@askexenow/exe-os 0.9.65 → 0.9.67

package/dist/bin/exe-start-codex.js

@@ -214,6 +214,11 @@ function normalizeAutoUpdate(raw) {
   const userAU = raw.autoUpdate ?? {};
   raw.autoUpdate = { ...defaultAU, ...userAU };
 }
+function normalizeOrchestration(raw) {
+  const defaultOrg = DEFAULT_CONFIG.orchestration;
+  const userOrg = raw.orchestration ?? {};
+  raw.orchestration = { ...defaultOrg, ...userOrg };
+}
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   await ensurePrivateDir(dir);
@@ -238,10 +243,15 @@ async function loadConfig() {
     normalizeScalingRoadmap(migratedCfg);
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
+    normalizeOrchestration(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
     }
+    const envDbPath = path.join(dir, "memories.db");
+    if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
+      config.dbPath = envDbPath;
+    }
     return config;
   } catch {
     return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
@@ -261,7 +271,16 @@ function loadConfigSync() {
     normalizeScalingRoadmap(migratedCfg);
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
-    return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
+    normalizeOrchestration(migratedCfg);
+    const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
+    if (config.dbPath.startsWith("~")) {
+      config.dbPath = config.dbPath.replace(/^~/, os.homedir());
+    }
+    const envDbPath = path.join(dir, "memories.db");
+    if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
+      config.dbPath = envDbPath;
+    }
+    return config;
   } catch {
     return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
   }
@@ -282,6 +301,7 @@ async function loadConfigFrom(configPath) {
     normalizeScalingRoadmap(migratedCfg);
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
+    normalizeOrchestration(migratedCfg);
     return { ...DEFAULT_CONFIG, ...migratedCfg };
   } catch {
     return { ...DEFAULT_CONFIG };
@@ -353,6 +373,10 @@ var init_config = __esm({
         checkOnBoot: true,
         autoInstall: false,
         checkIntervalMs: 24 * 60 * 60 * 1e3
+      },
+      orchestration: {
+        phase: "phase_1_coo",
+        phaseSetBy: "default"
       }
     };
     CONFIG_MIGRATIONS = [
@@ -1596,6 +1620,9 @@ function getClient() {
   if (_daemonClient && _daemonClient._isDaemonActive()) {
     return _daemonClient;
   }
+  if (!_resilientClient) {
+    return _adapterClient;
+  }
   return _resilientClient;
 }
 async function initDaemonClient() {
@@ -2628,6 +2655,127 @@ async function ensureSchema() {
       VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
     END;
   `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS agent_sessions (
+      id              TEXT PRIMARY KEY,
+      agent_id        TEXT NOT NULL,
+      project_name    TEXT,
+      started_at      TEXT NOT NULL,
+      last_event_at   TEXT NOT NULL,
+      event_count     INTEGER NOT NULL DEFAULT 0,
+      properties      TEXT DEFAULT '{}'
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
+      ON agent_sessions(agent_id, started_at);
+
+    CREATE TABLE IF NOT EXISTS agent_goals (
+      id                TEXT PRIMARY KEY,
+      statement         TEXT NOT NULL,
+      owner_agent_id    TEXT,
+      project_name      TEXT,
+      status            TEXT NOT NULL DEFAULT 'open',
+      priority          INTEGER NOT NULL DEFAULT 5,
+      success_criteria  TEXT,
+      parent_goal_id    TEXT,
+      due_at            TEXT,
+      achieved_at       TEXT,
+      supersedes_id     TEXT,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL,
+      source_memory_id  TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
+      ON agent_goals(project_name, status, priority);
+
+    CREATE TABLE IF NOT EXISTS agent_events (
+      id                  TEXT PRIMARY KEY,
+      event_type          TEXT NOT NULL,
+      occurred_at         TEXT NOT NULL,
+      sequence_index      INTEGER NOT NULL,
+      actor_agent_id      TEXT,
+      agent_role          TEXT,
+      project_name        TEXT,
+      session_id          TEXT,
+      task_id             TEXT,
+      goal_id             TEXT,
+      parent_event_id     TEXT,
+      intention           TEXT,
+      outcome             TEXT,
+      evidence_memory_id  TEXT,
+      impact              TEXT,
+      payload             TEXT DEFAULT '{}',
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_time
+      ON agent_events(occurred_at, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
+      ON agent_events(session_id, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
+      ON agent_events(goal_id, occurred_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_memory
+      ON agent_events(evidence_memory_id);
+
+    CREATE TABLE IF NOT EXISTS agent_goal_links (
+      id           TEXT PRIMARY KEY,
+      goal_id      TEXT NOT NULL,
+      link_type    TEXT NOT NULL,
+      target_id    TEXT NOT NULL,
+      target_type  TEXT NOT NULL,
+      created_at   TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
+      ON agent_goal_links(goal_id, target_type);
+
+    CREATE TABLE IF NOT EXISTS agent_semantic_labels (
+      id                TEXT PRIMARY KEY,
+      source_memory_id  TEXT NOT NULL,
+      event_id          TEXT,
+      labeler           TEXT NOT NULL,
+      schema_version    INTEGER NOT NULL DEFAULT 1,
+      confidence        REAL NOT NULL DEFAULT 0,
+      labels            TEXT NOT NULL,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
+      ON agent_semantic_labels(source_memory_id, labeler);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
+      ON agent_semantic_labels(event_id);
+
+    CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
+      id                  TEXT PRIMARY KEY,
+      project_name        TEXT,
+      session_id          TEXT,
+      window_start_at     TEXT NOT NULL,
+      window_end_at       TEXT NOT NULL,
+      event_count         INTEGER NOT NULL DEFAULT 0,
+      goal_count          INTEGER NOT NULL DEFAULT 0,
+      success_count       INTEGER NOT NULL DEFAULT 0,
+      failure_count       INTEGER NOT NULL DEFAULT 0,
+      risk_count          INTEGER NOT NULL DEFAULT 0,
+      summary             TEXT NOT NULL,
+      learnings           TEXT NOT NULL DEFAULT '[]',
+      next_actions        TEXT NOT NULL DEFAULT '[]',
+      evidence_event_ids  TEXT NOT NULL DEFAULT '[]',
+      confidence          REAL NOT NULL DEFAULT 0,
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
+      ON agent_reflection_checkpoints(project_name, window_end_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
+      ON agent_reflection_checkpoints(session_id, window_end_at);
+  `);
   try {
     await client.execute({
       sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -2791,7 +2939,7 @@ __export(shard_manager_exports, {
   shardExists: () => shardExists
 });
 import path7 from "path";
-import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync2 } from "fs";
+import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync3 } from "fs";
 import { createClient as createClient2 } from "@libsql/client";
 function initShardManager(encryptionKey) {
   _encryptionKey = encryptionKey;
@@ -2855,7 +3003,7 @@ async function auditShardHealth(options = {}) {
   const shards = [];
   for (const name of names) {
     const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
-    const stat = statSync2(dbPath);
+    const stat = statSync3(dbPath);
     const item = {
       name,
       path: dbPath,
@@ -3108,7 +3256,7 @@ async function getReadyShardClient(projectName) {
     _shardLastAccess.delete(safeName);
     const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
     if (existsSync7(dbPath)) {
-      const stat = statSync2(dbPath);
+      const stat = statSync3(dbPath);
       const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
       const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
       renameSync3(dbPath, archivedPath);
@@ -3228,6 +3376,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
       },
+      {
+        title: "Customer orchestration maturity \u2014 recommend, never trap",
+        domain: "workflow",
+        priority: "p1",
+        content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
+      },
       {
         title: "Single dispatch path \u2014 create_task only",
         domain: "workflow",
@@ -3286,6 +3440,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
       },
+      {
+        title: "Commit discipline \u2014 never leave verified work floating",
+        domain: "workflow",
+        priority: "p1",
+        content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
+      },
       {
         title: "Desktop and TUI are the same product",
         domain: "architecture",
@@ -3603,6 +3763,274 @@ var init_memory_cards = __esm({
   }
 });
 
+// src/lib/agentic-ontology.ts
+var agentic_ontology_exports = {};
+__export(agentic_ontology_exports, {
+  clean: () => clean,
+  extractGoalCandidates: () => extractGoalCandidates,
+  inferIntention: () => inferIntention,
+  inferOntologyEventType: () => inferOntologyEventType,
+  inferOutcome: () => inferOutcome,
+  inferSemanticLabel: () => inferSemanticLabel,
+  insertOntologyForBatch: () => insertOntologyForBatch,
+  insertOntologyForMemory: () => insertOntologyForMemory,
+  ontologyPayload: () => ontologyPayload,
+  stableId: () => stableId2
+});
+import { createHash as createHash3 } from "crypto";
+function stableId2(...parts) {
+  return createHash3("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
+}
+function clean(text, max = 240) {
+  return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
+}
+function inferOntologyEventType(row) {
+  const lower = row.raw_text.toLowerCase();
+  if (row.has_error) return "error";
+  if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
+  if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
+  if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
+  if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
+  if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
+  if (row.tool_name.startsWith("memory_card")) return "memory_card";
+  return "memory_observation";
+}
+function inferIntention(row) {
+  if (row.intent) return clean(row.intent, 220);
+  const text = clean(row.raw_text, 1e3);
+  const patterns = [
+    /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
+    /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
+    /(?:task|plan):\s*([^.!?\n]{8,220})/i
+  ];
+  for (const p of patterns) {
+    const m = text.match(p);
+    if (m?.[1]) return clean(m[1], 220);
+  }
+  if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
+    return `${row.tool_name} during ${row.project_name}`;
+  }
+  return null;
+}
+function inferOutcome(row) {
+  if (row.outcome) return clean(row.outcome, 220);
+  if (row.has_error) return "error";
+  const lower = row.raw_text.toLowerCase();
+  if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
+  if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
+  if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
+  return null;
+}
+function extractGoalCandidates(row) {
+  const text = clean(row.raw_text, 1600);
+  const patterns = [
+    /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
+    /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
+  ];
+  const out = [];
+  for (const pattern of patterns) {
+    for (const m of text.matchAll(pattern)) {
+      const candidate = clean(m[1] ?? "", 220);
+      if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
+      if (out.length >= 3) return out;
+    }
+  }
+  return out;
+}
+function uniq(values, max = 6) {
+  const out = [];
+  for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
+    if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
+    if (out.length >= max) break;
+  }
+  return out;
+}
+function extractMatches(text, patterns, max = 5) {
+  const out = [];
+  for (const pattern of patterns) {
+    for (const match of text.matchAll(pattern)) {
+      const value = match[1] ?? match[0];
+      if (value) out.push(value);
+      if (out.length >= max) return uniq(out, max);
+    }
+  }
+  return uniq(out, max);
+}
+function inferSemanticLabel(row) {
+  const text = clean(row.raw_text, 2400);
+  const eventType = inferOntologyEventType(row);
+  const intention = inferIntention(row);
+  const outcome = inferOutcome(row);
+  const goals = extractGoalCandidates(row);
+  const milestones = extractMatches(text, [
+    /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
+    /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
+  ]);
+  const problems = extractMatches(text, [
+    /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
+    /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
+  ]);
+  const decisions = extractMatches(text, [
+    /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
+  ]);
+  const temporalAnchors = extractMatches(text, [
+    /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
+    /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
+  ], 8);
+  const nextActions = extractMatches(text, [
+    /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
+  ]);
+  const actors = uniq([
+    row.agent_id,
+    ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
+  ], 6);
+  const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
+  const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
+  const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
+  const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
+  return {
+    labeler: "deterministic",
+    schemaVersion: 1,
+    eventType,
+    intention,
+    outcome,
+    impact,
+    confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
+    goals,
+    milestones,
+    problems,
+    decisions,
+    actors,
+    temporalAnchors,
+    successSignals,
+    failureSignals,
+    nextActions,
+    summary: clean(text, 280)
+  };
+}
+function ontologyPayload(row) {
+  const semantic = inferSemanticLabel(row);
+  return {
+    tool_name: row.tool_name,
+    memory_version: row.version ?? null,
+    domain: row.domain ?? null,
+    trajectory: row.trajectory ? safeJson(row.trajectory) : null,
+    semantic
+  };
+}
+function safeJson(value) {
+  try {
+    return JSON.parse(value);
+  } catch {
+    return value.slice(0, 1e3);
+  }
+}
+async function resolveClient(client) {
+  if (client) return client;
+  const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+  return getClient2();
+}
+async function insertOntologyForMemory(row, client) {
+  const db = await resolveClient(client);
+  const occurredAt = row.timestamp;
+  const sequence = Number(row.version ?? 0) || Math.floor(new Date(occurredAt).getTime() / 1e3);
+  const eventType = inferOntologyEventType(row);
+  const intention = inferIntention(row);
+  const outcome = inferOutcome(row);
+  const eventId = stableId2("event", row.id);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.execute({
+    sql: `INSERT INTO agent_sessions (id, agent_id, project_name, started_at, last_event_at, event_count, properties)
+          VALUES (?, ?, ?, ?, ?, 1, ?)
+          ON CONFLICT(id) DO UPDATE SET last_event_at = MAX(last_event_at, excluded.last_event_at),
+            event_count = event_count + 1`,
+    args: [row.session_id, row.agent_id, row.project_name, occurredAt, occurredAt, JSON.stringify({ agent_role: row.agent_role })]
+  });
+  await db.execute({
+    sql: `INSERT OR IGNORE INTO agent_events
+          (id, event_type, occurred_at, sequence_index, actor_agent_id, agent_role, project_name,
+           session_id, task_id, goal_id, parent_event_id, intention, outcome, evidence_memory_id,
+           impact, payload, created_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, ?, ?, ?, ?, ?, ?)`,
+    args: [
+      eventId,
+      eventType,
+      occurredAt,
+      sequence,
+      row.agent_id,
+      row.agent_role,
+      row.project_name,
+      row.session_id,
+      row.task_id ?? null,
+      intention,
+      outcome,
+      row.id,
+      row.has_error ? "negative" : outcome === "success_signal" ? "positive" : "neutral",
+      JSON.stringify(ontologyPayload(row)),
+      now
+    ]
+  });
+  const semantic = inferSemanticLabel(row);
+  await db.execute({
+    sql: `INSERT INTO agent_semantic_labels
+          (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+          ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence,
+            labels = excluded.labels, updated_at = excluded.updated_at`,
+    args: [
+      stableId2("semantic", row.id, semantic.labeler, semantic.schemaVersion),
+      row.id,
+      eventId,
+      semantic.labeler,
+      semantic.schemaVersion,
+      semantic.confidence,
+      JSON.stringify(semantic),
+      now,
+      now
+    ]
+  });
+  for (const statement of extractGoalCandidates(row)) {
+    const goalId = stableId2("goal", row.project_name, statement.toLowerCase());
+    await db.execute({
+      sql: `INSERT INTO agent_goals
+            (id, statement, owner_agent_id, project_name, status, priority, success_criteria,
+             parent_goal_id, due_at, achieved_at, supersedes_id, created_at, updated_at, source_memory_id)
+            VALUES (?, ?, ?, ?, 'open', 5, NULL, NULL, NULL, NULL, NULL, ?, ?, ?)
+            ON CONFLICT(id) DO UPDATE SET updated_at = excluded.updated_at`,
+      args: [goalId, statement, row.agent_id, row.project_name, now, now, row.id]
+    });
+    await db.execute({
+      sql: `INSERT OR IGNORE INTO agent_goal_links
+            (id, goal_id, link_type, target_id, target_type, created_at)
+            VALUES (?, ?, 'evidence', ?, 'memory', ?)`,
+      args: [stableId2("goal_link", goalId, row.id, "memory"), goalId, row.id, now]
+    });
+    await db.execute({
+      sql: `INSERT OR IGNORE INTO agent_goal_links
+            (id, goal_id, link_type, target_id, target_type, created_at)
+            VALUES (?, ?, 'event', ?, 'event', ?)`,
+      args: [stableId2("goal_link", goalId, eventId, "event"), goalId, eventId, now]
+    });
+  }
+}
+async function insertOntologyForBatch(rows, client) {
+  const db = await resolveClient(client);
+  let count = 0;
+  for (const row of rows) {
+    try {
+      await insertOntologyForMemory(row, db);
+      count++;
+    } catch {
+    }
+  }
+  return count;
+}
+var init_agentic_ontology = __esm({
+  "src/lib/agentic-ontology.ts"() {
+    "use strict";
+  }
+});
+
 // src/lib/runtime-table.ts
 var RUNTIME_TABLE, DEFAULT_RUNTIME;
 var init_runtime_table = __esm({
@@ -3941,6 +4369,56 @@ var init_preferences = __esm({
   }
 });
 
+// src/adapters/mcp-http-config.ts
+import { chmodSync as chmodSync2, existsSync as existsSync11, mkdirSync as mkdirSync6, readFileSync as readFileSync7, writeFileSync as writeFileSync6 } from "fs";
+import { randomBytes } from "crypto";
+import path12 from "path";
+import os9 from "os";
+function mcpHttpPort() {
+  return process.env.EXE_MCP_PORT || DEFAULT_MCP_HTTP_PORT;
+}
+function mcpHttpUrl() {
+  return `http://127.0.0.1:${mcpHttpPort()}/mcp`;
+}
+function readOrCreateDaemonToken(homeDir = os9.homedir()) {
+  const exeDir = path12.join(homeDir, ".exe-os");
+  const tokenPath = path12.join(exeDir, "exed.token");
+  if (existsSync11(tokenPath)) {
+    try {
+      const token2 = readFileSync7(tokenPath, "utf-8").trim();
+      if (/^[a-f0-9]{64}$/i.test(token2)) return token2;
+    } catch {
+    }
+  }
+  const token = randomBytes(32).toString("hex");
+  mkdirSync6(exeDir, { recursive: true });
+  writeFileSync6(tokenPath, `${token}
+`, "utf-8");
+  try {
+    chmodSync2(tokenPath, 384);
+  } catch {
+  }
+  return token;
+}
+function buildMcpHttpHeaders(homeDir = os9.homedir(), opts = {}) {
+  const agentId = opts.useShellPlaceholders ? "${AGENT_ID:-exe}" : opts.agentId ?? DEFAULT_MCP_HTTP_AGENT_ID;
+  const agentRole = opts.useShellPlaceholders ? "${AGENT_ROLE:-COO}" : opts.agentRole ?? DEFAULT_MCP_HTTP_AGENT_ROLE;
+  return {
+    Authorization: `Bearer ${readOrCreateDaemonToken(homeDir)}`,
+    "X-Agent-Id": agentId,
+    "X-Agent-Role": agentRole
+  };
+}
+var DEFAULT_MCP_HTTP_PORT, DEFAULT_MCP_HTTP_AGENT_ID, DEFAULT_MCP_HTTP_AGENT_ROLE;
+var init_mcp_http_config = __esm({
+  "src/adapters/mcp-http-config.ts"() {
+    "use strict";
+    DEFAULT_MCP_HTTP_PORT = "48739";
+    DEFAULT_MCP_HTTP_AGENT_ID = "exe";
+    DEFAULT_MCP_HTTP_AGENT_ROLE = "COO";
+  }
+});
+
 // src/adapters/runtime-hook-manifest.ts
 function commandHasAnyMarker(command, markers) {
   return markers.some((marker) => command.includes(marker));
@@ -3948,7 +4426,7 @@ function commandHasAnyMarker(command, markers) {
 function isLegacySplitPostToolCommand(command) {
   return commandHasAnyMarker(command, LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS);
 }
-var EXE_HOOKS, LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS;
+var EXE_HOOKS, EXE_HOOK_MANIFEST, LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS;
 var init_runtime_hook_manifest = __esm({
   "src/adapters/runtime-hook-manifest.ts"() {
     "use strict";
@@ -3966,6 +4444,116 @@ var init_runtime_hook_manifest = __esm({
       notification: "dist/hooks/notification.js",
       instructionsLoaded: "dist/hooks/instructions-loaded.js"
     };
+    EXE_HOOK_MANIFEST = [
+      {
+        key: "postToolCombined",
+        event: "PostToolUse",
+        commandMarker: EXE_HOOKS.postToolCombined,
+        owner: "exe-os",
+        purpose: "Single PostToolUse entrypoint for ingestion, error recall, summaries, and bug detection.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "none"
+      },
+      {
+        key: "sessionStart",
+        event: "SessionStart",
+        commandMarker: EXE_HOOKS.sessionStart,
+        owner: "exe-os",
+        purpose: "Loads agent identity, procedures, and boot context.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "none"
+      },
+      {
+        key: "promptSubmit",
+        event: "UserPromptSubmit",
+        commandMarker: EXE_HOOKS.promptSubmit,
+        owner: "exe-os",
+        purpose: "Injects current tasks, pending reviews, and local context before each prompt.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "none"
+      },
+      {
+        key: "heartbeat",
+        event: "UserPromptSubmit",
+        commandMarker: EXE_HOOKS.heartbeat,
+        owner: "exe-os",
+        purpose: "Lightweight heartbeat/status sidecar for Claude Code sessions.",
+        runtimes: ["claude"],
+        checkpointRole: "none"
+      },
+      {
+        key: "stop",
+        event: "Stop",
+        commandMarker: EXE_HOOKS.stop,
+        owner: "exe-os",
+        purpose: "Finalizes task state, capacity signals, and emergency checkpointing.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "capacity_checkpoint"
+      },
+      {
+        key: "preToolUse",
+        event: "PreToolUse",
+        commandMarker: EXE_HOOKS.preToolUse,
+        owner: "exe-os",
+        purpose: "Preflight guardrails before shell/tool execution.",
+        runtimes: ["claude", "codex", "opencode"],
+        checkpointRole: "none"
+      },
+      {
+        key: "subagentStop",
+        event: "SubagentStop",
+        commandMarker: EXE_HOOKS.subagentStop,
+        owner: "exe-os",
+        purpose: "Captures subagent completion context.",
+        runtimes: ["claude"],
+        checkpointRole: "none"
+      },
+      {
+        key: "preCompact",
+        event: "PreCompact",
+        commandMarker: EXE_HOOKS.preCompact,
+        owner: "exe-os",
+        purpose: "Writes active-task snapshot and compaction recovery context.",
+        runtimes: ["claude"],
+        checkpointRole: "recovery_context"
+      },
+      {
+        key: "postCompact",
+        event: "PostCompact",
+        commandMarker: EXE_HOOKS.postCompact,
+        owner: "exe-os",
+        purpose: "Rehydrates recovery context after compaction.",
+        runtimes: ["claude"],
+        checkpointRole: "recovery_context"
+      },
+      {
+        key: "sessionEnd",
+        event: "SessionEnd",
+        commandMarker: EXE_HOOKS.sessionEnd,
+        owner: "exe-os",
+        purpose: "Stores session-end checkpoint and triages orphaned in-progress tasks.",
+        runtimes: ["claude"],
+        checkpointRole: "session_summary"
+      },
+      {
+        key: "notification",
+        event: "Notification",
+        commandMarker: EXE_HOOKS.notification,
+        owner: "exe-os",
+        purpose: "Captures runtime notifications and nudges.",
+        runtimes: ["claude"],
+        checkpointRole: "none"
+      },
+      {
+        key: "instructionsLoaded",
+        event: "InstructionsLoaded",
+        commandMarker: EXE_HOOKS.instructionsLoaded,
+        owner: "exe-os",
+        purpose: "Applies runtime instruction post-processing.",
+        runtimes: ["claude"],
+        checkpointRole: "none"
+      }
+    ];
     LEGACY_SPLIT_POST_TOOL_HOOK_MARKERS = [
       "dist/hooks/ingest.js",
       "dist/hooks/error-recall.js",
@@ -3975,29 +4563,29 @@ var init_runtime_hook_manifest = __esm({
 });
 
 // src/adapters/claude/installer.ts
-import { readFile as readFile4, writeFile as writeFile4, mkdir as mkdir4, readdir } from "fs/promises";
-import { existsSync as existsSync11, readFileSync as readFileSync7, writeFileSync as writeFileSync6, copyFileSync, mkdirSync as mkdirSync6, chmodSync as chmodSync2 } from "fs";
-import { createHash as createHash3, randomBytes } from "crypto";
-import path12 from "path";
-import os9 from "os";
+import { readFile as readFile4, writeFile as writeFile4, mkdir as mkdir4, readdir, rm } from "fs/promises";
+import { existsSync as existsSync12, readFileSync as readFileSync8, writeFileSync as writeFileSync7, copyFileSync, mkdirSync as mkdirSync7 } from "fs";
+import { createHash as createHash4 } from "crypto";
+import path13 from "path";
+import os10 from "os";
 import { execSync as execSync5 } from "child_process";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function resolvePackageRoot() {
   const thisFile = fileURLToPath2(import.meta.url);
-  let dir = path12.dirname(thisFile);
-  const root = path12.parse(dir).root;
+  let dir = path13.dirname(thisFile);
+  const root = path13.parse(dir).root;
   while (dir !== root) {
-    const pkgPath = path12.join(dir, "package.json");
-    if (existsSync11(pkgPath)) {
+    const pkgPath = path13.join(dir, "package.json");
+    if (existsSync12(pkgPath)) {
       try {
-        const pkg = JSON.parse(readFileSync7(pkgPath, "utf-8"));
+        const pkg = JSON.parse(readFileSync8(pkgPath, "utf-8"));
         if (pkg.name === "@askexenow/exe-os" || pkg.name === "exe-os") return dir;
       } catch {
       }
     }
-    dir = path12.dirname(dir);
+    dir = path13.dirname(dir);
   }
-  return path12.resolve(path12.dirname(thisFile), "..", "..", "..");
+  return path13.resolve(path13.dirname(thisFile), "..", "..", "..");
 }
 var EXE_SECTION_START, EXE_SECTION_END, ORCHESTRATION_RULES;
 var init_installer = __esm({
@@ -4006,6 +4594,7 @@ var init_installer = __esm({
     init_agent_symlinks();
     init_mcp_prefix();
     init_preferences();
+    init_mcp_http_config();
     init_runtime_hook_manifest();
     EXE_SECTION_START = "<!-- exe-os:orchestration-start -->";
     EXE_SECTION_END = "<!-- exe-os:orchestration-end -->";
@@ -4034,19 +4623,19 @@ __export(installer_exports, {
   verifyCodexHooks: () => verifyCodexHooks
 });
 import { readFile as readFile5, writeFile as writeFile5, mkdir as mkdir5 } from "fs/promises";
-import { existsSync as existsSync12 } from "fs";
-import path13 from "path";
-import os10 from "os";
-async function mergeCodexHooks(packageRoot, homeDir = os10.homedir()) {
-  const codexDir = path13.join(homeDir, ".codex");
-  const hooksPath = path13.join(codexDir, "hooks.json");
-  const logsDir = path13.join(homeDir, ".exe-os", "logs");
-  const hookLogPath = path13.join(logsDir, "hooks.log");
+import { existsSync as existsSync13, readFileSync as readFileSync9 } from "fs";
+import path14 from "path";
+import os11 from "os";
+async function mergeCodexHooks(packageRoot, homeDir = os11.homedir()) {
+  const codexDir = path14.join(homeDir, ".codex");
+  const hooksPath = path14.join(codexDir, "hooks.json");
+  const logsDir = path14.join(homeDir, ".exe-os", "logs");
+  const hookLogPath = path14.join(logsDir, "hooks.log");
   const logSuffix = ` 2>> "${hookLogPath}"`;
   await mkdir5(codexDir, { recursive: true });
   await mkdir5(logsDir, { recursive: true });
   let hooksJson = {};
-  if (existsSync12(hooksPath)) {
+  if (existsSync13(hooksPath)) {
     try {
       hooksJson = JSON.parse(await readFile5(hooksPath, "utf-8"));
     } catch {
@@ -4057,19 +4646,6 @@ async function mergeCodexHooks(packageRoot, homeDir = os10.homedir()) {
     hooksJson.hooks = {};
   }
   const hooksToRegister = [
-    {
-      event: "SessionStart",
-      group: {
-        hooks: [
-          {
-            type: "command",
-            command: `node "${path13.join(packageRoot, "dist", "hooks", "session-start.js")}"${logSuffix}`,
-            timeout: 30
-          }
-        ]
-      },
-      marker: EXE_HOOKS.sessionStart
-    },
     {
       event: "PostToolUse",
       group: {
@@ -4079,7 +4655,7 @@ async function mergeCodexHooks(packageRoot, homeDir = os10.homedir()) {
             // Combined hook: runs ingest + error-recall in one Node process.
             // Eliminates a cold-start cycle per tool call (~3-6s savings on Codex).
             type: "command",
-            command: `node "${path13.join(packageRoot, "dist", "hooks", "post-tool-combined.js")}"${logSuffix}`
+            command: `node "${path14.join(packageRoot, "dist", "hooks", "post-tool-combined.js")}"${logSuffix}`
           }
         ]
       },
@@ -4093,7 +4669,7 @@ async function mergeCodexHooks(packageRoot, homeDir = os10.homedir()) {
             // Single hook: prompt-submit handles memory retrieval + entity boost.
             // exe-heartbeat-hook is CC-specific (intercom) — omitted on Codex.
             type: "command",
-            command: `node "${path13.join(packageRoot, "dist", "hooks", "prompt-submit.js")}"${logSuffix}`
+            command: `node "${path14.join(packageRoot, "dist", "hooks", "prompt-submit.js")}"${logSuffix}`
           }
         ]
       },
@@ -4105,7 +4681,7 @@ async function mergeCodexHooks(packageRoot, homeDir = os10.homedir()) {
         hooks: [
           {
             type: "command",
-            command: `node "${path13.join(packageRoot, "dist", "hooks", "stop.js")}"${logSuffix}`
+            command: `node "${path14.join(packageRoot, "dist", "hooks", "stop.js")}"${logSuffix}`
           }
         ]
       },
@@ -4118,7 +4694,7 @@ async function mergeCodexHooks(packageRoot, homeDir = os10.homedir()) {
         hooks: [
           {
             type: "command",
-            command: `node "${path13.join(packageRoot, "dist", "hooks", "pre-tool-use.js")}"${logSuffix}`
+            command: `node "${path14.join(packageRoot, "dist", "hooks", "pre-tool-use.js")}"${logSuffix}`
           }
         ]
       },
@@ -4127,6 +4703,16 @@ async function mergeCodexHooks(packageRoot, homeDir = os10.homedir()) {
   ];
   let added = 0;
   let skipped = 0;
+  const sessionStartGroups = hooksJson.hooks["SessionStart"];
+  if (Array.isArray(sessionStartGroups)) {
+    hooksJson.hooks["SessionStart"] = sessionStartGroups.map((g) => ({
+      ...g,
+      hooks: g.hooks.filter((h) => !h.command.includes(EXE_HOOKS.sessionStart))
+    })).filter((g) => g.hooks.length > 0);
+    if (hooksJson.hooks["SessionStart"].length === 0) {
+      delete hooksJson.hooks["SessionStart"];
+    }
+  }
   const postToolGroups = hooksJson.hooks["PostToolUse"];
   if (Array.isArray(postToolGroups)) {
     hooksJson.hooks["PostToolUse"] = postToolGroups.map((g) => ({
@@ -4156,15 +4742,13 @@ async function mergeCodexHooks(packageRoot, homeDir = os10.homedir()) {
   await writeFile5(hooksPath, JSON.stringify(hooksJson, null, 2) + "\n");
   return { added, skipped };
 }
-function verifyCodexHooks(homeDir = os10.homedir()) {
-  const hooksPath = path13.join(homeDir, ".codex", "hooks.json");
-  if (!existsSync12(hooksPath)) return false;
+function verifyCodexHooks(homeDir = os11.homedir()) {
+  const hooksPath = path14.join(homeDir, ".codex", "hooks.json");
+  if (!existsSync13(hooksPath)) return false;
   try {
-    const hooksJson = JSON.parse(
-      __require("fs").readFileSync(hooksPath, "utf-8")
-    );
+    const hooksJson = JSON.parse(readFileSync9(hooksPath, "utf-8"));
     if (!hooksJson.hooks) return false;
-    const required = ["SessionStart", "PostToolUse", "UserPromptSubmit", "Stop", "PreToolUse"];
+    const required = ["PostToolUse", "UserPromptSubmit", "Stop", "PreToolUse"];
     for (const event of required) {
       const groups = hooksJson.hooks[event];
       if (!groups || !groups.some(
@@ -4182,19 +4766,23 @@ function verifyCodexHooks(homeDir = os10.homedir()) {
     )) {
       return false;
     }
+    const sessionStartCommands = (hooksJson.hooks.SessionStart ?? []).flatMap((g) => g.hooks.map((h) => h.command));
+    if (sessionStartCommands.some((cmd) => cmd.includes(EXE_HOOKS.sessionStart))) {
+      return false;
+    }
     return true;
   } catch {
     return false;
   }
 }
-async function installCodexStatusLine(homeDir = os10.homedir()) {
+async function installCodexStatusLine(homeDir = os11.homedir()) {
   const prefs = loadPreferences(homeDir);
   if (prefs.codexStatusLine === false) return "opted-out";
-  const codexDir = path13.join(homeDir, ".codex");
-  const configPath = path13.join(codexDir, "config.toml");
+  const codexDir = path14.join(homeDir, ".codex");
+  const configPath = path14.join(codexDir, "config.toml");
   await mkdir5(codexDir, { recursive: true });
   let content = "";
-  if (existsSync12(configPath)) {
+  if (existsSync13(configPath)) {
     content = await readFile5(configPath, "utf-8");
     if (/\[tui\][\s\S]*?status_line\s*=/.test(content)) {
       return "already-configured";
@@ -4211,53 +4799,47 @@ status_line = [${DEFAULT_CODEX_STATUS_LINE.map((s) => `"${s}"`).join(", ")}]`;
   await writeFile5(configPath, content);
   return "installed";
 }
-function desiredCodexMcpSection(serverJsPath) {
+function tomlString(value) {
+  return JSON.stringify(value);
+}
+function codexHttpHeadersToml(homeDir) {
+  const headers = buildMcpHttpHeaders(homeDir);
+  return `{ ${Object.entries(headers).map(([key, value]) => `${tomlString(key)} = ${tomlString(value)}`).join(", ")} }`;
+}
+function desiredCodexMcpSection(homeDir) {
   return [
     "[mcp_servers.exe-os]",
-    `command = "node"`,
-    `args = ["${serverJsPath}"]`,
+    `url = ${tomlString(mcpHttpUrl())}`,
+    `http_headers = ${codexHttpHeadersToml(homeDir)}`,
     `startup_timeout_sec = ${CODEX_EXE_MCP_STARTUP_TIMEOUT_SEC}`,
     `tool_timeout_sec = ${CODEX_EXE_MCP_TOOL_TIMEOUT_SEC}`,
     ""
   ].join("\n");
 }
-function reconcileCodexMcpSection(sectionContent, serverJsPath) {
+function reconcileCodexMcpSection(sectionContent, homeDir) {
   const desiredLines = {
-    command: `command = "node"`,
-    args: `args = ["${serverJsPath}"]`,
+    url: `url = ${tomlString(mcpHttpUrl())}`,
+    headers: `http_headers = ${codexHttpHeadersToml(homeDir)}`,
     startup: `startup_timeout_sec = ${CODEX_EXE_MCP_STARTUP_TIMEOUT_SEC}`,
     tool: `tool_timeout_sec = ${CODEX_EXE_MCP_TOOL_TIMEOUT_SEC}`
   };
   let next = sectionContent;
-  let changed = false;
-  const replaceOrAppend = (regex, desired) => {
-    if (regex.test(next)) {
-      const updated = next.replace(regex, desired);
-      if (updated !== next) {
-        next = updated;
-        changed = true;
-      }
-      return;
-    }
-    next = next.endsWith("\n") ? `${next}${desired}
+  next = next.split("\n").filter((line) => !/^(command|args|env|type|url|http_headers|startup_timeout_sec|tool_timeout_sec)\s*=/.test(line.trim())).join("\n").replace(/\n{3,}/g, "\n\n");
+  for (const line of [desiredLines.url, desiredLines.headers, desiredLines.startup, desiredLines.tool]) {
+    next = next.endsWith("\n") ? `${next}${line}
 ` : `${next}
-${desired}
+${line}
 `;
-    changed = true;
-  };
-  replaceOrAppend(/^command\s*=.*$/m, desiredLines.command);
-  replaceOrAppend(/^args\s*=.*$/m, desiredLines.args);
-  replaceOrAppend(/^startup_timeout_sec\s*=.*$/m, desiredLines.startup);
-  replaceOrAppend(/^tool_timeout_sec\s*=.*$/m, desiredLines.tool);
-  return { content: next, changed };
-}
-async function registerCodexMcpServer(packageRoot, homeDir = os10.homedir()) {
-  const codexDir = path13.join(homeDir, ".codex");
-  const configPath = path13.join(codexDir, "config.toml");
-  const serverJsPath = path13.join(packageRoot, "dist", "mcp", "server.js");
+  }
+  return { content: next, changed: next !== sectionContent };
+}
+async function registerCodexMcpServer(packageRoot, homeDir = os11.homedir()) {
+  const codexDir = path14.join(homeDir, ".codex");
+  const configPath = path14.join(codexDir, "config.toml");
+  void packageRoot;
   await mkdir5(codexDir, { recursive: true });
   let content = "";
-  if (existsSync12(configPath)) {
+  if (existsSync13(configPath)) {
     content = await readFile5(configPath, "utf-8");
   }
   const sectionHeader = "[mcp_servers.exe-os]";
@@ -4267,7 +4849,7 @@ async function registerCodexMcpServer(packageRoot, homeDir = os10.homedir()) {
     const nextSectionMatch = afterHeader.match(/\n\[(?!mcp_servers\.exe-os)/);
     const sectionEnd = nextSectionMatch ? headerIndex + sectionHeader.length + nextSectionMatch.index : content.length;
     const sectionContent = content.slice(headerIndex, sectionEnd);
-    const reconciled = reconcileCodexMcpSection(sectionContent, serverJsPath);
+    const reconciled = reconcileCodexMcpSection(sectionContent, homeDir);
     if (!reconciled.changed) {
       return "already-registered";
     }
@@ -4275,17 +4857,17 @@ async function registerCodexMcpServer(packageRoot, homeDir = os10.homedir()) {
     await writeFile5(configPath, content);
     return "updated";
   }
-  const newSection = desiredCodexMcpSection(serverJsPath);
+  const newSection = desiredCodexMcpSection(homeDir);
   const separator = content.length > 0 && !content.endsWith("\n") ? "\n\n" : content.length > 0 ? "\n" : "";
   content = content + separator + newSection;
   await writeFile5(configPath, content);
   return "registered";
 }
-async function ensureCodexHooksFeature(homeDir = os10.homedir()) {
-  const configPath = path13.join(homeDir, ".codex", "config.toml");
-  await mkdir5(path13.join(homeDir, ".codex"), { recursive: true });
+async function ensureCodexHooksFeature(homeDir = os11.homedir()) {
+  const configPath = path14.join(homeDir, ".codex", "config.toml");
+  await mkdir5(path14.join(homeDir, ".codex"), { recursive: true });
   let content = "";
-  if (existsSync12(configPath)) {
+  if (existsSync13(configPath)) {
     content = await readFile5(configPath, "utf-8");
   }
   if (/\[features\][\s\S]*?codex_hooks\s*=\s*true/.test(content)) {
@@ -4340,6 +4922,7 @@ var init_installer2 = __esm({
     init_installer();
     init_preferences();
     init_runtime_hook_manifest();
+    init_mcp_http_config();
     DEFAULT_CODEX_STATUS_LINE = [
       "model-with-reasoning",
       "current-dir",
@@ -4366,20 +4949,20 @@ __export(agent_config_exports, {
   saveAgentConfig: () => saveAgentConfig,
   setAgentRuntime: () => setAgentRuntime
 });
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, existsSync as existsSync13 } from "fs";
-import path14 from "path";
+import { readFileSync as readFileSync10, writeFileSync as writeFileSync8, existsSync as existsSync14 } from "fs";
+import path15 from "path";
 function loadAgentConfig() {
-  if (!existsSync13(AGENT_CONFIG_PATH)) return {};
+  if (!existsSync14(AGENT_CONFIG_PATH)) return {};
   try {
-    return JSON.parse(readFileSync8(AGENT_CONFIG_PATH, "utf-8"));
+    return JSON.parse(readFileSync10(AGENT_CONFIG_PATH, "utf-8"));
   } catch {
     return {};
   }
 }
 function saveAgentConfig(config) {
-  const dir = path14.dirname(AGENT_CONFIG_PATH);
+  const dir = path15.dirname(AGENT_CONFIG_PATH);
   ensurePrivateDirSync(dir);
-  writeFileSync7(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  writeFileSync8(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
   enforcePrivateFileSync(AGENT_CONFIG_PATH);
 }
 function getAgentRuntime(agentId) {
@@ -4423,7 +5006,7 @@ var init_agent_config = __esm({
     init_config();
     init_runtime_table();
     init_secure_files();
-    AGENT_CONFIG_PATH = path14.join(EXE_AI_DIR, "agent-config.json");
+    AGENT_CONFIG_PATH = path15.join(EXE_AI_DIR, "agent-config.json");
     KNOWN_RUNTIMES = {
       claude: ["claude-opus-4.6", "claude-opus-4", "claude-sonnet-4.6", "claude-sonnet-4", "claude-haiku-4.5"],
       codex: ["gpt-5.4", "gpt-5.5", "gpt-5.3-codex-spark", "o3", "o4-mini"],
@@ -4443,13 +5026,13 @@ var init_agent_config = __esm({
 });
 
 // src/bin/exe-start-codex.ts
-import os11 from "os";
-import path15 from "path";
+import os12 from "os";
+import path16 from "path";
 import {
-  existsSync as existsSync14,
-  readFileSync as readFileSync9,
-  writeFileSync as writeFileSync8,
-  mkdirSync as mkdirSync7,
+  existsSync as existsSync15,
+  readFileSync as readFileSync11,
+  writeFileSync as writeFileSync9,
+  mkdirSync as mkdirSync8,
   readdirSync as readdirSync4
 } from "fs";
 import { spawnSync } from "child_process";
@@ -4460,11 +5043,12 @@ init_database();
 
 // src/lib/keychain.ts
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync6 } from "fs";
+import { existsSync as existsSync6, statSync as statSync2 } from "fs";
 import { execSync as execSync2 } from "child_process";
 import path6 from "path";
 import os5 from "os";
-var SERVICE = "exe-mem";
+var SERVICE = "exe-os";
+var LEGACY_SERVICE = "exe-mem";
 var ACCOUNT = "master-key";
 function getKeyDir() {
   return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path6.join(os5.homedir(), ".exe-os");
@@ -4472,29 +5056,79 @@ function getKeyDir() {
 function getKeyPath() {
   return path6.join(getKeyDir(), "master.key");
 }
-function macKeychainGet() {
+function nativeKeychainAllowed() {
+  return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
+}
+var linuxSecretAvailability = null;
+function linuxSecretAvailable() {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "linux") return false;
+  if (linuxSecretAvailability !== null) return linuxSecretAvailability;
+  try {
+    execSync2("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
+  } catch {
+    linuxSecretAvailability = false;
+    return false;
+  }
+  try {
+    execSync2("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
+    linuxSecretAvailability = true;
+  } catch {
+    linuxSecretAvailability = false;
+  }
+  return linuxSecretAvailability;
+}
+function isRootOnlyTrustedServerKeyFile(keyPath) {
+  if (process.platform !== "linux") return false;
+  try {
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
+    const st = statSync2(keyPath);
+    if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    if (uid === 0) return true;
+    const exeOsDir = process.env.EXE_OS_DIR;
+    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+  } catch {
+    return false;
+  }
+}
+function macKeychainGet(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return null;
   if (process.platform !== "darwin") return null;
   try {
     return execSync2(
-      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
       { encoding: "utf-8", timeout: 5e3 }
     ).trim();
   } catch {
     return null;
   }
 }
-function macKeychainSet(value) {
+function macKeychainSet(value, service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "darwin") return false;
   try {
     try {
       execSync2(
-        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
         { timeout: 5e3 }
       );
     } catch {
     }
     execSync2(
-      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function macKeychainDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "darwin") return false;
+  try {
+    execSync2(
+      `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -4502,22 +5136,35 @@ function macKeychainSet(value) {
     return false;
   }
 }
-function linuxSecretGet() {
-  if (process.platform !== "linux") return null;
+function linuxSecretGet(service = SERVICE) {
+  if (!linuxSecretAvailable()) return null;
   try {
     return execSync2(
-      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { encoding: "utf-8", timeout: 5e3 }
     ).trim();
   } catch {
     return null;
   }
 }
-function linuxSecretSet(value) {
+function linuxSecretSet(value, service = SERVICE) {
+  if (!linuxSecretAvailable()) return false;
+  try {
+    execSync2(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function linuxSecretDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "linux") return false;
   try {
     execSync2(
-      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -4526,6 +5173,7 @@ function linuxSecretSet(value) {
   }
 }
 async function tryKeytar() {
+  if (!nativeKeychainAllowed()) return null;
   try {
     return await import("keytar");
   } catch {
@@ -4551,8 +5199,8 @@ function deriveMachineKey() {
 }
 function readMachineId() {
   try {
-    const { readFileSync: readFileSync10 } = __require("fs");
-    return readFileSync10("/etc/machine-id", "utf-8").trim();
+    const { readFileSync: readFileSync12 } = __require("fs");
+    return readFileSync12("/etc/machine-id", "utf-8").trim();
   } catch {
     return "";
   }
@@ -4600,7 +5248,19 @@ async function writeMachineBoundFileFallback(b64) {
   return "plaintext";
 }
 async function getMasterKey() {
-  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  let nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (!nativeValue) {
+    const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
+    if (legacyValue) {
+      const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
+      if (migrated) {
+        macKeychainDelete(LEGACY_SERVICE);
+        linuxSecretDelete(LEGACY_SERVICE);
+        process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
+      }
+      nativeValue = legacyValue;
+    }
+  }
   if (nativeValue) {
     return Buffer.from(nativeValue, "base64");
   }
@@ -4608,12 +5268,17 @@ async function getMasterKey() {
   if (keytar) {
     try {
       const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (keytarValue) {
-        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+      const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
+      if (legacyKeytarValue) {
+        const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
         if (migrated) {
           process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+          try {
+            await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
+          } catch {
+          }
         }
-        return Buffer.from(keytarValue, "base64");
+        return Buffer.from(legacyKeytarValue, "base64");
       }
     } catch {
     }
@@ -4638,7 +5303,7 @@ async function getMasterKey() {
       const decrypted = decryptWithMachineKey(content, machineKey);
       if (!decrypted) {
         process.stderr.write(
-          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase during setup: exe-os setup\n"
         );
         return null;
       }
@@ -4647,6 +5312,9 @@ async function getMasterKey() {
       b64Value = content;
     }
     const key = Buffer.from(b64Value, "base64");
+    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+      return key;
+    }
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -5013,6 +5681,11 @@ async function flushBatch() {
       await insertMemoryCardsForBatch2(batch);
     } catch {
     }
+    try {
+      const { insertOntologyForBatch: insertOntologyForBatch2 } = await Promise.resolve().then(() => (init_agentic_ontology(), agentic_ontology_exports));
+      await insertOntologyForBatch2(batch);
+    } catch {
+    }
     schedulePostWriteMemoryHygiene(batch.map((row) => row.id));
     _pendingRecords.splice(0, batch.length);
     try {
@@ -5081,7 +5754,7 @@ import {
   existsSync as existsSync8,
   mkdirSync as mkdirSync3,
   readdirSync as readdirSync2,
-  statSync as statSync3,
+  statSync as statSync4,
   unlinkSync as unlinkSync3,
   writeFileSync as writeFileSync3
 } from "fs";
@@ -5153,7 +5826,7 @@ function sweepStaleBehaviorExports(now = Date.now()) {
   for (const entry of entries) {
     const filePath = path8.join(BEHAVIORS_EXPORT_DIR, entry);
     try {
-      const stat = statSync3(filePath);
+      const stat = statSync4(filePath);
       if (now - stat.mtimeMs > STALE_EXPORT_AGE_MS) {
         unlinkSync3(filePath);
       }
@@ -5231,7 +5904,7 @@ When done with a task: call update_task with status "done" and a result summary.
 Always call store_memory to persist important decisions.
 `;
 function resolveAgent(argv) {
-  const invokedAs = path15.basename(argv[1] ?? "");
+  const invokedAs = path16.basename(argv[1] ?? "");
   if (invokedAs && invokedAs !== "exe-start-codex" && !invokedAs.endsWith(".js")) {
     const agent2 = invokedAs.replace(/-codex$/, "").toLowerCase();
     return { agent: agent2, passthrough: argv.slice(2) };
@@ -5257,24 +5930,24 @@ function resolveAgent(argv) {
   return { agent, passthrough, sessionName };
 }
 function loadIdentity(agent) {
-  const dir = path15.join(os11.homedir(), ".exe-os", "identity");
-  const exact = path15.join(dir, `${agent}.md`);
-  if (existsSync14(exact)) {
-    const content = readFileSync9(exact, "utf-8").trim();
+  const dir = path16.join(os12.homedir(), ".exe-os", "identity");
+  const exact = path16.join(dir, `${agent}.md`);
+  if (existsSync15(exact)) {
+    const content = readFileSync11(exact, "utf-8").trim();
     if (content) return content;
   }
   try {
     const files = readdirSync4(dir);
     const match = files.find((f) => f.toLowerCase() === `${agent.toLowerCase()}.md`);
     if (match) {
-      const content = readFileSync9(path15.join(dir, match), "utf-8").trim();
+      const content = readFileSync11(path16.join(dir, match), "utf-8").trim();
       if (content) return content;
     }
   } catch {
   }
   try {
-    const rosterPath = path15.join(os11.homedir(), ".exe-os", "exe-employees.json");
-    const roster = JSON.parse(readFileSync9(rosterPath, "utf8"));
+    const rosterPath = path16.join(os12.homedir(), ".exe-os", "exe-employees.json");
+    const roster = JSON.parse(readFileSync11(rosterPath, "utf8"));
     const emp = roster.find((e) => e.name.toLowerCase() === agent.toLowerCase());
     if (emp?.systemPrompt && emp.systemPrompt.trim().length > 20) {
       return emp.systemPrompt;
@@ -5284,22 +5957,22 @@ function loadIdentity(agent) {
   return null;
 }
 function writePromptFile(agent, identity, behaviorsPath, globalProcedures) {
-  const promptDir = path15.join(os11.homedir(), ".exe-os", "codex-prompt");
-  mkdirSync7(promptDir, { recursive: true });
+  const promptDir = path16.join(os12.homedir(), ".exe-os", "codex-prompt");
+  mkdirSync8(promptDir, { recursive: true });
   let prompt = "";
   if (globalProcedures) {
     prompt += globalProcedures + "\n\n";
   }
   prompt += identity;
-  if (behaviorsPath && existsSync14(behaviorsPath)) {
-    const behaviors = readFileSync9(behaviorsPath, "utf-8").trim();
+  if (behaviorsPath && existsSync15(behaviorsPath)) {
+    const behaviors = readFileSync11(behaviorsPath, "utf-8").trim();
     if (behaviors) {
       prompt += "\n\n" + behaviors;
     }
   }
   prompt += "\n" + BOOT_INSTRUCTIONS;
-  const outPath = path15.join(promptDir, `${agent}.md`);
-  writeFileSync8(outPath, prompt, "utf-8");
+  const outPath = path16.join(promptDir, `${agent}.md`);
+  writeFileSync9(outPath, prompt, "utf-8");
   return outPath;
 }
 async function main() {
@@ -5390,8 +6063,8 @@ async function main() {
   process.env.EXE_RUNTIME = "codex";
   const empRole = (() => {
     try {
-      const emps = readFileSync9(
-        path15.join(os11.homedir(), ".exe-os", "exe-employees.json"),
+      const emps = readFileSync11(
+        path16.join(os12.homedir(), ".exe-os", "exe-employees.json"),
         "utf-8"
       );
       const found = JSON.parse(emps).find(
@@ -5428,14 +6101,14 @@ async function main() {
   if (WORKTREE_ROLES.has(empRole)) {
     try {
       const { execSync: es } = await import("child_process");
-      const worktreeDir = path15.join(process.cwd(), ".worktrees", worktreeName);
+      const worktreeDir = path16.join(process.cwd(), ".worktrees", worktreeName);
       const branchName = `${worktreeName}/codex-${Date.now()}`;
-      if (existsSync14(worktreeDir)) {
+      if (existsSync15(worktreeDir)) {
         worktreePath = worktreeDir;
         process.stderr.write(`[exe-start-codex] Reusing worktree at ${worktreeDir}
 `);
       } else {
-        mkdirSync7(path15.dirname(worktreeDir), { recursive: true });
+        mkdirSync8(path16.dirname(worktreeDir), { recursive: true });
         es(`git worktree add "${worktreeDir}" -b "${branchName}" HEAD`, {
           encoding: "utf-8",
           timeout: 3e4