: `INSERT OR IGNORE INTO agent_goal_links
+            (id, goal_id, link_type, target_id, target_type, created_at)
+            VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
+      args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
+    });
+    await db.execute({
+      sql: `INSERT OR IGNORE INTO agent_goal_links
+            (id, goal_id, link_type, target_id, target_type, created_at)
+            VALUES (?, ?, 'event', ?, 'event', ?)`,
+      args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
+    });
+  }
+}
+async function insertOntologyForBatch(rows, client) {
+  const db = await resolveClient(client);
+  let count = 0;
+  for (const row of rows) {
+    try {
+      await insertOntologyForMemory(row, db);
+      count++;
+    } catch {
+    }
+  }
+  return count;
+}
+var init_agentic_ontology = __esm({
+  "src/lib/agentic-ontology.ts"() {
+    "use strict";
+  }
+});
+
+// src/lib/store.ts
+init_memory();
+init_database();
+
+// src/lib/keychain.ts
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { existsSync as existsSync6, statSync as statSync2 } from "fs";
+import { execSync as execSync2 } from "child_process";
+import path6 from "path";
+import os5 from "os";
+var SERVICE = "exe-os";
+var LEGACY_SERVICE = "exe-mem";
+var ACCOUNT = "master-key";
+function getKeyDir() {
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path6.join(os5.homedir(), ".exe-os");
+}
+function getKeyPath() {
+  return path6.join(getKeyDir(), "master.key");
+}
+function nativeKeychainAllowed() {
+  return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
+}
+var linuxSecretAvailability = null;
+function linuxSecretAvailable() {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "linux") return false;
+  if (linuxSecretAvailability !== null) return linuxSecretAvailability;
+  try {
+    execSync2("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
+  } catch {
+    linuxSecretAvailability = false;
+    return false;
+  }
+  try {
+    execSync2("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
+    linuxSecretAvailability = true;
+  } catch {
+    linuxSecretAvailability = false;
+  }
+  return linuxSecretAvailability;
+}
+function isRootOnlyTrustedServerKeyFile(keyPath) {
+  if (process.platform !== "linux") return false;
+  try {
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
+    const st = statSync2(keyPath);
+    if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    if (uid === 0) return true;
+    const exeOsDir = process.env.EXE_OS_DIR;
+    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+  } catch {
+    return false;
+  }
+}
+function macKeychainGet(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return null;
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync2(
+      `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function macKeychainSet(value, service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "darwin") return false;
+  try {
+    try {
+      execSync2(
+        `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
+    } catch {
+    }
+    execSync2(
+      `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function macKeychainDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "darwin") return false;
+  try {
+    execSync2(
+      `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretGet(service = SERVICE) {
+  if (!linuxSecretAvailable()) return null;
+  try {
+    return execSync2(
+      `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+function linuxSecretSet(value, service = SERVICE) {
+  if (!linuxSecretAvailable()) return false;
+  try {
+    execSync2(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "linux") return false;
+  try {
+    execSync2(
+      `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function tryKeytar() {
+  if (!nativeKeychainAllowed()) return null;
+  try {
+    return await import("keytar");
+  } catch {
+    return null;
+  }
+}
+var ENCRYPTED_PREFIX = "enc:";
+function deriveMachineKey() {
+  try {
+    const crypto2 = __require("crypto");
+    const material = [
+      os5.hostname(),
+      os5.userInfo().username,
+      os5.arch(),
+      os5.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto2.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
+  }
+}
+function readMachineId() {
+  try {
+    const { readFileSync: readFileSync5 } = __require("fs");
+    return readFileSync5("/etc/machine-id", "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto2 = __require("crypto");
+  const iv = crypto2.randomBytes(12);
+  const cipher = crypto2.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
+  try {
+    const crypto2 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto2.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
+  }
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
+async function getMasterKey() {
+  let nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (!nativeValue) {
+    const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
+    if (legacyValue) {
+      const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
+      if (migrated) {
+        macKeychainDelete(LEGACY_SERVICE);
+        linuxSecretDelete(LEGACY_SERVICE);
+        process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
+      }
+      nativeValue = legacyValue;
+    }
+  }
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
+  }
+  const keytar = await tryKeytar();
+  if (keytar) {
+    try {
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
+      if (legacyKeytarValue) {
+        const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+          try {
+            await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
+          } catch {
+          }
+        }
+        return Buffer.from(legacyKeytarValue, "base64");
+      }
+    } catch {
+    }
+  }
+  const keyPath = getKeyPath();
+  if (!existsSync6(keyPath)) {
+    process.stderr.write(
+      `[keychain] Key not found at ${keyPath} (HOME=${os5.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
+`
+    );
+    return null;
+  }
+  try {
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase during setup: exe-os setup\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+      return key;
+    }
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
+      try {
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
+      } catch {
+      }
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
+      }
+    }
+    return key;
+  } catch (err) {
+    process.stderr.write(
+      `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+    return null;
+  }
+}
+
+// src/lib/store.ts
+init_config();
+
+// src/lib/state-bus.ts
+var StateBus = class {
+  handlers = /* @__PURE__ */ new Map();
+  globalHandlers = /* @__PURE__ */ new Set();
+  /** Emit an event to all subscribers */
+  emit(event) {
+    const typeHandlers = this.handlers.get(event.type);
+    if (typeHandlers) {
+      for (const handler of typeHandlers) {
+        try {
+          handler(event);
+        } catch {
+        }
+      }
+    }
+    for (const handler of this.globalHandlers) {
+      try {
+        handler(event);
+      } catch {
+      }
+    }
+  }
+  /** Subscribe to a specific event type */
+  on(type, handler) {
+    if (!this.handlers.has(type)) {
+      this.handlers.set(type, /* @__PURE__ */ new Set());
+    }
+    this.handlers.get(type).add(handler);
+  }
+  /** Subscribe to ALL events */
+  onAny(handler) {
+    this.globalHandlers.add(handler);
+  }
+  /** Unsubscribe from a specific event type */
+  off(type, handler) {
+    this.handlers.get(type)?.delete(handler);
+  }
+  /** Unsubscribe from ALL events */
+  offAny(handler) {
+    this.globalHandlers.delete(handler);
+  }
+  /** Remove all listeners */
+  clear() {
+    this.handlers.clear();
+    this.globalHandlers.clear();
+  }
+};
+var orgBus = new StateBus();
+
+// src/lib/memory-write-governor.ts
+import { createHash } from "crypto";
+var HIGH_VALUE_SUPERSESSION_TYPES = /* @__PURE__ */ new Set([
+  "decision",
+  "adr",
+  "behavior",
+  "procedure"
+]);
+async function runPostWriteMemoryHygiene(memoryId) {
+  try {
+    const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+    const client = getClient2();
+    const current = await client.execute({
+      sql: `SELECT id, agent_id, project_name, memory_type, content_hash, supersedes_id,
+                   importance, timestamp
+            FROM memories
+            WHERE id = ?
+            LIMIT 1`,
+      args: [memoryId]
+    });
+    const row = current.rows[0];
+    if (!row) return;
+    const memoryType = String(row.memory_type ?? "raw");
+    const contentHash = row.content_hash ? String(row.content_hash) : null;
+    const agentId = String(row.agent_id);
+    const projectName = String(row.project_name);
+    if (contentHash) {
+      await client.execute({
+        sql: `UPDATE memories
+              SET status = 'deleted',
+                  outcome = COALESCE(outcome, 'superseded')
+              WHERE id != ?
+                AND content_hash = ?
+                AND agent_id = ?
+                AND project_name = ?
+                AND COALESCE(memory_type, 'raw') = ?
+                AND COALESCE(status, 'active') = 'active'`,
+        args: [memoryId, contentHash, agentId, projectName, memoryType]
+      });
+    }
+    const supersedesId = row.supersedes_id ? String(row.supersedes_id) : null;
+    if (supersedesId && HIGH_VALUE_SUPERSESSION_TYPES.has(memoryType)) {
+      const old = await client.execute({
+        sql: `SELECT importance FROM memories WHERE id = ? LIMIT 1`,
+        args: [supersedesId]
+      });
+      const oldImportance = Number(old.rows[0]?.importance ?? 0);
+      const newImportance = Number(row.importance ?? 0);
+      await client.batch([
+        {
+          sql: `UPDATE memories
+                SET status = 'archived',
+                    outcome = COALESCE(outcome, 'superseded')
+                WHERE id = ?`,
+          args: [supersedesId]
+        },
+        {
+          sql: `UPDATE memories
+                SET importance = MAX(COALESCE(importance, 5), ?),
+                    parent_memory_id = COALESCE(parent_memory_id, ?)
+                WHERE id = ?`,
+          args: [Math.max(oldImportance, newImportance), supersedesId, memoryId]
+        }
+      ], "write");
+    }
+  } catch (err) {
+    process.stderr.write(
+      `[memory-governor] post-write hygiene failed for ${memoryId}: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+  }
+}
+function schedulePostWriteMemoryHygiene(memoryIds) {
+  if (process.env.EXE_SKIP_MEMORY_HYGIENE === "1") return;
+  if (memoryIds.length === 0) return;
+  const run = () => {
+    void Promise.all(memoryIds.map((id) => runPostWriteMemoryHygiene(id)));
+  };
+  if (typeof setImmediate === "function") setImmediate(run);
+  else setTimeout(run, 0);
+}
+
+// src/lib/store.ts
+var INIT_MAX_RETRIES = 3;
+var INIT_RETRY_DELAY_MS = 1e3;
+function isBusyError2(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
+  }
+  return false;
+}
+async function retryOnBusy2(fn, label) {
+  for (let attempt = 0; attempt <= INIT_MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      if (!isBusyError2(err) || attempt === INIT_MAX_RETRIES) throw err;
+      process.stderr.write(
+        `[store] SQLITE_BUSY during ${label}, retry ${attempt + 1}/${INIT_MAX_RETRIES}
+`
+      );
+      await new Promise((r) => setTimeout(r, INIT_RETRY_DELAY_MS * (attempt + 1)));
+    }
+  }
+  throw new Error("unreachable");
+}
+var _pendingRecords = [];
+var _batchSize = 20;
+var _flushIntervalMs = 1e4;
+var _flushTimer = null;
+var _flushing = false;
+var _nextVersion = 1;
+async function initStore(options) {
+  if (_flushTimer !== null) {
+    clearInterval(_flushTimer);
+    _flushTimer = null;
+  }
+  _pendingRecords = [];
+  _flushing = false;
+  _batchSize = options?.batchSize ?? 20;
+  _flushIntervalMs = options?.flushIntervalMs ?? 1e4;
+  let dbPath = options?.dbPath;
+  if (!dbPath) {
+    const config = await loadConfig();
+    dbPath = config.dbPath;
+  }
+  let masterKey = options?.masterKey ?? null;
+  if (!masterKey) {
+    masterKey = await getMasterKey();
+    if (!masterKey) {
+      throw new Error(
+        "No encryption key found. Run /exe-setup to generate one."
+      );
+    }
+  }
+  const hexKey = masterKey.toString("hex");
+  await initTurso({
+    dbPath,
+    encryptionKey: hexKey
+  });
+  await retryOnBusy2(() => ensureSchema(), "ensureSchema");
+  try {
+    const { initDaemonClient: initDaemonClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+    await initDaemonClient2();
+  } catch {
+  }
+  if (!options?.lightweight) {
+    try {
+      const { initShardManager: initShardManager2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
+      initShardManager2(hexKey);
+    } catch {
+    }
+    const client = getClient();
+    const vResult = await retryOnBusy2(
+      () => client.execute("SELECT MAX(version) as max_v FROM memories"),
+      "version-query"
+    );
+    _nextVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
+    try {
+      const { loadGlobalProcedures: loadGlobalProcedures2 } = await Promise.resolve().then(() => (init_global_procedures(), global_procedures_exports));
+      await loadGlobalProcedures2();
+    } catch {
+    }
+  }
+}
+async function flushBatch() {
+  if (_flushing || _pendingRecords.length === 0) return 0;
+  _flushing = true;
+  try {
+    const batch = _pendingRecords.slice(0);
+    const client = getClient();
+    const vResult = await client.execute("SELECT MAX(version) as max_v FROM memories");
+    let baseVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
+    for (const row of batch) {
+      row.version = baseVersion++;
+    }
+    _nextVersion = baseVersion;
+    const buildStmt = (row) => {
+      const hasVector = row.vector !== null;
+      const taskId = row.task_id ?? null;
+      const importance = row.importance ?? 5;
+      const status = row.status ?? "active";
+      const confidence = row.confidence ?? 0.7;
+      const lastAccessed = row.last_accessed ?? row.timestamp;
+      const workspaceId = row.workspace_id ?? null;
+      const documentId = row.document_id ?? null;
+      const userId = row.user_id ?? null;
+      const charOffset = row.char_offset ?? null;
+      const pageNumber = row.page_number ?? null;
+      const sourcePath = row.source_path ?? null;
+      const sourceType = row.source_type ?? null;
+      const tier = row.tier ?? 3;
+      const supersedesId = row.supersedes_id ?? null;
+      const draft = row.draft ? 1 : 0;
+      const memoryType = row.memory_type ?? "raw";
+      const trajectory = row.trajectory ?? null;
+      const contentHash = row.content_hash ?? null;
+      const intent = row.intent ?? null;
+      const outcome = row.outcome ?? null;
+      const domain = row.domain ?? null;
+      const referencedEntities = row.referenced_entities ?? null;
+      const retrievalCount = row.retrieval_count ?? 0;
+      const chainPosition = row.chain_position ?? null;
+      const reviewStatus = row.review_status ?? null;
+      const contextWindowPct = row.context_window_pct ?? null;
+      const filePaths = row.file_paths ?? null;
+      const commitHash = row.commit_hash ?? null;
+      const durationMs = row.duration_ms ?? null;
+      const tokenCost = row.token_cost ?? null;
+      const audience = row.audience ?? null;
+      const languageType = row.language_type ?? null;
+      const parentMemoryId = row.parent_memory_id ?? null;
+      const cols = `id, agent_id, agent_role, session_id, timestamp,
+               tool_name, project_name,
+               has_error, raw_text, vector, version, task_id, importance, status,
+               confidence, last_accessed,
+               workspace_id, document_id, user_id, char_offset, page_number,
+               source_path, source_type, tier, supersedes_id, draft, memory_type, trajectory, content_hash,
+               intent, outcome, domain, referenced_entities, retrieval_count,
+               chain_position, review_status, context_window_pct, file_paths, commit_hash,
+               duration_ms, token_cost, audience, language_type, parent_memory_id`;
+      const metaArgs = [
+        intent,
+        outcome,
+        domain,
+        referencedEntities,
+        retrievalCount,
+        chainPosition,
+        reviewStatus,
+        contextWindowPct,
+        filePaths,
+        commitHash,
+        durationMs,
+        tokenCost,
+        audience,
+        languageType,
+        parentMemoryId
+      ];
+      const baseArgs = [
+        row.id,
+        row.agent_id,
+        row.agent_role,
+        row.session_id,
+        row.timestamp,
+        row.tool_name,
+        row.project_name,
+        row.has_error,
+        row.raw_text
+      ];
+      const sharedArgs = [
+        row.version,
+        taskId,
+        importance,
+        status,
+        confidence,
+        lastAccessed,
+        workspaceId,
+        documentId,
+        userId,
+        charOffset,
+        pageNumber,
+        sourcePath,
+        sourceType,
+        tier,
+        supersedesId,
+        draft,
+        memoryType,
+        trajectory,
+        contentHash
+      ];
+      return {
+        sql: hasVector ? `INSERT OR IGNORE INTO memories (${cols})
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, vector32(?), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)` : `INSERT OR IGNORE INTO memories (${cols})
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        args: hasVector ? [...baseArgs, vectorToBlob(row.vector), ...sharedArgs, ...metaArgs] : [...baseArgs, ...sharedArgs, ...metaArgs]
+      };
+    };
+    const globalClient = getClient();
+    const globalStmts = batch.map(buildStmt);
+    await globalClient.batch(globalStmts, "write");
+    try {
+      const { insertMemoryCardsForBatch: insertMemoryCardsForBatch2 } = await Promise.resolve().then(() => (init_memory_cards(), memory_cards_exports));
+      await insertMemoryCardsForBatch2(batch);
+    } catch {
+    }
+    try {
+      const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
+      await insertOntologyForBatch2(batch);
+    } catch {
+    }
+    schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
+    _pendingRecords.splice(0, batch.length);
+    try {
+      const { isShardingEnabled: isShardingEnabled2, getReadyShardClient: getReadyShardClient2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
+      if (isShardingEnabled2()) {
+        const byProject = /* @__PURE__ */ new Map();
+        let skippedUnknown = 0;
+        for (const row of batch) {
+          const proj = row.project_name?.trim();
+          if (!proj) {
+            skippedUnknown++;
+            continue;
+          }
+          if (!byProject.has(proj)) byProject.set(proj, []);
+          byProject.get(proj).push(row);
+        }
+        if (skippedUnknown > 0) {
+          process.stderr.write(
+            `[store] Shard skip: ${skippedUnknown} record(s) with empty project_name (kept in main DB only)
+`
+          );
+        }
+        for (const [project, rows] of byProject) {
+          try {
+            const shardClient = await getReadyShardClient2(project);
+            const shardStmts = rows.map(buildStmt);
+            await shardClient.batch(shardStmts, "write");
+          } catch (err) {
+            const fullError = err instanceof Error ? `${err.name}: ${err.message}${err.stack ? `
+${err.stack.split("\n").slice(1, 3).join("\n")}` : ""}` : String(err);
+            process.stderr.write(
+              `[store] Shard write failed for ${project} (${rows.length} records): ${fullError}
+`
+            );
+          }
+        }
+      }
+    } catch {
+    }
+    return batch.length;
+  } finally {
+    _flushing = false;
+  }
+}
+async function disposeStore() {
+  if (_flushTimer !== null) {
+    clearInterval(_flushTimer);
+    _flushTimer = null;
+  }
+  if (_pendingRecords.length > 0) {
+    await flushBatch();
+  }
+  await disposeTurso();
+  _pendingRecords = [];
+  _nextVersion = 1;
+}
+function vectorToBlob(vector) {
+  const f32 = vector instanceof Float32Array ? vector : new Float32Array(vector);
+  return JSON.stringify(Array.from(f32));
+}
+
+// src/bin/agentic-ontology-backfill.ts
+init_database();
+init_agentic_ontology();
+var BATCH_SIZE = 500;
+async function main() {
+  await initStore({ lightweight: true });
+  const client = getClient();
+  let offset = 0;
+  let total = 0;
+  while (true) {
+    const result = await client.execute({
+      sql: `SELECT id, agent_id, agent_role, session_id, timestamp, tool_name, project_name,
+                   has_error, raw_text, version, task_id, intent, outcome, domain, trajectory
+            FROM memories
+            WHERE id NOT IN (SELECT evidence_memory_id FROM agent_events WHERE evidence_memory_id IS NOT NULL)
+            ORDER BY version ASC, timestamp ASC
+            LIMIT ? OFFSET ?`,
+      args: [BATCH_SIZE, offset]
+    });
+    if (result.rows.length === 0) break;
+    const rows = result.rows.map((row) => ({
+      id: String(row.id),
+      agent_id: String(row.agent_id),
+      agent_role: String(row.agent_role),
+      session_id: String(row.session_id),
+      timestamp: String(row.timestamp),
+      tool_name: String(row.tool_name),
+      project_name: String(row.project_name),
+      has_error: Number(row.has_error ?? 0),
+      raw_text: String(row.raw_text),
+      version: Number(row.version ?? 0),
+      task_id: row.task_id == null ? null : String(row.task_id),
+      intent: row.intent == null ? null : String(row.intent),
+      outcome: row.outcome == null ? null : String(row.outcome),
+      domain: row.domain == null ? null : String(row.domain),
+      trajectory: row.trajectory == null ? null : String(row.trajectory)
+    }));
+    const inserted = await insertOntologyForBatch(rows, client);
+    total += inserted;
+    process.stderr.write(`[agentic-ontology-backfill] +${inserted} memories projected (${total} total)
+`);
+    offset = 0;
+  }
+  process.stderr.write(`[agentic-ontology-backfill] Complete: ${total} memories projected.
+`);
+  await disposeStore();
+}
+main().catch((err) => {
+  process.stderr.write(`[agentic-ontology-backfill] FATAL: ${err instanceof Error ? err.message : String(err)}
+`);
+  process.exit(1);
+});