@askexenow/exe-os 0.9.65 → 0.9.67

package/dist/bin/{exe-link.js → agentic-semantic-label.js}

@@ -15,334 +15,77 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
-// src/lib/keychain.ts
-var keychain_exports = {};
-__export(keychain_exports, {
-  deleteMasterKey: () => deleteMasterKey,
-  exportMnemonic: () => exportMnemonic,
-  getMasterKey: () => getMasterKey,
-  importMnemonic: () => importMnemonic,
-  setMasterKey: () => setMasterKey
-});
-import { readFile, writeFile, unlink, mkdir, chmod } from "fs/promises";
-import { existsSync } from "fs";
-import { execSync } from "child_process";
-import path from "path";
-import os from "os";
-function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path.join(os.homedir(), ".exe-os");
-}
-function getKeyPath() {
-  return path.join(getKeyDir(), "master.key");
-}
-function macKeychainGet() {
-  if (process.platform !== "darwin") return null;
-  try {
-    return execSync(
-      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
-      { encoding: "utf-8", timeout: 5e3 }
-    ).trim();
-  } catch {
-    return null;
-  }
-}
-function macKeychainSet(value) {
-  if (process.platform !== "darwin") return false;
-  try {
-    try {
-      execSync(
-        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
-        { timeout: 5e3 }
-      );
-    } catch {
-    }
-    execSync(
-      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
-      { timeout: 5e3 }
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-function macKeychainDelete() {
-  if (process.platform !== "darwin") return false;
-  try {
-    execSync(
-      `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
-      { timeout: 5e3 }
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-function linuxSecretGet() {
-  if (process.platform !== "linux") return null;
-  try {
-    return execSync(
-      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
-      { encoding: "utf-8", timeout: 5e3 }
-    ).trim();
-  } catch {
-    return null;
-  }
-}
-function linuxSecretSet(value) {
-  if (process.platform !== "linux") return false;
-  try {
-    execSync(
-      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
-      { timeout: 5e3 }
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-function linuxSecretDelete() {
-  if (process.platform !== "linux") return false;
-  try {
-    execSync(
-      `secret-tool clear service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
-      { timeout: 5e3 }
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function tryKeytar() {
-  try {
-    return await import("keytar");
-  } catch {
-    return null;
-  }
-}
-function deriveMachineKey() {
-  try {
-    const crypto4 = __require("crypto");
-    const material = [
-      os.hostname(),
-      os.userInfo().username,
-      os.arch(),
-      os.platform(),
-      // Machine ID on Linux (stable across reboots)
-      process.platform === "linux" ? readMachineId() : ""
-    ].join("|");
-    return crypto4.createHash("sha256").update(material).digest();
-  } catch {
-    return null;
-  }
-}
-function readMachineId() {
-  try {
-    const { readFileSync: readFileSync8 } = __require("fs");
-    return readFileSync8("/etc/machine-id", "utf-8").trim();
-  } catch {
-    return "";
+// src/types/memory.ts
+var EMBEDDING_DIM;
+var init_memory = __esm({
+  "src/types/memory.ts"() {
+    "use strict";
+    EMBEDDING_DIM = 1024;
   }
-}
-function encryptWithMachineKey(plaintext, machineKey) {
-  const crypto4 = __require("crypto");
-  const iv = crypto4.randomBytes(12);
-  const cipher = crypto4.createCipheriv("aes-256-gcm", machineKey, iv);
-  let encrypted = cipher.update(plaintext, "utf-8", "base64");
-  encrypted += cipher.final("base64");
-  const authTag = cipher.getAuthTag().toString("base64");
-  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
-}
-function decryptWithMachineKey(encrypted, machineKey) {
-  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
-  try {
-    const crypto4 = __require("crypto");
-    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
-    if (parts.length !== 3) return null;
-    const [ivB64, tagB64, cipherB64] = parts;
-    const iv = Buffer.from(ivB64, "base64");
-    const authTag = Buffer.from(tagB64, "base64");
-    const decipher = crypto4.createDecipheriv("aes-256-gcm", machineKey, iv);
-    decipher.setAuthTag(authTag);
-    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
-    decrypted += decipher.final("utf-8");
-    return decrypted;
-  } catch {
-    return null;
+});
+
+// src/lib/db-retry.ts
+function isBusyError(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
   }
+  return false;
 }
-async function writeMachineBoundFileFallback(b64) {
-  const dir = getKeyDir();
-  await mkdir(dir, { recursive: true });
-  const keyPath = getKeyPath();
-  const machineKey = deriveMachineKey();
-  if (machineKey) {
-    const encrypted = encryptWithMachineKey(b64, machineKey);
-    await writeFile(keyPath, encrypted + "\n", "utf-8");
-    await chmod(keyPath, 384);
-    return "encrypted";
-  }
-  await writeFile(keyPath, b64 + "\n", "utf-8");
-  await chmod(keyPath, 384);
-  return "plaintext";
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
 }
-async function getMasterKey() {
-  const nativeValue = macKeychainGet() ?? linuxSecretGet();
-  if (nativeValue) {
-    return Buffer.from(nativeValue, "base64");
-  }
-  const keytar = await tryKeytar();
-  if (keytar) {
+async function retryOnBusy(fn, label) {
+  let lastError;
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
     try {
-      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (keytarValue) {
-        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
-        if (migrated) {
-          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
-        }
-        return Buffer.from(keytarValue, "base64");
-      }
-    } catch {
-    }
-  }
-  const keyPath = getKeyPath();
-  if (!existsSync(keyPath)) {
-    process.stderr.write(
-      `[keychain] Key not found at ${keyPath} (HOME=${os.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
-`
-    );
-    return null;
-  }
-  try {
-    const content = (await readFile(keyPath, "utf-8")).trim();
-    let b64Value;
-    if (content.startsWith(ENCRYPTED_PREFIX)) {
-      const machineKey = deriveMachineKey();
-      if (!machineKey) {
-        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
-        return null;
-      }
-      const decrypted = decryptWithMachineKey(content, machineKey);
-      if (!decrypted) {
-        process.stderr.write(
-          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
-        );
-        return null;
-      }
-      b64Value = decrypted;
-    } else {
-      b64Value = content;
-    }
-    const key = Buffer.from(b64Value, "base64");
-    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
-    if (migrated) {
-      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
-      try {
-        await unlink(keyPath);
-        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
-      } catch {
-      }
-    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
-      const fallback = await writeMachineBoundFileFallback(b64Value);
-      if (fallback === "encrypted") {
-        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
-      } else {
-        process.stderr.write(
-          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
-        );
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (!isBusyError(err) || attempt === MAX_RETRIES) {
+        throw err;
       }
-    }
-    return key;
-  } catch (err) {
-    process.stderr.write(
-      `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
+      const backoff = BASE_DELAY_MS * Math.pow(2, attempt);
+      const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
+      process.stderr.write(
+        `[exe-os] SQLITE_BUSY ${label} retry ${attempt + 1}/${MAX_RETRIES} \u2014 waiting ${backoff + jitter}ms
 `
-    );
-    return null;
-  }
-}
-async function setMasterKey(key) {
-  const b64 = key.toString("base64");
-  if (macKeychainSet(b64) || linuxSecretSet(b64)) {
-    return;
-  }
-  const keytar = await tryKeytar();
-  if (keytar) {
-    try {
-      await keytar.setPassword(SERVICE, ACCOUNT, b64);
-      return;
-    } catch {
+      );
+      await delay(backoff + jitter);
     }
   }
-  const fallback = await writeMachineBoundFileFallback(b64);
-  if (fallback === "encrypted") {
-    process.stderr.write("[keychain] Key stored encrypted (machine-bound).\n");
-  } else {
-    process.stderr.write(
-      "[keychain] WARNING: Key stored in plaintext file \u2014 no OS keychain available.\n"
-    );
-  }
+  throw lastError;
 }
-async function deleteMasterKey() {
-  macKeychainDelete();
-  linuxSecretDelete();
-  const keytar = await tryKeytar();
-  if (keytar) {
-    try {
-      await keytar.deletePassword(SERVICE, ACCOUNT);
-    } catch {
+function wrapWithRetry(client) {
+  return new Proxy(client, {
+    get(target, prop, receiver) {
+      if (prop === "execute") {
+        return (sql) => retryOnBusy(() => target.execute(sql), "execute");
+      }
+      if (prop === "batch") {
+        return (stmts, mode) => retryOnBusy(() => target.batch(stmts, mode), "batch");
+      }
+      return Reflect.get(target, prop, receiver);
     }
-  }
-  const keyPath = getKeyPath();
-  if (existsSync(keyPath)) {
-    await unlink(keyPath);
-  }
-}
-async function loadBip39() {
-  try {
-    return await import("bip39");
-  } catch {
-    throw new Error(
-      "bip39 package not found. Run: npm install -g bip39\nOr reinstall exe-os: npm install -g @askexenow/exe-os"
-    );
-  }
-}
-async function exportMnemonic(key) {
-  if (key.length !== 32) {
-    throw new Error(`Key must be 32 bytes, got ${key.length}`);
-  }
-  const { entropyToMnemonic } = await loadBip39();
-  return entropyToMnemonic(key.toString("hex"));
-}
-async function importMnemonic(mnemonic) {
-  const trimmed = mnemonic.trim();
-  const words = trimmed.split(/\s+/);
-  if (words.length !== 24) {
-    throw new Error(`Expected 24 words, got ${words.length}`);
-  }
-  const { validateMnemonic, mnemonicToEntropy } = await loadBip39();
-  if (!validateMnemonic(trimmed)) {
-    throw new Error("Invalid mnemonic \u2014 check for typos or missing words");
-  }
-  const entropy = mnemonicToEntropy(trimmed);
-  return Buffer.from(entropy, "hex");
+  });
 }
-var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
-var init_keychain = __esm({
-  "src/lib/keychain.ts"() {
+var MAX_RETRIES, BASE_DELAY_MS, MAX_JITTER_MS;
+var init_db_retry = __esm({
+  "src/lib/db-retry.ts"() {
     "use strict";
-    SERVICE = "exe-mem";
-    ACCOUNT = "master-key";
-    ENCRYPTED_PREFIX = "enc:";
+    MAX_RETRIES = 5;
+    BASE_DELAY_MS = 250;
+    MAX_JITTER_MS = 400;
   }
 });
 
 // src/lib/secure-files.ts
-import { chmodSync, existsSync as existsSync2, mkdirSync } from "fs";
-import { chmod as chmod2, mkdir as mkdir2 } from "fs/promises";
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { chmod, mkdir } from "fs/promises";
 async function ensurePrivateDir(dirPath) {
-  await mkdir2(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  await mkdir(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
   try {
-    await chmod2(dirPath, PRIVATE_DIR_MODE);
+    await chmod(dirPath, PRIVATE_DIR_MODE);
   } catch {
   }
 }
@@ -355,13 +98,13 @@ function ensurePrivateDirSync(dirPath) {
 }
 async function enforcePrivateFile(filePath) {
   try {
-    await chmod2(filePath, PRIVATE_FILE_MODE);
+    await chmod(filePath, PRIVATE_FILE_MODE);
   } catch {
   }
 }
 function enforcePrivateFileSync(filePath) {
   try {
-    if (existsSync2(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
+    if (existsSync(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
   } catch {
   }
 }
@@ -375,31 +118,16 @@ var init_secure_files = __esm({
 });
 
 // src/lib/config.ts
-var config_exports = {};
-__export(config_exports, {
-  CONFIG_MIGRATIONS: () => CONFIG_MIGRATIONS,
-  CONFIG_PATH: () => CONFIG_PATH,
-  CURRENT_CONFIG_VERSION: () => CURRENT_CONFIG_VERSION,
-  DB_PATH: () => DB_PATH,
-  EXE_AI_DIR: () => EXE_AI_DIR,
-  LEGACY_LANCE_PATH: () => LEGACY_LANCE_PATH,
-  MODELS_DIR: () => MODELS_DIR,
-  loadConfig: () => loadConfig,
-  loadConfigFrom: () => loadConfigFrom,
-  loadConfigSync: () => loadConfigSync,
-  migrateConfig: () => migrateConfig,
-  saveConfig: () => saveConfig
-});
-import { readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
-import { readFileSync, existsSync as existsSync3, renameSync } from "fs";
-import path2 from "path";
-import os2 from "os";
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
+import path from "path";
+import os from "os";
 function resolveDataDir() {
   if (process.env.EXE_OS_DIR) return process.env.EXE_OS_DIR;
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
-  const newDir = path2.join(os2.homedir(), ".exe-os");
-  const legacyDir = path2.join(os2.homedir(), ".exe-mem");
-  if (!existsSync3(newDir) && existsSync3(legacyDir)) {
+  const newDir = path.join(os.homedir(), ".exe-os");
+  const legacyDir = path.join(os.homedir(), ".exe-mem");
+  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
       process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
@@ -460,14 +188,19 @@ function normalizeAutoUpdate(raw) {
   const userAU = raw.autoUpdate ?? {};
   raw.autoUpdate = { ...defaultAU, ...userAU };
 }
+function normalizeOrchestration(raw) {
+  const defaultOrg = DEFAULT_CONFIG.orchestration;
+  const userOrg = raw.orchestration ?? {};
+  raw.orchestration = { ...defaultOrg, ...userOrg };
+}
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   await ensurePrivateDir(dir);
-  const configPath = path2.join(dir, "config.json");
-  if (!existsSync3(configPath)) {
-    return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
+  const configPath = path.join(dir, "config.json");
+  if (!existsSync2(configPath)) {
+    return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
   }
-  const raw = await readFile2(configPath, "utf-8");
+  const raw = await readFile(configPath, "utf-8");
   try {
     let parsed = JSON.parse(raw);
     parsed = migrateLegacyConfig(parsed);
@@ -476,7 +209,7 @@ async function loadConfig() {
       process.stderr.write(`[exe-os] Config migrated from v${fromVersion} to v${migratedCfg.config_version}
 `);
       try {
-        await writeFile2(configPath, JSON.stringify(migratedCfg, null, 2) + "\n");
+        await writeFile(configPath, JSON.stringify(migratedCfg, null, 2) + "\n");
         await enforcePrivateFile(configPath);
       } catch {
       }
@@ -484,53 +217,18 @@ async function loadConfig() {
     normalizeScalingRoadmap(migratedCfg);
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
-    const config = { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
+    normalizeOrchestration(migratedCfg);
+    const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
-      config.dbPath = config.dbPath.replace(/^~/, os2.homedir());
+      config.dbPath = config.dbPath.replace(/^~/, os.homedir());
+    }
+    const envDbPath = path.join(dir, "memories.db");
+    if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
+      config.dbPath = envDbPath;
     }
     return config;
   } catch {
-    return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
-  }
-}
-function loadConfigSync() {
-  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  const configPath = path2.join(dir, "config.json");
-  if (!existsSync3(configPath)) {
-    return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
-  }
-  try {
-    const raw = readFileSync(configPath, "utf-8");
-    let parsed = JSON.parse(raw);
-    parsed = migrateLegacyConfig(parsed);
-    const { config: migratedCfg } = migrateConfig(parsed);
-    normalizeScalingRoadmap(migratedCfg);
-    normalizeSessionLifecycle(migratedCfg);
-    normalizeAutoUpdate(migratedCfg);
-    return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db"), ...migratedCfg };
-  } catch {
-    return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
-  }
-}
-async function saveConfig(config) {
-  const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await ensurePrivateDir(dir);
-  const configPath = path2.join(dir, "config.json");
-  await writeFile2(configPath, JSON.stringify(config, null, 2) + "\n");
-  await enforcePrivateFile(configPath);
-}
-async function loadConfigFrom(configPath) {
-  const raw = await readFile2(configPath, "utf-8");
-  try {
-    let parsed = JSON.parse(raw);
-    parsed = migrateLegacyConfig(parsed);
-    const { config: migratedCfg } = migrateConfig(parsed);
-    normalizeScalingRoadmap(migratedCfg);
-    normalizeSessionLifecycle(migratedCfg);
-    normalizeAutoUpdate(migratedCfg);
-    return { ...DEFAULT_CONFIG, ...migratedCfg };
-  } catch {
-    return { ...DEFAULT_CONFIG };
+    return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
   }
 }
 var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CONFIG_VERSION, DEFAULT_CONFIG, CONFIG_MIGRATIONS;
@@ -539,10 +237,10 @@ var init_config = __esm({
     "use strict";
     init_secure_files();
     EXE_AI_DIR = resolveDataDir();
-    DB_PATH = path2.join(EXE_AI_DIR, "memories.db");
-    MODELS_DIR = path2.join(EXE_AI_DIR, "models");
-    CONFIG_PATH = path2.join(EXE_AI_DIR, "config.json");
-    LEGACY_LANCE_PATH = path2.join(EXE_AI_DIR, "local.lance");
+    DB_PATH = path.join(EXE_AI_DIR, "memories.db");
+    MODELS_DIR = path.join(EXE_AI_DIR, "models");
+    CONFIG_PATH = path.join(EXE_AI_DIR, "config.json");
+    LEGACY_LANCE_PATH = path.join(EXE_AI_DIR, "local.lance");
     CURRENT_CONFIG_VERSION = 1;
     DEFAULT_CONFIG = {
       config_version: CURRENT_CONFIG_VERSION,
@@ -599,6 +297,10 @@ var init_config = __esm({
         checkOnBoot: true,
         autoInstall: false,
         checkIntervalMs: 24 * 60 * 60 * 1e3
+      },
+      orchestration: {
+        phase: "phase_1_coo",
+        phaseSetBy: "default"
       }
     };
     CONFIG_MIGRATIONS = [
@@ -614,126 +316,12 @@ var init_config = __esm({
   }
 });
 
-// src/lib/crypto.ts
-var crypto_exports = {};
-__export(crypto_exports, {
-  decryptSyncBlob: () => decryptSyncBlob,
-  encryptSyncBlob: () => encryptSyncBlob,
-  initSyncCrypto: () => initSyncCrypto,
-  isSyncCryptoInitialized: () => isSyncCryptoInitialized
-});
-import crypto from "crypto";
-function initSyncCrypto(masterKey) {
-  if (masterKey.length !== 32) {
-    throw new Error(`Master key must be 32 bytes, got ${masterKey.length}`);
-  }
-  _syncKey = Buffer.from(
-    crypto.hkdfSync("sha256", masterKey, "", SYNC_HKDF_INFO, 32)
-  );
-}
-function isSyncCryptoInitialized() {
-  return _syncKey !== null;
-}
-function requireSyncKey() {
-  if (!_syncKey) {
-    throw new Error("Sync crypto not initialized. Call initSyncCrypto(masterKey) first.");
-  }
-  return _syncKey;
-}
-function encryptSyncBlob(data) {
-  const key = requireSyncKey();
-  const iv = crypto.randomBytes(IV_LENGTH);
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
-  const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return Buffer.concat([iv, encrypted, tag]).toString("base64");
-}
-function decryptSyncBlob(ciphertext) {
-  const key = requireSyncKey();
-  const combined = Buffer.from(ciphertext, "base64");
-  if (combined.length < IV_LENGTH + TAG_LENGTH) {
-    throw new Error("Sync blob too short to contain IV + tag");
-  }
-  const iv = combined.subarray(0, IV_LENGTH);
-  const tag = combined.subarray(combined.length - TAG_LENGTH);
-  const encrypted = combined.subarray(IV_LENGTH, combined.length - TAG_LENGTH);
-  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
-  decipher.setAuthTag(tag);
-  return Buffer.concat([decipher.update(encrypted), decipher.final()]);
-}
-var ALGORITHM, IV_LENGTH, TAG_LENGTH, SYNC_HKDF_INFO, _syncKey;
-var init_crypto = __esm({
-  "src/lib/crypto.ts"() {
-    "use strict";
-    ALGORITHM = "aes-256-gcm";
-    IV_LENGTH = 12;
-    TAG_LENGTH = 16;
-    SYNC_HKDF_INFO = "exe-mem-sync-v2";
-    _syncKey = null;
-  }
-});
-
-// src/lib/db-retry.ts
-function isBusyError(err) {
-  if (err instanceof Error) {
-    const msg = err.message.toLowerCase();
-    return msg.includes("sqlite_busy") || msg.includes("database is locked");
-  }
-  return false;
-}
-function delay(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function retryOnBusy(fn, label) {
-  let lastError;
-  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
-    try {
-      return await fn();
-    } catch (err) {
-      lastError = err;
-      if (!isBusyError(err) || attempt === MAX_RETRIES) {
-        throw err;
-      }
-      const backoff = BASE_DELAY_MS * Math.pow(2, attempt);
-      const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
-      process.stderr.write(
-        `[exe-os] SQLITE_BUSY ${label} retry ${attempt + 1}/${MAX_RETRIES} \u2014 waiting ${backoff + jitter}ms
-`
-      );
-      await delay(backoff + jitter);
-    }
-  }
-  throw lastError;
-}
-function wrapWithRetry(client) {
-  return new Proxy(client, {
-    get(target, prop, receiver) {
-      if (prop === "execute") {
-        return (sql) => retryOnBusy(() => target.execute(sql), "execute");
-      }
-      if (prop === "batch") {
-        return (stmts, mode) => retryOnBusy(() => target.batch(stmts, mode), "batch");
-      }
-      return Reflect.get(target, prop, receiver);
-    }
-  });
-}
-var MAX_RETRIES, BASE_DELAY_MS, MAX_JITTER_MS;
-var init_db_retry = __esm({
-  "src/lib/db-retry.ts"() {
-    "use strict";
-    MAX_RETRIES = 5;
-    BASE_DELAY_MS = 250;
-    MAX_JITTER_MS = 400;
-  }
-});
-
 // src/lib/employees.ts
-import { readFile as readFile3, writeFile as writeFile3, mkdir as mkdir3 } from "fs/promises";
-import { existsSync as existsSync4, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
-import { execSync as execSync2 } from "child_process";
-import path3 from "path";
-import os3 from "os";
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { execSync } from "child_process";
+import path2 from "path";
+import os2 from "os";
 function normalizeRole(role) {
   return (role ?? "").trim().toLowerCase();
 }
@@ -746,84 +334,29 @@ function getCoordinatorEmployee(employees) {
 function getCoordinatorName(employees = loadEmployeesSync()) {
   return getCoordinatorEmployee(employees)?.name ?? DEFAULT_COORDINATOR_TEMPLATE_NAME;
 }
-async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync4(employeesPath)) {
-    return [];
-  }
-  const raw = await readFile3(employeesPath, "utf-8");
-  try {
-    return JSON.parse(raw);
-  } catch {
-    return [];
-  }
-}
-async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
-  await mkdir3(path3.dirname(employeesPath), { recursive: true });
-  await writeFile3(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
-}
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync4(employeesPath)) return [];
+  if (!existsSync3(employeesPath)) return [];
   try {
     return JSON.parse(readFileSync2(employeesPath, "utf-8"));
   } catch {
     return [];
   }
 }
-function findExeBin() {
-  try {
-    return execSync2(process.platform === "win32" ? "where exe-os" : "which exe-os", { encoding: "utf8" }).trim();
-  } catch {
-    return null;
-  }
-}
-function registerBinSymlinks(name) {
-  const created = [];
-  const skipped = [];
-  const errors = [];
-  const exeBinPath = findExeBin();
-  if (!exeBinPath) {
-    errors.push("Could not find 'exe-os' in PATH");
-    return { created, skipped, errors };
-  }
-  const binDir = path3.dirname(exeBinPath);
-  let target;
-  try {
-    target = readlinkSync(exeBinPath);
-  } catch {
-    errors.push("Could not read 'exe' symlink");
-    return { created, skipped, errors };
-  }
-  for (const suffix of ["", "-opencode"]) {
-    const linkName = `${name}${suffix}`;
-    const linkPath = path3.join(binDir, linkName);
-    if (existsSync4(linkPath)) {
-      skipped.push(linkName);
-      continue;
-    }
-    try {
-      symlinkSync(target, linkPath);
-      created.push(linkName);
-    } catch (err) {
-      errors.push(`${linkName}: ${err instanceof Error ? err.message : String(err)}`);
-    }
-  }
-  return { created, skipped, errors };
-}
 var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, IDENTITY_DIR;
 var init_employees = __esm({
   "src/lib/employees.ts"() {
     "use strict";
     init_config();
-    EMPLOYEES_PATH = path3.join(EXE_AI_DIR, "exe-employees.json");
+    EMPLOYEES_PATH = path2.join(EXE_AI_DIR, "exe-employees.json");
     DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
     COORDINATOR_ROLE = "COO";
-    IDENTITY_DIR = path3.join(EXE_AI_DIR, "identity");
+    IDENTITY_DIR = path2.join(EXE_AI_DIR, "identity");
   }
 });
 
 // src/lib/database-adapter.ts
-import os4 from "os";
-import path4 from "path";
+import os3 from "os";
+import path3 from "path";
 import { createRequire } from "module";
 import { pathToFileURL } from "url";
 function quotedIdentifier(identifier) {
@@ -1134,8 +667,8 @@ async function loadPrismaClient() {
         }
         return new PrismaClient2();
       }
-      const exeDbRoot = process.env.EXE_DB_ROOT ?? path4.join(os4.homedir(), "exe-db");
-      const requireFromExeDb = createRequire(path4.join(exeDbRoot, "package.json"));
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path3.join(os3.homedir(), "exe-db");
+      const requireFromExeDb = createRequire(path3.join(exeDbRoot, "package.json"));
       const prismaEntry = requireFromExeDb.resolve("@prisma/client");
       const module = await import(pathToFileURL(prismaEntry).href);
       const PrismaClient = module.PrismaClient ?? module.default?.PrismaClient;
@@ -1405,19 +938,10 @@ var init_database_adapter = __esm({
   }
 });
 
-// src/types/memory.ts
-var EMBEDDING_DIM;
-var init_memory = __esm({
-  "src/types/memory.ts"() {
-    "use strict";
-    EMBEDDING_DIM = 1024;
-  }
-});
-
 // src/lib/daemon-auth.ts
-import crypto2 from "crypto";
-import path5 from "path";
-import { existsSync as existsSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import crypto from "crypto";
+import path4 from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
 function normalizeToken(token) {
   if (!token) return null;
   const trimmed = token.trim();
@@ -1425,7 +949,7 @@ function normalizeToken(token) {
 }
 function readDaemonToken() {
   try {
-    if (!existsSync5(DAEMON_TOKEN_PATH)) return null;
+    if (!existsSync4(DAEMON_TOKEN_PATH)) return null;
     return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
   } catch {
     return null;
@@ -1434,7 +958,7 @@ function readDaemonToken() {
 function ensureDaemonToken(seed) {
   const existing = readDaemonToken();
   if (existing) return existing;
-  const token = normalizeToken(seed) ?? crypto2.randomBytes(32).toString("hex");
+  const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
   ensurePrivateDirSync(EXE_AI_DIR);
   writeFileSync2(DAEMON_TOKEN_PATH, `${token}
 `, "utf8");
@@ -1447,18 +971,18 @@ var init_daemon_auth = __esm({
     "use strict";
     init_config();
     init_secure_files();
-    DAEMON_TOKEN_PATH = path5.join(EXE_AI_DIR, "exed.token");
+    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
   }
 });
 
 // src/lib/exe-daemon-client.ts
 import net from "net";
-import os5 from "os";
+import os4 from "os";
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync6, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
-import path6 from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
+import { existsSync as existsSync5, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
+import path5 from "path";
+import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
   if (_buffer.length > MAX_BUFFER) {
@@ -1485,7 +1009,7 @@ function handleData(chunk) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync6(PID_PATH)) {
+  if (existsSync5(PID_PATH)) {
     try {
       const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
@@ -1508,11 +1032,11 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path6.dirname(fileURLToPath2(import.meta.url));
-  const { root } = path6.parse(dir);
+  let dir = path5.dirname(fileURLToPath(import.meta.url));
+  const { root } = path5.parse(dir);
   while (dir !== root) {
-    if (existsSync6(path6.join(dir, "package.json"))) return dir;
-    dir = path6.dirname(dir);
+    if (existsSync5(path5.join(dir, "package.json"))) return dir;
+    dir = path5.dirname(dir);
   }
   return null;
 }
@@ -1532,14 +1056,14 @@ function getAvailableMemoryGB() {
       const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
       return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
     } catch {
-      return os5.freemem() / (1024 * 1024 * 1024);
+      return os4.freemem() / (1024 * 1024 * 1024);
     }
   }
-  return os5.freemem() / (1024 * 1024 * 1024);
+  return os4.freemem() / (1024 * 1024 * 1024);
 }
 function spawnDaemon() {
   const freeGB = getAvailableMemoryGB();
-  const totalGB = os5.totalmem() / (1024 * 1024 * 1024);
+  const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
@@ -1559,8 +1083,8 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path6.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync6(daemonPath)) {
+  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync5(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
@@ -1569,7 +1093,7 @@ function spawnDaemon() {
   const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path6.join(path6.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -1719,9 +1243,9 @@ var init_exe_daemon_client = __esm({
     "use strict";
     init_config();
     init_daemon_auth();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path6.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path6.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path6.join(EXE_AI_DIR, "exed-spawn.lock");
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
@@ -2009,6 +1533,9 @@ function getClient() {
   if (_daemonClient && _daemonClient._isDaemonActive()) {
     return _daemonClient;
   }
+  if (!_resilientClient) {
+    return _adapterClient;
+  }
   return _resilientClient;
 }
 async function initDaemonClient() {
@@ -3041,6 +2568,127 @@ async function ensureSchema() {
       VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
     END;
   `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS agent_sessions (
+      id              TEXT PRIMARY KEY,
+      agent_id        TEXT NOT NULL,
+      project_name    TEXT,
+      started_at      TEXT NOT NULL,
+      last_event_at   TEXT NOT NULL,
+      event_count     INTEGER NOT NULL DEFAULT 0,
+      properties      TEXT DEFAULT '{}'
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
+      ON agent_sessions(agent_id, started_at);
+
+    CREATE TABLE IF NOT EXISTS agent_goals (
+      id                TEXT PRIMARY KEY,
+      statement         TEXT NOT NULL,
+      owner_agent_id    TEXT,
+      project_name      TEXT,
+      status            TEXT NOT NULL DEFAULT 'open',
+      priority          INTEGER NOT NULL DEFAULT 5,
+      success_criteria  TEXT,
+      parent_goal_id    TEXT,
+      due_at            TEXT,
+      achieved_at       TEXT,
+      supersedes_id     TEXT,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL,
+      source_memory_id  TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
+      ON agent_goals(project_name, status, priority);
+
+    CREATE TABLE IF NOT EXISTS agent_events (
+      id                  TEXT PRIMARY KEY,
+      event_type          TEXT NOT NULL,
+      occurred_at         TEXT NOT NULL,
+      sequence_index      INTEGER NOT NULL,
+      actor_agent_id      TEXT,
+      agent_role          TEXT,
+      project_name        TEXT,
+      session_id          TEXT,
+      task_id             TEXT,
+      goal_id             TEXT,
+      parent_event_id     TEXT,
+      intention           TEXT,
+      outcome             TEXT,
+      evidence_memory_id  TEXT,
+      impact              TEXT,
+      payload             TEXT DEFAULT '{}',
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_time
+      ON agent_events(occurred_at, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
+      ON agent_events(session_id, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
+      ON agent_events(goal_id, occurred_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_memory
+      ON agent_events(evidence_memory_id);
+
+    CREATE TABLE IF NOT EXISTS agent_goal_links (
+      id           TEXT PRIMARY KEY,
+      goal_id      TEXT NOT NULL,
+      link_type    TEXT NOT NULL,
+      target_id    TEXT NOT NULL,
+      target_type  TEXT NOT NULL,
+      created_at   TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
+      ON agent_goal_links(goal_id, target_type);
+
+    CREATE TABLE IF NOT EXISTS agent_semantic_labels (
+      id                TEXT PRIMARY KEY,
+      source_memory_id  TEXT NOT NULL,
+      event_id          TEXT,
+      labeler           TEXT NOT NULL,
+      schema_version    INTEGER NOT NULL DEFAULT 1,
+      confidence        REAL NOT NULL DEFAULT 0,
+      labels            TEXT NOT NULL,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
+      ON agent_semantic_labels(source_memory_id, labeler);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
+      ON agent_semantic_labels(event_id);
+
+    CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
+      id                  TEXT PRIMARY KEY,
+      project_name        TEXT,
+      session_id          TEXT,
+      window_start_at     TEXT NOT NULL,
+      window_end_at       TEXT NOT NULL,
+      event_count         INTEGER NOT NULL DEFAULT 0,
+      goal_count          INTEGER NOT NULL DEFAULT 0,
+      success_count       INTEGER NOT NULL DEFAULT 0,
+      failure_count       INTEGER NOT NULL DEFAULT 0,
+      risk_count          INTEGER NOT NULL DEFAULT 0,
+      summary             TEXT NOT NULL,
+      learnings           TEXT NOT NULL DEFAULT '[]',
+      next_actions        TEXT NOT NULL DEFAULT '[]',
+      evidence_event_ids  TEXT NOT NULL DEFAULT '[]',
+      confidence          REAL NOT NULL DEFAULT 0,
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
+      ON agent_reflection_checkpoints(project_name, window_end_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
+      ON agent_reflection_checkpoints(session_id, window_end_at);
+  `);
   try {
     await client.execute({
       sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -3188,1719 +2836,1430 @@ var init_database = __esm({
   }
 });
 
-// src/lib/compress.ts
-import { brotliCompressSync, brotliDecompressSync, constants } from "zlib";
-function compress(input) {
-  if (input.length === 0) return Buffer.alloc(0);
-  return brotliCompressSync(input, {
-    params: {
-      [constants.BROTLI_PARAM_QUALITY]: 4
-    }
+// src/lib/shard-manager.ts
+var shard_manager_exports = {};
+__export(shard_manager_exports, {
+  auditShardHealth: () => auditShardHealth,
+  disposeShards: () => disposeShards,
+  ensureShardSchema: () => ensureShardSchema,
+  getOpenShardCount: () => getOpenShardCount,
+  getReadyShardClient: () => getReadyShardClient,
+  getShardClient: () => getShardClient,
+  getShardsDir: () => getShardsDir,
+  initShardManager: () => initShardManager,
+  isShardingEnabled: () => isShardingEnabled,
+  listShards: () => listShards,
+  shardExists: () => shardExists
+});
+import path7 from "path";
+import { existsSync as existsSync7, mkdirSync as mkdirSync2, readdirSync, renameSync as renameSync3, statSync as statSync3 } from "fs";
+import { createClient as createClient2 } from "@libsql/client";
+function initShardManager(encryptionKey) {
+  _encryptionKey = encryptionKey;
+  if (!existsSync7(SHARDS_DIR)) {
+    mkdirSync2(SHARDS_DIR, { recursive: true });
+  }
+  _shardingEnabled = true;
+  if (_evictionTimer) clearInterval(_evictionTimer);
+  _evictionTimer = setInterval(evictIdleShards, EVICTION_INTERVAL_MS);
+  _evictionTimer.unref();
+}
+function isShardingEnabled() {
+  return _shardingEnabled;
+}
+function getShardsDir() {
+  return SHARDS_DIR;
+}
+function getShardClient(projectName) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const safeName = safeShardName(projectName);
+  if (!safeName || safeName === "unknown") {
+    throw new Error(`Invalid project name for shard: "${projectName}" (resolved to "${safeName}")`);
+  }
+  const cached = _shards.get(safeName);
+  if (cached) {
+    _shardLastAccess.set(safeName, Date.now());
+    return cached;
+  }
+  while (_shards.size >= MAX_OPEN_SHARDS) {
+    evictLRU();
+  }
+  const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
+  const client = createClient2({
+    url: `file:${dbPath}`,
+    encryptionKey: _encryptionKey
   });
+  _shards.set(safeName, client);
+  _shardLastAccess.set(safeName, Date.now());
+  return client;
 }
-function decompress(input) {
-  if (input.length === 0) return Buffer.alloc(0);
-  return brotliDecompressSync(input);
+function shardExists(projectName) {
+  const safeName = safeShardName(projectName);
+  return existsSync7(path7.join(SHARDS_DIR, `${safeName}.db`));
+}
+function safeShardName(projectName) {
+  return projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
+}
+function listShards() {
+  if (!existsSync7(SHARDS_DIR)) return [];
+  return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
+}
+async function auditShardHealth(options = {}) {
+  if (!_encryptionKey) {
+    throw new Error("Shard manager not initialized. Call initShardManager() first.");
+  }
+  const repair = options.repair === true;
+  const dryRun = options.dryRun === true;
+  const names = listShards();
+  const shards = [];
+  for (const name of names) {
+    const dbPath = path7.join(SHARDS_DIR, `${name}.db`);
+    const stat = statSync3(dbPath);
+    const item = {
+      name,
+      path: dbPath,
+      ok: false,
+      unreadable: false,
+      error: null,
+      size: stat.size,
+      mtime: stat.mtime.toISOString(),
+      memoryCount: null
+    };
+    const client = createClient2({
+      url: `file:${dbPath}`,
+      encryptionKey: _encryptionKey
+    });
+    try {
+      await client.execute("SELECT COUNT(*) as cnt FROM sqlite_schema");
+      const hasMemories = await client.execute(
+        "SELECT COUNT(*) as cnt FROM sqlite_schema WHERE type = 'table' AND name = 'memories'"
+      );
+      if (Number(hasMemories.rows[0]?.cnt ?? 0) > 0) {
+        const mem = await client.execute("SELECT COUNT(*) as cnt FROM memories");
+        item.memoryCount = Number(mem.rows[0]?.cnt ?? 0);
+      }
+      item.ok = true;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      item.error = message;
+      item.unreadable = /SQLITE_NOTADB|file is not a database/i.test(message);
+      if (item.unreadable && repair && !dryRun) {
+        client.close();
+        _shards.delete(name);
+        _shardLastAccess.delete(name);
+        const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const archivedPath = path7.join(SHARDS_DIR, `${name}.db.broken-${stamp}`);
+        renameSync3(dbPath, archivedPath);
+        item.archivedPath = archivedPath;
+      }
+    } finally {
+      try {
+        client.close();
+      } catch {
+      }
+    }
+    shards.push(item);
+  }
+  return {
+    total: shards.length,
+    ok: shards.filter((s) => s.ok).length,
+    unreadable: shards.filter((s) => s.unreadable).length,
+    archived: shards.filter((s) => Boolean(s.archivedPath)).length,
+    shards
+  };
 }
-var init_compress = __esm({
-  "src/lib/compress.ts"() {
-    "use strict";
+async function ensureShardSchema(client) {
+  await client.execute("PRAGMA journal_mode = WAL");
+  await client.execute("PRAGMA busy_timeout = 30000");
+  try {
+    await client.execute("PRAGMA libsql_vector_search_ef = 128");
+  } catch {
   }
-});
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS memories (
+      id            TEXT PRIMARY KEY,
+      agent_id      TEXT NOT NULL,
+      agent_role    TEXT NOT NULL,
+      session_id    TEXT NOT NULL,
+      timestamp     TEXT NOT NULL,
+      tool_name     TEXT NOT NULL,
+      project_name  TEXT NOT NULL,
+      has_error     INTEGER NOT NULL DEFAULT 0,
+      raw_text      TEXT NOT NULL,
+      vector        F32_BLOB(1024),
+      version       INTEGER NOT NULL DEFAULT 0
+    );
 
-// src/lib/license.ts
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, existsSync as existsSync7, mkdirSync as mkdirSync2 } from "fs";
-import { randomUUID as randomUUID2 } from "crypto";
-import { createRequire as createRequire2 } from "module";
-import { pathToFileURL as pathToFileURL2 } from "url";
-import os6 from "os";
-import path7 from "path";
-import { jwtVerify, importSPKI } from "jose";
-function loadDeviceId() {
-  const deviceJsonPath = path7.join(EXE_AI_DIR, "device.json");
-  try {
-    if (existsSync7(deviceJsonPath)) {
-      const data = JSON.parse(readFileSync5(deviceJsonPath, "utf8"));
-      if (data.deviceId) return data.deviceId;
+    CREATE INDEX IF NOT EXISTS idx_memories_agent ON memories(agent_id);
+    CREATE INDEX IF NOT EXISTS idx_memories_timestamp ON memories(timestamp);
+    CREATE INDEX IF NOT EXISTS idx_memories_agent_project ON memories(agent_id, project_name);
+  `);
+  await client.executeMultiple(`
+    CREATE VIRTUAL TABLE IF NOT EXISTS memories_fts USING fts5(
+      raw_text,
+      content='memories',
+      content_rowid='rowid'
+    );
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ai AFTER INSERT ON memories BEGIN
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_ad AFTER DELETE ON memories BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS memories_fts_au AFTER UPDATE ON memories BEGIN
+      INSERT INTO memories_fts(memories_fts, rowid, raw_text) VALUES('delete', old.rowid, old.raw_text);
+      INSERT INTO memories_fts(rowid, raw_text) VALUES (new.rowid, new.raw_text);
+    END;
+  `);
+  for (const col of [
+    "ALTER TABLE memories ADD COLUMN task_id TEXT",
+    "ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN author_device_id TEXT",
+    "ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'",
+    "ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5",
+    "ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'",
+    "ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN graph_extracted INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN content_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN graph_extracted_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN confidence REAL DEFAULT 0.7",
+    "ALTER TABLE memories ADD COLUMN last_accessed TEXT",
+    // Wiki linkage columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN workspace_id TEXT",
+    "ALTER TABLE memories ADD COLUMN document_id TEXT",
+    "ALTER TABLE memories ADD COLUMN user_id TEXT",
+    "ALTER TABLE memories ADD COLUMN char_offset INTEGER",
+    "ALTER TABLE memories ADD COLUMN page_number INTEGER",
+    // Source provenance columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN source_path TEXT",
+    "ALTER TABLE memories ADD COLUMN source_type TEXT DEFAULT 'text'",
+    "ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3",
+    "ALTER TABLE memories ADD COLUMN supersedes_id TEXT",
+    // MS-11: draft staging, MS-6a: memory_type, MS-7: trajectory
+    "ALTER TABLE memories ADD COLUMN draft INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'",
+    "ALTER TABLE memories ADD COLUMN trajectory TEXT",
+    // Metadata enrichment columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN intent TEXT",
+    "ALTER TABLE memories ADD COLUMN outcome TEXT",
+    "ALTER TABLE memories ADD COLUMN domain TEXT",
+    "ALTER TABLE memories ADD COLUMN referenced_entities TEXT",
+    "ALTER TABLE memories ADD COLUMN retrieval_count INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN chain_position TEXT",
+    "ALTER TABLE memories ADD COLUMN review_status TEXT",
+    "ALTER TABLE memories ADD COLUMN context_window_pct INTEGER",
+    "ALTER TABLE memories ADD COLUMN file_paths TEXT",
+    "ALTER TABLE memories ADD COLUMN commit_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN duration_ms INTEGER",
+    "ALTER TABLE memories ADD COLUMN token_cost REAL",
+    "ALTER TABLE memories ADD COLUMN audience TEXT",
+    "ALTER TABLE memories ADD COLUMN language_type TEXT",
+    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT",
+    "ALTER TABLE memories ADD COLUMN deleted_at TEXT"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
     }
-  } catch {
   }
-  try {
-    if (existsSync7(DEVICE_ID_PATH)) {
-      const id2 = readFileSync5(DEVICE_ID_PATH, "utf8").trim();
-      if (id2) return id2;
+  for (const idx of [
+    "CREATE INDEX IF NOT EXISTS idx_memories_tier ON memories(tier)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_supersedes ON memories(supersedes_id) WHERE supersedes_id IS NOT NULL",
+    "CREATE INDEX IF NOT EXISTS idx_memories_scoped_content_hash ON memories(content_hash, agent_id, project_name, memory_type) WHERE content_hash IS NOT NULL"
+  ]) {
+    try {
+      await client.execute(idx);
+    } catch {
     }
+  }
+  try {
+    await client.execute("CREATE INDEX IF NOT EXISTS idx_memories_status ON memories(status)");
   } catch {
   }
-  const id = randomUUID2();
-  mkdirSync2(EXE_AI_DIR, { recursive: true });
-  writeFileSync3(DEVICE_ID_PATH, id, "utf8");
-  return id;
-}
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH;
-var init_license = __esm({
-  "src/lib/license.ts"() {
-    "use strict";
-    init_config();
-    LICENSE_PATH = path7.join(EXE_AI_DIR, "license.key");
-    CACHE_PATH = path7.join(EXE_AI_DIR, "license-cache.json");
-    DEVICE_ID_PATH = path7.join(EXE_AI_DIR, "device-id");
+  for (const idx of [
+    "CREATE INDEX IF NOT EXISTS idx_memories_workspace ON memories(workspace_id)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_document ON memories(document_id)",
+    "CREATE INDEX IF NOT EXISTS idx_memories_user ON memories(user_id)"
+  ]) {
+    try {
+      await client.execute(idx);
+    } catch {
+    }
   }
-});
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS entities (
+      id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      type TEXT NOT NULL,
+      first_seen TEXT NOT NULL,
+      last_seen TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(name, type)
+    );
 
-// src/lib/crdt-sync.ts
-var crdt_sync_exports = {};
-__export(crdt_sync_exports, {
-  _setStatePath: () => _setStatePath,
-  applyRemoteUpdate: () => applyRemoteUpdate,
-  destroyCrdtDoc: () => destroyCrdtDoc,
-  getDiffUpdate: () => getDiffUpdate,
-  getFullState: () => getFullState,
-  getStateVector: () => getStateVector,
-  importExistingBehaviors: () => importExistingBehaviors,
-  importExistingMemories: () => importExistingMemories,
-  initCrdtDoc: () => initCrdtDoc,
-  isCrdtSyncEnabled: () => isCrdtSyncEnabled,
-  onUpdate: () => onUpdate,
-  readAllBehaviors: () => readAllBehaviors,
-  readAllMemories: () => readAllMemories,
-  rebuildFromDb: () => rebuildFromDb
-});
-import * as Y from "yjs";
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, existsSync as existsSync8, mkdirSync as mkdirSync3, unlinkSync as unlinkSync3 } from "fs";
-import path8 from "path";
-import { homedir } from "os";
-function getStatePath() {
-  return _statePathOverride ?? DEFAULT_STATE_PATH;
-}
-function _setStatePath(p) {
-  _statePathOverride = p;
-}
-function initCrdtDoc() {
-  if (doc) return doc;
-  doc = new Y.Doc();
-  const sp = getStatePath();
-  if (existsSync8(sp)) {
+    CREATE TABLE IF NOT EXISTS relationships (
+      id TEXT PRIMARY KEY,
+      source_entity_id TEXT NOT NULL,
+      target_entity_id TEXT NOT NULL,
+      type TEXT NOT NULL,
+      weight REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL,
+      properties TEXT DEFAULT '{}',
+      UNIQUE(source_entity_id, target_entity_id, type)
+    );
+
+    CREATE TABLE IF NOT EXISTS entity_memories (
+      entity_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (entity_id, memory_id)
+    );
+
+    CREATE TABLE IF NOT EXISTS relationship_memories (
+      relationship_id TEXT NOT NULL,
+      memory_id TEXT NOT NULL,
+      PRIMARY KEY (relationship_id, memory_id)
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_entities_name ON entities(name);
+    CREATE INDEX IF NOT EXISTS idx_entities_type ON entities(type);
+    CREATE INDEX IF NOT EXISTS idx_relationships_source ON relationships(source_entity_id);
+    CREATE INDEX IF NOT EXISTS idx_relationships_target ON relationships(target_entity_id);
+    CREATE INDEX IF NOT EXISTS idx_relationships_type ON relationships(type);
+
+    CREATE TABLE IF NOT EXISTS hyperedges (
+      id TEXT PRIMARY KEY,
+      label TEXT NOT NULL,
+      relation TEXT NOT NULL,
+      confidence REAL DEFAULT 1.0,
+      timestamp TEXT NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS hyperedge_nodes (
+      hyperedge_id TEXT NOT NULL,
+      entity_id TEXT NOT NULL,
+      PRIMARY KEY (hyperedge_id, entity_id)
+    );
+  `);
+  for (const col of [
+    "ALTER TABLE relationships ADD COLUMN confidence REAL DEFAULT 1.0",
+    "ALTER TABLE relationships ADD COLUMN confidence_label TEXT DEFAULT 'extracted'"
+  ]) {
     try {
-      const state = readFileSync6(sp);
-      Y.applyUpdate(doc, new Uint8Array(state));
+      await client.execute(col);
     } catch {
-      console.warn("[crdt-sync] WARN: corrupted state file, rebuilding from DB");
-      try {
-        unlinkSync3(sp);
-      } catch {
-      }
-      rebuildFromDb().catch((err) => {
-        console.warn("[crdt-sync] rebuild from DB failed:", err);
-      });
     }
   }
-  doc.on("update", () => {
-    persistState();
-  });
-  return doc;
-}
-function getMemoriesMap() {
-  const d = initCrdtDoc();
-  return d.getMap("memories");
-}
-function getBehaviorsMap() {
-  const d = initCrdtDoc();
-  return d.getMap("behaviors");
-}
-function applyRemoteUpdate(update) {
-  const d = initCrdtDoc();
-  Y.applyUpdate(d, update);
-}
-function getFullState() {
-  const d = initCrdtDoc();
-  return Y.encodeStateAsUpdate(d);
-}
-function getDiffUpdate(remoteStateVector) {
-  const d = initCrdtDoc();
-  return Y.encodeStateAsUpdate(d, remoteStateVector);
-}
-function getStateVector() {
-  const d = initCrdtDoc();
-  return Y.encodeStateVector(d);
-}
-function importExistingMemories(memories) {
-  const map = getMemoriesMap();
-  const d = initCrdtDoc();
-  let imported = 0;
-  d.transact(() => {
-    for (const mem of memories) {
-      if (!mem.id) continue;
-      if (map.has(mem.id)) continue;
-      const entry = new Y.Map();
-      entry.set("id", mem.id);
-      entry.set("agent_id", mem.agent_id ?? null);
-      entry.set("agent_role", mem.agent_role ?? null);
-      entry.set("session_id", mem.session_id ?? null);
-      entry.set("timestamp", mem.timestamp ?? null);
-      entry.set("tool_name", mem.tool_name ?? null);
-      entry.set("project_name", mem.project_name ?? null);
-      entry.set("has_error", mem.has_error ?? 0);
-      entry.set("raw_text", mem.raw_text ?? "");
-      entry.set("version", mem.version ?? 0);
-      entry.set("author_device_id", mem.author_device_id ?? null);
-      entry.set("scope", mem.scope ?? "business");
-      map.set(mem.id, entry);
-      imported++;
+}
+async function getReadyShardClient(projectName) {
+  const safeName = safeShardName(projectName);
+  let client = getShardClient(projectName);
+  try {
+    await ensureShardSchema(client);
+    return client;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (!/SQLITE_NOTADB|file is not a database/i.test(message)) throw err;
+    client.close();
+    _shards.delete(safeName);
+    _shardLastAccess.delete(safeName);
+    const dbPath = path7.join(SHARDS_DIR, `${safeName}.db`);
+    if (existsSync7(dbPath)) {
+      const stat = statSync3(dbPath);
+      const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+      const archivedPath = path7.join(SHARDS_DIR, `${safeName}.db.broken-${stamp}`);
+      renameSync3(dbPath, archivedPath);
+      process.stderr.write(
+        `[shard-manager] Archived unreadable shard ${safeName}: ${archivedPath} (${stat.size} bytes, mtime ${stat.mtime.toISOString()})
+`
+      );
     }
-  });
-  return imported;
-}
-function importExistingBehaviors(behaviors) {
-  const map = getBehaviorsMap();
-  const d = initCrdtDoc();
-  let imported = 0;
-  d.transact(() => {
-    for (const beh of behaviors) {
-      if (!beh.id) continue;
-      if (map.has(beh.id)) continue;
-      const entry = new Y.Map();
-      entry.set("id", beh.id);
-      entry.set("agent_id", beh.agent_id ?? null);
-      entry.set("project_name", beh.project_name ?? null);
-      entry.set("domain", beh.domain ?? null);
-      entry.set("content", beh.content ?? null);
-      entry.set("active", beh.active ?? 1);
-      entry.set("priority", beh.priority ?? "p1");
-      entry.set("created_at", beh.created_at ?? null);
-      entry.set("updated_at", beh.updated_at ?? null);
-      map.set(beh.id, entry);
-      imported++;
+    client = getShardClient(projectName);
+    await ensureShardSchema(client);
+    return client;
+  }
+}
+function evictLRU() {
+  let oldest = null;
+  let oldestTime = Infinity;
+  for (const [name, time] of _shardLastAccess) {
+    if (time < oldestTime) {
+      oldestTime = time;
+      oldest = name;
     }
+  }
+  if (oldest) {
+    const client = _shards.get(oldest);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(oldest);
+    _shardLastAccess.delete(oldest);
+  }
+}
+function evictIdleShards() {
+  const now = Date.now();
+  const toEvict = [];
+  for (const [name, lastAccess] of _shardLastAccess) {
+    if (now - lastAccess > SHARD_IDLE_MS) {
+      toEvict.push(name);
+    }
+  }
+  for (const name of toEvict) {
+    const client = _shards.get(name);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(name);
+    _shardLastAccess.delete(name);
+  }
+}
+function getOpenShardCount() {
+  return _shards.size;
+}
+function disposeShards() {
+  if (_evictionTimer) {
+    clearInterval(_evictionTimer);
+    _evictionTimer = null;
+  }
+  for (const [, client] of _shards) {
+    client.close();
+  }
+  _shards.clear();
+  _shardLastAccess.clear();
+  _shardingEnabled = false;
+  _encryptionKey = null;
+}
+var SHARDS_DIR, SHARD_IDLE_MS, MAX_OPEN_SHARDS, EVICTION_INTERVAL_MS, _shards, _shardLastAccess, _evictionTimer, _encryptionKey, _shardingEnabled;
+var init_shard_manager = __esm({
+  "src/lib/shard-manager.ts"() {
+    "use strict";
+    init_config();
+    SHARDS_DIR = path7.join(EXE_AI_DIR, "shards");
+    SHARD_IDLE_MS = 5 * 60 * 1e3;
+    MAX_OPEN_SHARDS = 10;
+    EVICTION_INTERVAL_MS = 60 * 1e3;
+    _shards = /* @__PURE__ */ new Map();
+    _shardLastAccess = /* @__PURE__ */ new Map();
+    _evictionTimer = null;
+    _encryptionKey = null;
+    _shardingEnabled = false;
+  }
+});
+
+// src/lib/platform-procedures.ts
+var PLATFORM_PROCEDURES, PLATFORM_PROCEDURE_TITLES;
+var init_platform_procedures = __esm({
+  "src/lib/platform-procedures.ts"() {
+    "use strict";
+    PLATFORM_PROCEDURES = [
+      // --- Foundation: what is exe-os ---
+      {
+        title: "What is exe-os \u2014 the operating model every agent must understand",
+        domain: "architecture",
+        priority: "p0",
+        content: "Exe OS is an AI employee operating system. A founder runs 5-10 AI agents as a real org: COO, CTO, CMO, engineers, and content production specialists. Each agent has identity, expertise, and experience layers \u2014 persistent memory that makes them better over time. All data is local-first, E2EE, owned by the user. The MCP server is the ONLY data interface \u2014 never access the DB directly."
+      },
+      {
+        title: "Mode 1 \u2014 how exe-os runs inside Claude Code",
+        domain: "architecture",
+        priority: "p0",
+        content: "Mode 1: exe-os runs AS hooks + MCP + skills inside Claude Code, Codex, or OpenCode. The founder picks their default tool at setup. The COO manages employees in tmux sessions. Each coordinator session is a separate window/project. Employees run in their own tmux panes via create_task auto-spawn. The founder talks to the COO; the COO orchestrates the team. The tool is the shell, exe-os is the brain."
+      },
+      {
+        title: "Sessions explained \u2014 coordinator session names and projects",
+        domain: "architecture",
+        priority: "p0",
+        content: "Each coordinator session is an isolated project session. One might be exe-os development, another might be exe-wiki. Each session spawns its own employees using {employee}-{coordinatorSession}. Sessions share the same memory DB but tasks are scoped to the session that created them. A founder can run multiple projects simultaneously. Sessions never interfere with each other."
+      },
+      {
+        title: "Runtime settings \u2014 COO can view and change tools per agent",
+        domain: "workflow",
+        priority: "p1",
+        content: "exe-os supports three tools: Claude Code (Anthropic), Codex (OpenAI), and OpenCode (open source, 75+ providers). Each agent can use a different tool and model. COO uses set_agent_config MCP tool to view or change settings. Call with no args to show all agents. Call with agent_id + runtime + model to change. Users can also run `exe-os settings` from terminal for interactive arrow-key selection."
+      },
+      // --- Hierarchy and dispatch ---
+      {
+        title: "Chain of command \u2014 who talks to whom",
+        domain: "workflow",
+        priority: "p0",
+        content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
+      },
+      {
+        title: "Customer orchestration maturity \u2014 recommend, never trap",
+        domain: "workflow",
+        priority: "p1",
+        content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
+      },
+      {
+        title: "Single dispatch path \u2014 create_task only",
+        domain: "workflow",
+        priority: "p0",
+        content: "create_task is the ONLY way to dispatch work to another agent. No direct ensureEmployee calls, no manual tmux spawns, no send_message for actionable work. create_task \u2192 system auto-spawns \u2192 session correctly named. ONE PATH. No backdoors. No exceptions."
+      },
+      // --- Session isolation ---
+      {
+        title: "Session scoping \u2014 stay in your coordinator boundary",
+        domain: "security",
+        priority: "p0",
+        content: "Session scoping is mandatory. Managers dispatch to workers within their own coordinator session ONLY. Employee sessions use {employee}-{coordinatorSession}. Cross-session dispatch is blocked by the system. Verify session names before dispatch. Tasks are scoped to the creating coordinator session."
+      },
+      {
+        title: "Session isolation \u2014 never touch another session's work",
+        domain: "workflow",
+        priority: "p0",
+        content: "Sessions are isolated. A coordinator session owns ONLY tasks it dispatched. (1) Never close/update/cancel tasks from another coordinator session. (2) Never review work from a different session \u2014 report that it belongs to another session and skip. (3) Ignore other sessions' items in list_tasks results. (4) Employees inherit session: employee sessions work ONLY on their parent coordinator session's tasks. Cross-session work is a system violation."
+      },
+      // --- Engineering: session scoping in code ---
+      {
+        title: "Three-dimensional scoping \u2014 session, project, role \u2014 enforced in every query",
+        domain: "architecture",
+        priority: "p0",
+        content: "Every DB query, notification, review count, and task operation MUST be scoped on 3 dimensions: (1) Session \u2014 filter by session_scope matching the current coordinator session. (2) Project \u2014 filter by project_name. (3) Role \u2014 agents only see data at their hierarchy level. When writing ANY function that touches tasks, reviews, messages, or notifications: always accept a sessionScope parameter and pass it to the SQL WHERE clause. Unscoped queries are bugs. Test by running 2+ coordinator sessions simultaneously."
+      },
+      // --- Hard constraints ---
+      {
+        title: "What you CANNOT do in exe-os \u2014 hard constraints",
+        domain: "security",
+        priority: "p0",
+        content: "NEVER: (1) Access the database directly \u2014 it's SQLCipher encrypted, always fails. Use MCP tools only. (2) Manually spawn tmux sessions \u2014 create_task handles it. (3) Run git checkout main \u2014 agents work in worktrees. (4) Modify another agent's in-progress task. (5) Push to remote \u2014 the COO reviews and pushes. (6) Skip update_task(done) \u2014 it's the ONLY way your work gets reviewed. (7) Run git init."
+      },
+      {
+        title: "Customer patch triage \u2014 upstream bug vs customization",
+        domain: "support",
+        priority: "p0",
+        content: "When an agent encounters a suspected Exe OS bug, update breakage, MCP/tool failure, installer issue, memory/orchestration defect, or customer-local patch need, it MUST use create_bug_report. Do this before or alongside any local workaround so the report reaches AskExe support directly via the customer's license. Classify first: upstream_bug = reproducible exe-os/platform defect; customer_customization = identity, behavior, procedure, config, branding, workflow preference that belongs in customer-owned layers; emergency_hotfix = temporary local patch. For upstream bugs/emergency hotfixes include version, repro steps, expected/actual, files changed, workaround, and local diff summary. Avoid permanent platform-code patches unless founder approves; if a hotfix is unavoidable, document it in the bug report and re-check after npm update."
+      },
+      // --- Operations ---
+      {
+        title: "Managers must supervise deployed workers",
+        domain: "workflow",
+        priority: "p0",
+        content: `Every manager (COO/CTO/CMO) who dispatches work to a worker MUST actively monitor them. Check tmux capture-pane every 10 minutes. Verify they're working, not stuck. If idle at prompt with in_progress task \u2192 send intercom. If stuck \u2192 unblock or escalate. "Standing by" without checking is negligence.`
+      },
+      {
+        title: "COO boot health check \u2014 memory, cloud sync, daemon on every launch",
+        domain: "workflow",
+        priority: "p0",
+        content: "On every /exe boot, COO MUST check system health BEFORE other work: (1) daemon \u2014 is exed PID alive, (2) cloud sync \u2014 grep workers.log for recent cloud-sync errors, (3) memory count \u2014 total in DB, (4) sync delta \u2014 local vs cloud storage_bytes. Report as 4-line status table. If ANY check fails, surface to founder immediately. Do not proceed to tasks until health confirmed."
+      },
+      {
+        title: "exe-build-adv mandatory for 3+ files",
+        domain: "workflow",
+        priority: "p0",
+        content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
+      },
+      {
+        title: "Commit discipline \u2014 never leave verified work floating",
+        domain: "workflow",
+        priority: "p1",
+        content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
+      },
+      {
+        title: "Desktop and TUI are the same product",
+        domain: "architecture",
+        priority: "p0",
+        content: "Desktop and TUI are the SAME product in different renderers. Same data contracts, same interactions, same acceptance criteria. Desktop tab specs in ARCHITECTURE.md ARE the TUI specs. When building TUI, cross-reference Desktop spec. Different tab names, identical behavior. Never treat them as separate products."
+      },
+      // --- Orchestration golden path ---
+      {
+        title: "Task lifecycle \u2014 the golden path every agent follows",
+        domain: "workflow",
+        priority: "p0",
+        content: "create_task is dispatch + delivery. Task lifecycle: open \u2192 in_progress (you start) \u2192 done (update_task when finished) \u2192 needs_review (reviewer nudged) \u2192 closed (COO only via close_task). DB is the reliable delivery \u2014 intercom is just a speedup nudge. If you finish a task, self-chain: check for next task immediately (step 7). Never wait for a nudge. Never say 'standing by.'"
+      },
+      {
+        title: "Intercom is a speedup, not delivery \u2014 DB is the source of truth",
+        domain: "architecture",
+        priority: "p0",
+        content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
+      },
+      // --- MCP is the ONLY data interface ---
+      {
+        title: "MCP disconnect \u2014 ask the user, never work around it",
+        domain: "workflow",
+        priority: "p0",
+        content: "If MCP tools are unavailable, disconnected, or returning connection errors: STOP. Tell the user clearly: 'MCP server is disconnected. Please run /mcp to reconnect.' Do NOT attempt workarounds \u2014 no raw Node imports, no direct DB access, no CLI hacks, no daemon socket calls. MCP is the ONLY data interface. Working around it wastes time, hits bundling issues, and bypasses the contract boundary. Ask once, wait, proceed when reconnected."
+      },
+      // --- MCP Tool Catalog (Layer 0 — every agent knows what tools exist) ---
+      {
+        title: "MCP tools \u2014 memory and search",
+        domain: "tool-use",
+        priority: "p1",
+        content: "recall_my_memory: search your own memories (semantic + FTS). ask_team_memory: search a colleague's memories by agent name. store_memory: persist a memory (decisions, summaries, context). commit_memory: high-importance memory that survives consolidation. search_everything: unified search across memories, tasks, entities, conversations. get_session_context: temporal window of memories around a timestamp. consolidate_memories: merge duplicate/related memories into insights. get_memory_cardinality: count memories per agent (health check)."
+      },
+      {
+        title: "MCP tools \u2014 task orchestration",
+        domain: "tool-use",
+        priority: "p1",
+        content: "create_task: dispatch work to an employee (auto-spawns session). The ONLY dispatch path. list_tasks: query tasks by status, assignee, project. get_task: fetch full task details by ID. update_task: change status (in_progress, done, blocked, cancelled) + add result summary. close_task: finalize a reviewed task (COO only). checkpoint_task: save progress state for crash recovery. resume_employee: re-spawn an employee session for an existing task."
+      },
+      {
+        title: "MCP tools \u2014 knowledge graph (GraphRAG)",
+        domain: "tool-use",
+        priority: "p1",
+        content: "query_relationships: find connections between entities in the knowledge graph. get_entity_neighbors: explore an entity's direct connections. get_hot_entities: find most-referenced entities (trending topics). get_graph_stats: graph health \u2014 entity/relationship counts, density. export_graph: export graph data for visualization. merge_entities: deduplicate entities (alias resolution). find_similar_trajectories: match tool-call patterns to past task solutions."
+      },
+      {
+        title: "MCP tools \u2014 identity, behavior, and decisions",
+        domain: "tool-use",
+        priority: "p1",
+        content: "get_identity: read an agent's exe.md (Layer 1 identity). update_identity: write an agent's exe.md. Identity > behavior \u2014 use for permanent rules. store_behavior: record a correction or pattern for an agent (Layer 2 expertise). list_behaviors: view an agent's active behaviors. deactivate_behavior: soft-delete a stale or conflicting behavior. store_decision: record an ADR (architectural decision record). get_decision: retrieve a past decision by query. create_bug_report: customer-facing bug/support intake; use whenever an Exe OS bug or emergency hotfix is encountered so the report reaches AskExe directly. Customers only get report access; internal list/get/triage support tools are AskExe-only."
+      },
+      {
+        title: "MCP tools \u2014 communication and messaging",
+        domain: "tool-use",
+        priority: "p1",
+        content: "send_message: send supplementary context to another agent (NOT for actionable work \u2014 use create_task). acknowledge_messages: mark messages as read. send_whatsapp: send WhatsApp message via gateway (customer-facing alerts). query_conversations: search ingested conversations across all channels (WhatsApp, email, etc.)."
+      },
+      {
+        title: "MCP tools \u2014 wiki, documents, and content",
+        domain: "tool-use",
+        priority: "p1",
+        content: "wiki: read/list wiki pages only. Direct wiki write tools are removed; wiki updates flow through raw-data ingestion/projection into the curated wiki store. Legacy aliases: list_wiki_pages/get_wiki_page. crm: read/list/get CRM records from exe-db. raw_data: read capped raw landing-pad events from exe-db with payload opt-in. ingest_document: import a file (PDF, MD, etc.) into memory as chunks. list_documents: browse ingested documents by workspace. purge_document: remove a document and its memory chunks. set_document_importance: adjust chunk importance scores. rerank_documents: re-score document relevance for a query."
+      },
+      {
+        title: "MCP tools \u2014 system, operations, and admin",
+        domain: "tool-use",
+        priority: "p1",
+        content: "get_agent_spend: token usage per agent/session (cost tracking). list_agent_sessions: view agent session history. get_session_kills: audit log of killed sessions. get_daemon_health: check exed daemon status. get_auto_wake_status: daemon auto-wake configuration. get_worker_gate: check worker deployment gates. run_memory_audit: health check \u2014 duplicates, null vectors, orphaned rows. run_consolidation: trigger sleep-time memory consolidation. cloud_sync: force a cloud sync cycle. backup_vps: trigger VPS backup."
+      },
+      {
+        title: "MCP tools \u2014 config, licensing, and team",
+        domain: "tool-use",
+        priority: "p1",
+        content: "set_agent_config: view/change per-agent runtime and model settings. list_employees: view the employee roster. add_person: add a person to the CRM contacts roster. list_people: browse CRM contacts. get_person: fetch contact details. get_license_status: check license validity. create_license: generate a new license key (admin). list_licenses: view all issued licenses. activate_license: activate a license on a device."
+      },
+      {
+        title: "MCP tools \u2014 advanced (triggers, skills, orchestration)",
+        domain: "tool-use",
+        priority: "p1",
+        content: "create_trigger: set up a scheduled recurring agent job (cron). list_triggers: view active triggers. load_skill: load a slash-command skill dynamically. apply_starter_pack: import a pre-built behavior + identity pack for a role. export_orchestration: export full org state (tasks, behaviors, identities) as portable JSON. import_orchestration: import org state into a new instance. deploy_client: deploy a customer client instance. query_company_brain: unified RAG query across all company knowledge. create_reminder: set a text reminder (shown in boot brief). list_reminders: view pending reminders. complete_reminder: mark a reminder done. company_procedure: manage customer-owned company procedures (Layer 0; actions: store, list, deactivate). Legacy aliases: global_procedure, store_global_procedure, list_global_procedures, deactivate_global_procedure."
+      }
+    ];
+    PLATFORM_PROCEDURE_TITLES = new Set(
+      PLATFORM_PROCEDURES.map((p) => p.title)
+    );
+  }
+});
+
+// src/lib/global-procedures.ts
+var global_procedures_exports = {};
+__export(global_procedures_exports, {
+  deactivateGlobalProcedure: () => deactivateGlobalProcedure,
+  getGlobalProceduresBlock: () => getGlobalProceduresBlock,
+  loadGlobalProcedures: () => loadGlobalProcedures,
+  storeGlobalProcedure: () => storeGlobalProcedure
+});
+import { randomUUID as randomUUID2 } from "crypto";
+async function loadGlobalProcedures() {
+  const client = getClient();
+  const result = await client.execute({
+    sql: "SELECT * FROM company_procedures WHERE active = 1 ORDER BY priority ASC, created_at ASC",
+    args: []
   });
-  return imported;
-}
-function readAllMemories() {
-  const map = getMemoriesMap();
-  const records = [];
-  map.forEach((entry, id) => {
-    records.push({
-      id,
-      agent_id: entry.get("agent_id"),
-      agent_role: entry.get("agent_role"),
-      session_id: entry.get("session_id"),
-      timestamp: entry.get("timestamp"),
-      tool_name: entry.get("tool_name"),
-      project_name: entry.get("project_name"),
-      has_error: entry.get("has_error"),
-      raw_text: entry.get("raw_text"),
-      version: entry.get("version"),
-      author_device_id: entry.get("author_device_id"),
-      scope: entry.get("scope")
-    });
-  });
-  return records;
-}
-function readAllBehaviors() {
-  const map = getBehaviorsMap();
-  const records = [];
-  map.forEach((entry, id) => {
-    records.push({
-      id,
-      agent_id: entry.get("agent_id"),
-      project_name: entry.get("project_name"),
-      domain: entry.get("domain"),
-      content: entry.get("content"),
-      active: entry.get("active"),
-      priority: entry.get("priority"),
-      created_at: entry.get("created_at"),
-      updated_at: entry.get("updated_at")
-    });
-  });
-  return records;
-}
-function onUpdate(callback) {
-  const d = initCrdtDoc();
-  const handler = (update) => callback(update);
-  d.on("update", handler);
-  return () => d.off("update", handler);
-}
-function persistState() {
-  if (!doc) return;
-  try {
-    const sp = getStatePath();
-    const dir = path8.dirname(sp);
-    if (!existsSync8(dir)) mkdirSync3(dir, { recursive: true });
-    const state = Y.encodeStateAsUpdate(doc);
-    writeFileSync4(sp, Buffer.from(state));
-  } catch {
+  const allRows = result.rows;
+  const customerOnly = allRows.filter((p) => !PLATFORM_PROCEDURE_TITLES.has(p.title));
+  if (customerOnly.length > 0) {
+    _customerCache = customerOnly.map((p) => `### ${p.title}
+${p.content}`).join("\n\n");
+  } else {
+    _customerCache = "";
   }
+  _cacheLoaded = true;
+  return customerOnly;
 }
-function isCrdtSyncEnabled() {
-  return process.env.EXE_CRDT_SYNC !== "0";
+function getGlobalProceduresBlock() {
+  const sections = [];
+  if (_platformCache) sections.push(_platformCache);
+  if (_cacheLoaded && _customerCache) sections.push(_customerCache);
+  if (sections.length === 0) return "";
+  return `## Organization-Wide Procedures (MANDATORY \u2014 supersedes all other rules)
+
+${sections.join("\n\n")}
+`;
 }
-async function rebuildFromDb() {
-  const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-  const client = getClient2();
-  const result = await client.execute(
-    "SELECT id, agent_id, agent_role, session_id, timestamp, tool_name, project_name, has_error, raw_text, version, author_device_id, scope FROM memories"
-  );
-  const memories = result.rows.map((row) => ({
-    id: String(row.id),
-    agent_id: row.agent_id,
-    agent_role: row.agent_role,
-    session_id: row.session_id,
-    timestamp: row.timestamp,
-    tool_name: row.tool_name,
-    project_name: row.project_name,
-    has_error: row.has_error,
-    raw_text: row.raw_text,
-    version: row.version,
-    author_device_id: row.author_device_id,
-    scope: row.scope
-  }));
-  const count = importExistingMemories(memories);
-  persistState();
-  return count;
+async function storeGlobalProcedure(input) {
+  const id = randomUUID2();
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const client = getClient();
+  await client.execute({
+    sql: `INSERT INTO company_procedures (id, title, content, priority, domain, active, created_at, updated_at)
+          VALUES (?, ?, ?, ?, ?, 1, ?, ?)`,
+    args: [id, input.title, input.content, input.priority ?? "p0", input.domain ?? null, now, now]
+  });
+  await loadGlobalProcedures();
+  return id;
 }
-function destroyCrdtDoc() {
-  if (doc) {
-    doc.destroy();
-    doc = null;
-  }
+async function deactivateGlobalProcedure(id) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const client = getClient();
+  const result = await client.execute({
+    sql: "UPDATE company_procedures SET active = 0, updated_at = ? WHERE id = ?",
+    args: [now, id]
+  });
+  await loadGlobalProcedures();
+  return result.rowsAffected > 0;
 }
-var DEFAULT_STATE_PATH, _statePathOverride, doc;
-var init_crdt_sync = __esm({
-  "src/lib/crdt-sync.ts"() {
+var _customerCache, _cacheLoaded, _platformCache;
+var init_global_procedures = __esm({
+  "src/lib/global-procedures.ts"() {
     "use strict";
-    DEFAULT_STATE_PATH = path8.join(homedir(), ".exe-os", "crdt-state.bin");
-    _statePathOverride = null;
-    doc = null;
+    init_database();
+    init_platform_procedures();
+    _customerCache = "";
+    _cacheLoaded = false;
+    _platformCache = PLATFORM_PROCEDURES.map((p) => `### ${p.title}
+${p.content}`).join("\n\n");
   }
 });
 
-// src/lib/db-backup.ts
-var db_backup_exports = {};
-__export(db_backup_exports, {
-  createBackup: () => createBackup,
-  findActiveDb: () => findActiveDb,
-  getBackupDir: () => getBackupDir,
-  getLatestBackup: () => getLatestBackup,
-  hasBackupToday: () => hasBackupToday,
-  listBackups: () => listBackups,
-  rotateBackups: () => rotateBackups
-});
-import { copyFileSync, existsSync as existsSync9, mkdirSync as mkdirSync4, readdirSync, unlinkSync as unlinkSync4, statSync as statSync2 } from "fs";
-import path9 from "path";
-function findActiveDb() {
-  for (const name of DB_NAMES) {
-    const p = path9.join(EXE_AI_DIR, name);
-    if (existsSync9(p)) return p;
+// src/lib/agentic-ontology.ts
+import { createHash as createHash2 } from "crypto";
+function stableId(...parts) {
+  return createHash2("sha256").update(parts.map((p) => String(p ?? "")).join("::")).digest("hex").slice(0, 32);
+}
+function clean(text, max = 240) {
+  return text.replace(/\u0000/g, "").replace(/```[\s\S]*?```/g, " ").replace(/\s+/g, " ").trim().slice(0, max);
+}
+function inferOntologyEventType(row) {
+  const lower = row.raw_text.toLowerCase();
+  if (row.has_error) return "error";
+  if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published)\b/.test(lower)) return "milestone";
+  if (/\b(blocked|failed|error|bug|regression|broken)\b/.test(lower)) return "problem";
+  if (/\b(decided|decision|adr|we chose|approved|rejected)\b/.test(lower)) return "decision";
+  if (/\b(goal|need to|we need|want to|trying to|objective)\b/.test(lower)) return "goal_signal";
+  if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) return "tool_action";
+  if (row.tool_name.startsWith("memory_card")) return "memory_card";
+  return "memory_observation";
+}
+function inferIntention(row) {
+  if (row.intent) return clean(row.intent, 220);
+  const text = clean(row.raw_text, 1e3);
+  const patterns = [
+    /(?:we need to|need to|let'?s|i want to|we should|goal is to|objective is to|trying to)\s+([^.!?\n]{8,220})/i,
+    /(?:so that|in order to)\s+([^.!?\n]{8,220})/i,
+    /(?:task|plan):\s*([^.!?\n]{8,220})/i
+  ];
+  for (const p of patterns) {
+    const m = text.match(p);
+    if (m?.[1]) return clean(m[1], 220);
+  }
+  if (["Bash", "Read", "Edit", "Write", "Grep", "Glob"].includes(row.tool_name)) {
+    return `${row.tool_name} during ${row.project_name}`;
   }
   return null;
 }
-function createBackup(reason = "manual") {
-  const dbPath = findActiveDb();
-  if (!dbPath) return null;
-  mkdirSync4(BACKUP_DIR, { recursive: true });
-  const dbName = path9.basename(dbPath, ".db");
-  const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
-  const backupName = `${dbName}-${reason}-${timestamp}.db`;
-  const backupPath = path9.join(BACKUP_DIR, backupName);
-  copyFileSync(dbPath, backupPath);
-  const walPath = dbPath + "-wal";
-  if (existsSync9(walPath)) {
-    try {
-      copyFileSync(walPath, backupPath + "-wal");
-    } catch {
-    }
-  }
-  const shmPath = dbPath + "-shm";
-  if (existsSync9(shmPath)) {
-    try {
-      copyFileSync(shmPath, backupPath + "-shm");
-    } catch {
-    }
-  }
-  return backupPath;
+function inferOutcome(row) {
+  if (row.outcome) return clean(row.outcome, 220);
+  if (row.has_error) return "error";
+  const lower = row.raw_text.toLowerCase();
+  if (/\b(done|complete|completed|fixed|resolved|shipped|deployed|pushed|published|passed)\b/.test(lower)) return "success_signal";
+  if (/\b(blocked|failed|error|regression|broken|not working|could not)\b/.test(lower)) return "failure_signal";
+  if (/\b(warning|risk|concern|caveat)\b/.test(lower)) return "risk_signal";
+  return null;
 }
-function rotateBackups(keepDays = DEFAULT_KEEP_DAYS) {
-  if (!existsSync9(BACKUP_DIR)) return 0;
-  const cutoff = Date.now() - keepDays * 24 * 60 * 60 * 1e3;
-  let deleted = 0;
-  try {
-    const files = readdirSync(BACKUP_DIR);
-    for (const file of files) {
-      if (!file.endsWith(".db") && !file.endsWith(".db-wal") && !file.endsWith(".db-shm")) continue;
-      const filePath = path9.join(BACKUP_DIR, file);
-      try {
-        const stat = statSync2(filePath);
-        if (stat.mtimeMs < cutoff) {
-          unlinkSync4(filePath);
-          deleted++;
-        }
-      } catch {
-      }
+function extractGoalCandidates(row) {
+  const text = clean(row.raw_text, 1600);
+  const patterns = [
+    /(?:we need to|need to|i want to|we should|goal is to|objective is to|trying to|let'?s)\s+([^.!?\n]{12,220})/gi,
+    /(?:success means|success criteria|so that)\s+([^.!?\n]{12,220})/gi
+  ];
+  const out = [];
+  for (const pattern of patterns) {
+    for (const m of text.matchAll(pattern)) {
+      const candidate = clean(m[1] ?? "", 220);
+      if (candidate.length >= 12 && !out.some((x) => x.toLowerCase() === candidate.toLowerCase())) out.push(candidate);
+      if (out.length >= 3) return out;
     }
-  } catch {
   }
-  return deleted;
+  return out;
 }
-function listBackups() {
-  if (!existsSync9(BACKUP_DIR)) return [];
-  try {
-    const files = readdirSync(BACKUP_DIR).filter((f) => f.endsWith(".db") && !f.endsWith("-wal") && !f.endsWith("-shm"));
-    return files.map((name) => {
-      const p = path9.join(BACKUP_DIR, name);
-      const stat = statSync2(p);
-      return { path: p, name, size: stat.size, date: stat.mtime };
-    }).sort((a, b) => b.date.getTime() - a.date.getTime());
-  } catch {
-    return [];
+function uniq(values, max = 6) {
+  const out = [];
+  for (const value of values.map((v) => clean(v, 220)).filter(Boolean)) {
+    if (!out.some((x) => x.toLowerCase() === value.toLowerCase())) out.push(value);
+    if (out.length >= max) break;
   }
+  return out;
 }
-function hasBackupToday(reason) {
-  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
-  const backups = listBackups();
-  return backups.some((b) => b.name.includes(reason) && b.name.includes(today.replace(/-/g, "-")));
-}
-function getLatestBackup() {
-  const backups = listBackups();
-  return backups.length > 0 ? backups[0].path : null;
-}
-function getBackupDir() {
-  return BACKUP_DIR;
+function extractMatches(text, patterns, max = 5) {
+  const out = [];
+  for (const pattern of patterns) {
+    for (const match of text.matchAll(pattern)) {
+      const value = match[1] ?? match[0];
+      if (value) out.push(value);
+      if (out.length >= max) return uniq(out, max);
+    }
+  }
+  return uniq(out, max);
+}
+function inferSemanticLabel(row) {
+  const text = clean(row.raw_text, 2400);
+  const eventType = inferOntologyEventType(row);
+  const intention = inferIntention(row);
+  const outcome = inferOutcome(row);
+  const goals = extractGoalCandidates(row);
+  const milestones = extractMatches(text, [
+    /\b(?:completed|finished|fixed|resolved|shipped|deployed|published|pushed|passed)\b([^.!?\n]{0,180})/gi,
+    /(?:milestone|done):\s*([^.!?\n]{8,220})/gi
+  ]);
+  const problems = extractMatches(text, [
+    /\b(?:blocked by|failed because|bug|regression|broken|not working|error)\b([^.!?\n]{0,180})/gi,
+    /(?:problem|issue|risk):\s*([^.!?\n]{8,220})/gi
+  ]);
+  const decisions = extractMatches(text, [
+    /(?:decided|decision|adr|we chose|approved|rejected)\s+([^.!?\n]{8,220})/gi
+  ]);
+  const temporalAnchors = extractMatches(text, [
+    /\b(\d{4}-\d{2}-\d{2}(?:[T ][0-9:.+-Z]+)?)\b/g,
+    /\b(today|yesterday|tomorrow|this week|next week|last week|morning|afternoon|tonight)\b/gi
+  ], 8);
+  const nextActions = extractMatches(text, [
+    /(?:next|todo|follow[- ]?up|remaining|need to)\s*:?\s*([^.!?\n]{8,220})/gi
+  ]);
+  const actors = uniq([
+    row.agent_id,
+    ...extractMatches(text, [/\b(?:agent|employee|owner|assignee)[:= ]+([a-zA-Z][a-zA-Z0-9_-]{1,40})/gi], 5)
+  ], 6);
+  const successSignals = milestones.length ? milestones : outcome === "success_signal" ? [clean(text, 180)] : [];
+  const failureSignals = problems.length ? problems : outcome === "failure_signal" || row.has_error ? [clean(text, 180)] : [];
+  const impact = successSignals.length && failureSignals.length ? "mixed" : failureSignals.length ? "negative" : successSignals.length ? "positive" : "neutral";
+  const signalCount = goals.length + milestones.length + problems.length + decisions.length + nextActions.length;
+  return {
+    labeler: "deterministic",
+    schemaVersion: 1,
+    eventType,
+    intention,
+    outcome,
+    impact,
+    confidence: Math.min(0.95, 0.45 + signalCount * 0.08 + (intention ? 0.1 : 0) + (outcome ? 0.1 : 0)),
+    goals,
+    milestones,
+    problems,
+    decisions,
+    actors,
+    temporalAnchors,
+    successSignals,
+    failureSignals,
+    nextActions,
+    summary: clean(text, 280)
+  };
 }
-var BACKUP_DIR, DEFAULT_KEEP_DAYS, DB_NAMES;
-var init_db_backup = __esm({
-  "src/lib/db-backup.ts"() {
+var init_agentic_ontology = __esm({
+  "src/lib/agentic-ontology.ts"() {
     "use strict";
-    init_config();
-    BACKUP_DIR = path9.join(EXE_AI_DIR, "backups");
-    DEFAULT_KEEP_DAYS = 3;
-    DB_NAMES = ["memories.db", "exe-mem.db", "exe-os.db", "exe.db"];
   }
 });
 
-// src/lib/cloud-sync.ts
-var cloud_sync_exports = {};
-__export(cloud_sync_exports, {
-  assertSecureEndpoint: () => assertSecureEndpoint,
-  buildRosterBlob: () => buildRosterBlob,
-  cloudPull: () => cloudPull,
-  cloudPullBehaviors: () => cloudPullBehaviors,
-  cloudPullBlob: () => cloudPullBlob,
-  cloudPullConversations: () => cloudPullConversations,
-  cloudPullDocuments: () => cloudPullDocuments,
-  cloudPullGlobalProcedures: () => cloudPullGlobalProcedures,
-  cloudPullGraphRAG: () => cloudPullGraphRAG,
-  cloudPullRoster: () => cloudPullRoster,
-  cloudPullTasks: () => cloudPullTasks,
-  cloudPush: () => cloudPush,
-  cloudPushBehaviors: () => cloudPushBehaviors,
-  cloudPushBlob: () => cloudPushBlob,
-  cloudPushConversations: () => cloudPushConversations,
-  cloudPushDocuments: () => cloudPushDocuments,
-  cloudPushGlobalProcedures: () => cloudPushGlobalProcedures,
-  cloudPushGraphRAG: () => cloudPushGraphRAG,
-  cloudPushRoster: () => cloudPushRoster,
-  cloudPushTasks: () => cloudPushTasks,
-  cloudSync: () => cloudSync,
-  mergeConfig: () => mergeConfig,
-  mergeRosterFromRemote: () => mergeRosterFromRemote,
-  pushToPostgres: () => pushToPostgres,
-  recordRosterDeletion: () => recordRosterDeletion
-});
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, existsSync as existsSync10, readdirSync as readdirSync2, mkdirSync as mkdirSync5, appendFileSync, unlinkSync as unlinkSync5, openSync as openSync2, closeSync as closeSync2, statSync as statSync3 } from "fs";
-import crypto3 from "crypto";
-import path10 from "path";
-import { homedir as homedir2 } from "os";
-function sqlSafe(v) {
-  return v === void 0 ? null : v;
-}
-function logError(msg) {
-  try {
-    const logPath = path10.join(homedir2(), ".exe-os", "workers.log");
-    appendFileSync(logPath, `${(/* @__PURE__ */ new Date()).toISOString()} ${msg}
-`);
-  } catch {
-  }
+// src/lib/store.ts
+init_memory();
+init_database();
+
+// src/lib/keychain.ts
+import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
+import { existsSync as existsSync6, statSync as statSync2 } from "fs";
+import { execSync as execSync2 } from "child_process";
+import path6 from "path";
+import os5 from "os";
+var SERVICE = "exe-os";
+var LEGACY_SERVICE = "exe-mem";
+var ACCOUNT = "master-key";
+function getKeyDir() {
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path6.join(os5.homedir(), ".exe-os");
 }
-function isTruthyEnv(value) {
-  return /^(1|true|yes|on)$/i.test(value ?? "");
+function getKeyPath() {
+  return path6.join(getKeyDir(), "master.key");
+}
+function nativeKeychainAllowed() {
+  return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
 }
-function loadPgClient() {
-  if (_pgFailed) return null;
-  const configPath = path10.join(EXE_AI_DIR, "config.json");
-  let cloudPostgresUrl;
-  let configEnabled = false;
+var linuxSecretAvailability = null;
+function linuxSecretAvailable() {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "linux") return false;
+  if (linuxSecretAvailability !== null) return linuxSecretAvailability;
   try {
-    if (existsSync10(configPath)) {
-      const cfg = JSON.parse(readFileSync7(configPath, "utf8"));
-      cloudPostgresUrl = cfg.cloud?.postgresUrl;
-      configEnabled = cfg.cloud?.syncToPostgres === true;
-    }
+    execSync2("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
   } catch {
+    linuxSecretAvailability = false;
+    return false;
   }
-  const envEnabled = isTruthyEnv(process.env.EXE_CLOUD_SYNC_TO_POSTGRES);
-  if (!envEnabled && !configEnabled) {
-    return null;
-  }
-  const url = process.env.DATABASE_URL || cloudPostgresUrl;
-  if (!url) {
-    _pgFailed = true;
-    return null;
-  }
-  if (!_pgPromise) {
-    _pgPromise = (async () => {
-      if (!process.env.DATABASE_URL) process.env.DATABASE_URL = url;
-      const { createRequire: createRequire3 } = await import("module");
-      const { pathToFileURL: pathToFileURL3 } = await import("url");
-      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
-      if (explicitPath) {
-        const mod2 = await import(pathToFileURL3(explicitPath).href);
-        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
-        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
-        return new Ctor2();
-      }
-      const exeDbRoot = process.env.EXE_DB_ROOT ?? path10.join(homedir2(), "exe-db");
-      const req = createRequire3(path10.join(exeDbRoot, "package.json"));
-      const entry = req.resolve("@prisma/client");
-      const mod = await import(pathToFileURL3(entry).href);
-      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
-      if (!Ctor) throw new Error("No PrismaClient");
-      return new Ctor();
-    })().catch(() => {
-      _pgFailed = true;
-      _pgPromise = null;
-      throw new Error("pg_unavailable");
-    });
-  }
-  return _pgPromise;
-}
-async function pushToPostgres(records) {
-  const loader = loadPgClient();
-  if (!loader) return 0;
-  let prisma;
   try {
-    prisma = await loader;
+    execSync2("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
+    linuxSecretAvailability = true;
   } catch {
-    return 0;
-  }
-  let inserted = 0;
-  for (const rec of records) {
-    try {
-      await prisma.$executeRawUnsafe(
-        `INSERT INTO raw.raw_events (id, source, source_id, event_type, payload, metadata, timestamp)
-         VALUES (gen_random_uuid(), 'cloud_sync', $1, 'memory', $2::jsonb, $3::jsonb, $4)
-         ON CONFLICT (source, source_id, event_type) DO NOTHING`,
-        String(rec.id ?? ""),
-        JSON.stringify(rec),
-        JSON.stringify({ agent_id: rec.agent_id, project_name: rec.project_name, tool_name: rec.tool_name }),
-        rec.timestamp ? new Date(String(rec.timestamp)) : /* @__PURE__ */ new Date()
-      );
-      inserted++;
-    } catch {
-    }
+    linuxSecretAvailability = false;
   }
-  return inserted;
+  return linuxSecretAvailability;
 }
-async function withRosterLock(fn) {
-  try {
-    const fd = openSync2(ROSTER_LOCK_PATH, "wx");
-    closeSync2(fd);
-    writeFileSync5(ROSTER_LOCK_PATH, String(Date.now()));
-  } catch (err) {
-    if (err.code === "EEXIST") {
-      try {
-        const ts = parseInt(readFileSync7(ROSTER_LOCK_PATH, "utf-8"), 10);
-        if (Date.now() - ts < LOCK_STALE_MS) {
-          throw new Error("Roster merge already in progress \u2014 another sync is running");
-        }
-        unlinkSync5(ROSTER_LOCK_PATH);
-        const fd = openSync2(ROSTER_LOCK_PATH, "wx");
-        closeSync2(fd);
-        writeFileSync5(ROSTER_LOCK_PATH, String(Date.now()));
-      } catch (retryErr) {
-        if (retryErr instanceof Error && retryErr.message.includes("already in progress")) throw retryErr;
-        throw new Error("Roster merge already in progress \u2014 another sync is running");
-      }
-    } else {
-      throw err;
-    }
-  }
+function isRootOnlyTrustedServerKeyFile(keyPath) {
+  if (process.platform !== "linux") return false;
   try {
-    return await fn();
-  } finally {
-    try {
-      unlinkSync5(ROSTER_LOCK_PATH);
-    } catch {
-    }
+    const uid = typeof os5.userInfo().uid === "number" ? os5.userInfo().uid : -1;
+    const st = statSync2(keyPath);
+    if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    if (uid === 0) return true;
+    const exeOsDir = process.env.EXE_OS_DIR;
+    return Boolean(exeOsDir && path6.resolve(keyPath).startsWith(path6.resolve(exeOsDir) + path6.sep));
+  } catch {
+    return false;
   }
 }
-async function fetchWithRetry(url, init) {
-  const MAX_RETRIES2 = 3;
-  const BASE_DELAY_MS2 = 200;
-  let lastError;
-  for (let attempt = 0; attempt <= MAX_RETRIES2; attempt++) {
-    try {
-      const signal = AbortSignal.timeout(FETCH_TIMEOUT_MS);
-      const resp = await fetch(url, { ...init, signal });
-      if (resp && resp.status >= 500 && attempt < MAX_RETRIES2) {
-        await new Promise((r) => setTimeout(r, BASE_DELAY_MS2 * Math.pow(2, attempt)));
-        continue;
-      }
-      return resp;
-    } catch (err) {
-      lastError = err;
-      if (attempt === MAX_RETRIES2) throw err;
-      await new Promise((r) => setTimeout(r, BASE_DELAY_MS2 * Math.pow(2, attempt)));
-    }
+function macKeychainGet(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return null;
+  if (process.platform !== "darwin") return null;
+  try {
+    return execSync2(
+      `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
+  } catch {
+    return null;
   }
-  throw lastError;
 }
-function assertSecureEndpoint(endpoint) {
-  if (endpoint.startsWith("https://")) return;
-  if (endpoint.startsWith("http://")) {
+function macKeychainSet(value, service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "darwin") return false;
+  try {
     try {
-      const parsed = new URL(endpoint);
-      if (LOCALHOST_PATTERNS.test(parsed.hostname)) return;
+      execSync2(
+        `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
+        { timeout: 5e3 }
+      );
     } catch {
-      return;
     }
-    throw new Error(
-      `Insecure cloud endpoint rejected: "${endpoint}". Use https:// for remote hosts. Plain http:// is only allowed for localhost.`
+    execSync2(
+      `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
+      { timeout: 5e3 }
     );
-  }
-}
-async function cloudPush(records, maxVersion, config) {
-  if (records.length === 0) return true;
-  assertSecureEndpoint(config.endpoint);
-  try {
-    const json = JSON.stringify(records);
-    const compressed = compress(Buffer.from(json, "utf8"));
-    const blob = encryptSyncBlob(compressed);
-    const resp = await fetchWithRetry(`${config.endpoint}/sync/push`, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${config.apiKey}`,
-        "Content-Type": "application/json",
-        "X-Device-Id": loadDeviceId(),
-        "X-Expected-Version": String(maxVersion)
-      },
-      body: JSON.stringify({ version: maxVersion, blob })
-    });
-    if (resp == null) {
-      logError("[cloud-sync] PUSH FAILED: no response from server");
-      return false;
-    }
-    if (resp.status === 409) {
-      logError("[cloud-sync] PUSH VERSION CONFLICT \u2014 re-pull required before next push");
-      return false;
-    }
-    return resp.ok;
-  } catch (err) {
-    logError(`[cloud-sync] PUSH FAILED: ${err instanceof Error ? err.message : String(err)}`);
+    return true;
+  } catch {
     return false;
   }
 }
-async function cloudPull(sinceVersion, config) {
-  assertSecureEndpoint(config.endpoint);
+function macKeychainDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "darwin") return false;
   try {
-    const response = await fetchWithRetry(`${config.endpoint}/sync/pull`, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${config.apiKey}`,
-        "Content-Type": "application/json",
-        "X-Device-Id": loadDeviceId()
-      },
-      body: JSON.stringify({ since_version: sinceVersion })
-    });
-    if (response == null) {
-      logError("[cloud-sync] PULL FAILED: no response from server");
-      return { records: [], maxVersion: sinceVersion };
-    }
-    if (!response.ok) return { records: [], maxVersion: sinceVersion };
-    const data = await response.json();
-    const allRecords = [];
-    for (const { blob } of data.blobs ?? []) {
-      try {
-        const compressed = decryptSyncBlob(blob);
-        const json = decompress(compressed).toString("utf8");
-        const records = JSON.parse(json);
-        allRecords.push(...records);
-      } catch {
-        continue;
-      }
-    }
-    return { records: allRecords, maxVersion: data.max_version ?? sinceVersion };
-  } catch (err) {
-    logError(`[cloud-sync] PULL FAILED: ${err instanceof Error ? err.message : String(err)}`);
-    return { records: [], maxVersion: sinceVersion };
+    execSync2(
+      `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
+  } catch {
+    return false;
   }
 }
-async function cloudSync(config) {
-  if (!isSyncCryptoInitialized()) {
-    try {
-      const { getMasterKey: getMasterKey2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));
-      const masterKey = await getMasterKey2();
-      if (masterKey) {
-        initSyncCrypto(masterKey);
-      } else {
-        throw new Error("No master key found");
-      }
-    } catch (err) {
-      throw new Error(`[cloud-sync] Cannot initialize encryption: ${err instanceof Error ? err.message : String(err)}`);
-    }
-  }
-  let client;
+function linuxSecretGet(service = SERVICE) {
+  if (!linuxSecretAvailable()) return null;
   try {
-    client = getClient();
+    return execSync2(
+      `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
+      { encoding: "utf-8", timeout: 5e3 }
+    ).trim();
   } catch {
-    throw new Error("[cloud-sync] Database not initialized. Call initStore() before cloudSync().");
-  }
-  try {
-    const relink = await client.execute("SELECT value FROM sync_meta WHERE key = 'cloud_relink_required' LIMIT 1");
-    if (String(relink.rows[0]?.value ?? "") === "1") {
-      throw new Error("[cloud-sync] Paused after key rotation. Re-link/reupload cloud sync with the new recovery phrase before syncing.");
-    }
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    if (msg.includes("Paused after key rotation")) throw err;
+    return null;
   }
+}
+function linuxSecretSet(value, service = SERVICE) {
+  if (!linuxSecretAvailable()) return false;
   try {
-    const { getRawClient: getRawClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-    await getRawClient2().execute("PRAGMA wal_checkpoint(PASSIVE)");
+    execSync2(
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
+    );
+    return true;
   } catch {
+    return false;
   }
+}
+function linuxSecretDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "linux") return false;
   try {
-    await client.execute(
-      "CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)"
+    execSync2(
+      `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
+      { timeout: 5e3 }
     );
-  } catch (e) {
-    logError(`[cloud-sync] sync_meta CREATE failed: ${e instanceof Error ? e.message : String(e)}`);
-  }
-  const pullMeta = await client.execute(
-    "SELECT value FROM sync_meta WHERE key = 'last_cloud_pull_version'"
-  );
-  const lastPullVersion = pullMeta.rows.length > 0 ? Number(pullMeta.rows[0].value) : 0;
-  const pullResult = await cloudPull(lastPullVersion, config);
-  let pulled = 0;
-  if (pullResult.records.length > 0) {
-    if (isCrdtSyncEnabled()) {
-      const { initCrdtDoc: initCrdtDoc2, importExistingMemories: importExistingMemories2, readAllMemories: readAllMemories2 } = await Promise.resolve().then(() => (init_crdt_sync(), crdt_sync_exports));
-      initCrdtDoc2();
-      importExistingMemories2(
-        pullResult.records.map((rec) => ({
-          id: String(rec.id ?? ""),
-          agent_id: rec.agent_id,
-          agent_role: rec.agent_role,
-          session_id: rec.session_id,
-          timestamp: rec.timestamp,
-          tool_name: rec.tool_name,
-          project_name: rec.project_name,
-          has_error: rec.has_error ?? 0,
-          raw_text: rec.raw_text ?? "",
-          version: rec.version ?? 0,
-          author_device_id: rec.author_device_id,
-          scope: rec.scope ?? "business"
-        }))
-      );
-      const pulledIds = new Set(pullResult.records.map((r) => String(r.id ?? "")));
-      const merged = readAllMemories2().filter((rec) => pulledIds.has(rec.id));
-      const stmts = merged.map((rec) => ({
-        sql: `INSERT OR REPLACE INTO memories
-              (id, agent_id, agent_role, session_id, timestamp,
-               tool_name, project_name, has_error, raw_text, version,
-               author_device_id, scope)
-              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-        args: [
-          sqlSafe(rec.id),
-          sqlSafe(rec.agent_id),
-          sqlSafe(rec.agent_role),
-          sqlSafe(rec.session_id),
-          sqlSafe(rec.timestamp),
-          sqlSafe(rec.tool_name),
-          sqlSafe(rec.project_name),
-          sqlSafe(rec.has_error ?? 0),
-          sqlSafe(rec.raw_text ?? ""),
-          sqlSafe(rec.version ?? 0),
-          sqlSafe(rec.author_device_id),
-          sqlSafe(rec.scope ?? "business")
-        ]
-      }));
-      if (stmts.length > 0) await client.batch(stmts, "write");
-      pulled = pullResult.records.length;
-    } else {
-      const stmts = pullResult.records.map((rec) => ({
-        sql: `INSERT OR REPLACE INTO memories
-              (id, agent_id, agent_role, session_id, timestamp,
-               tool_name, project_name, has_error, raw_text, version,
-               author_device_id, scope)
-              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-        args: [
-          sqlSafe(rec.id),
-          sqlSafe(rec.agent_id),
-          sqlSafe(rec.agent_role),
-          sqlSafe(rec.session_id),
-          sqlSafe(rec.timestamp),
-          sqlSafe(rec.tool_name),
-          sqlSafe(rec.project_name),
-          sqlSafe(rec.has_error ?? 0),
-          sqlSafe(rec.raw_text ?? ""),
-          sqlSafe(rec.version ?? 0),
-          sqlSafe(rec.author_device_id),
-          sqlSafe(rec.scope ?? "business")
-        ]
-      }));
-      await client.batch(stmts, "write");
-      pulled = pullResult.records.length;
-    }
-  }
-  if (pulled > 0) {
-    try {
-      await pushToPostgres(pullResult.records);
-    } catch {
-    }
-  }
-  if (pullResult.maxVersion > lastPullVersion) {
-    await client.execute({
-      sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('last_cloud_pull_version', ?)",
-      args: [String(pullResult.maxVersion)]
-    });
-  }
-  const pushMeta = await client.execute(
-    "SELECT value FROM sync_meta WHERE key = 'last_cloud_push_version'"
-  );
-  const lastPushVersion = pushMeta.rows.length > 0 ? Number(pushMeta.rows[0].value) : 0;
-  let pushed = 0;
-  let batchCursor = lastPushVersion;
-  while (true) {
-    const recordsResult = await client.execute({
-      sql: `SELECT id, agent_id, agent_role, session_id, timestamp,
-                   tool_name, project_name, has_error, raw_text, version,
-                   author_device_id, scope
-            FROM memories
-            WHERE version > ?
-              AND (scope IS NULL OR scope != 'personal')
-            ORDER BY version ASC
-            LIMIT ?`,
-      args: [batchCursor, PUSH_BATCH_SIZE]
-    });
-    if (recordsResult.rows.length === 0) break;
-    const records = recordsResult.rows.map((row) => ({
-      id: row.id,
-      agent_id: row.agent_id,
-      agent_role: row.agent_role,
-      session_id: row.session_id,
-      timestamp: row.timestamp,
-      tool_name: row.tool_name,
-      project_name: row.project_name,
-      has_error: row.has_error,
-      raw_text: row.raw_text,
-      version: row.version,
-      author_device_id: row.author_device_id,
-      scope: row.scope
-    }));
-    const maxVersion = Number(records[records.length - 1].version);
-    const pushOk = await cloudPush(records, maxVersion, config);
-    if (!pushOk) break;
-    try {
-      await pushToPostgres(records);
-    } catch {
-    }
-    await client.execute({
-      sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('last_cloud_push_version', ?)",
-      args: [String(maxVersion)]
-    });
-    pushed += records.length;
-    batchCursor = maxVersion;
-    if (recordsResult.rows.length < PUSH_BATCH_SIZE) break;
-  }
-  try {
-    await cloudPushRoster(config);
-  } catch (err) {
-    logError(`[cloud-sync] Roster push: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  try {
-    await cloudPullRoster(config);
-  } catch (err) {
-    logError(`[cloud-sync] Roster pull: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  try {
-    await cloudPushGlobalProcedures(config);
-  } catch (err) {
-    logError(`[cloud-sync] Company procedures push: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  try {
-    await cloudPullGlobalProcedures(config);
-  } catch (err) {
-    logError(`[cloud-sync] Company procedures pull: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  const countRows = async (sql) => {
-    try {
-      return Number((await client.execute(sql)).rows[0]?.cnt ?? 0);
-    } catch {
-      return 0;
-    }
-  };
-  let behaviorsResult = { pushed: 0, pulled: 0 };
-  try {
-    await cloudPushBehaviors(config);
-    behaviorsResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM behaviors WHERE active = 1");
-  } catch (err) {
-    logError(`[cloud-sync] Behaviors push: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  try {
-    const pullResult2 = await cloudPullBehaviors(config);
-    behaviorsResult.pulled = pullResult2.pulled;
-  } catch (err) {
-    logError(`[cloud-sync] Behaviors pull: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  let graphragResult = { pushed: 0, pulled: 0 };
-  try {
-    await cloudPushGraphRAG(config);
-    graphragResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM entities");
-  } catch (err) {
-    logError(`[cloud-sync] GraphRAG push: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  try {
-    const pullResult2 = await cloudPullGraphRAG(config);
-    graphragResult.pulled = pullResult2.pulled;
-  } catch (err) {
-    logError(`[cloud-sync] GraphRAG pull: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  let tasksResult = { pushed: 0, pulled: 0 };
-  try {
-    await cloudPushTasks(config);
-    tasksResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM tasks");
-  } catch (err) {
-    logError(`[cloud-sync] Tasks push: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  try {
-    const pullResult2 = await cloudPullTasks(config);
-    tasksResult.pulled = pullResult2.pulled;
-  } catch (err) {
-    logError(`[cloud-sync] Tasks pull: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  let conversationsResult = { pushed: 0, pulled: 0 };
-  try {
-    await cloudPushConversations(config);
-    conversationsResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM conversations");
-  } catch (err) {
-    logError(`[cloud-sync] Conversations push: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  try {
-    const pullResult2 = await cloudPullConversations(config);
-    conversationsResult.pulled = pullResult2.pulled;
-  } catch (err) {
-    logError(`[cloud-sync] Conversations pull: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  let documentsResult = { pushed: 0, pulled: 0 };
-  try {
-    await cloudPushDocuments(config);
-    documentsResult.pushed = await countRows("SELECT COUNT(*) as cnt FROM documents");
-  } catch (err) {
-    logError(`[cloud-sync] Documents push: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  try {
-    const pullResult2 = await cloudPullDocuments(config);
-    documentsResult.pulled = pullResult2.pulled;
-  } catch (err) {
-    logError(`[cloud-sync] Documents pull: ${err instanceof Error ? err.message : String(err)}`);
+    return true;
+  } catch {
+    return false;
   }
-  let rosterResult = { employees: 0, identities: 0 };
+}
+async function tryKeytar() {
+  if (!nativeKeychainAllowed()) return null;
   try {
-    const employees = await loadEmployees();
-    rosterResult.employees = employees.length;
-    const idDir = path10.join(EXE_AI_DIR, "identity");
-    if (existsSync10(idDir)) {
-      rosterResult.identities = readdirSync2(idDir).filter((f) => f.endsWith(".md")).length;
-    }
+    return await import("keytar");
   } catch {
+    return null;
   }
-  const totalMemories = await countRows("SELECT COUNT(*) as cnt FROM memories WHERE status = 'active' OR status IS NULL");
+}
+var ENCRYPTED_PREFIX = "enc:";
+function deriveMachineKey() {
   try {
-    const { getLatestBackup: getLatestBackup2 } = await Promise.resolve().then(() => (init_db_backup(), db_backup_exports));
-    const latestBackup = getLatestBackup2();
-    if (latestBackup) {
-      const backupSize = statSync3(latestBackup).size;
-      const MAX_CLOUD_BACKUP_BYTES = 50 * 1024 * 1024;
-      if (backupSize <= MAX_CLOUD_BACKUP_BYTES) {
-        const backupData = readFileSync7(latestBackup);
-        const deviceId = loadDeviceId() ?? "unknown";
-        const encrypted = encryptSyncBlob(backupData);
-        const backupRes = await fetchWithRetry(`${config.endpoint}/sync/push-db-backup`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json", Authorization: `Bearer ${config.apiKey}` },
-          body: JSON.stringify({
-            device_id: deviceId,
-            filename: path10.basename(latestBackup),
-            blob: encrypted,
-            size: backupData.length
-          })
-        });
-        if (backupRes && !backupRes.ok) {
-          logError(`[cloud-sync] DB backup upload failed: ${backupRes.status}`);
-        }
-      }
-    }
-  } catch (err) {
-    logError(`[cloud-sync] DB backup upload error: ${err instanceof Error ? err.message : String(err)}`);
+    const crypto2 = __require("crypto");
+    const material = [
+      os5.hostname(),
+      os5.userInfo().username,
+      os5.arch(),
+      os5.platform(),
+      // Machine ID on Linux (stable across reboots)
+      process.platform === "linux" ? readMachineId() : ""
+    ].join("|");
+    return crypto2.createHash("sha256").update(material).digest();
+  } catch {
+    return null;
   }
-  return {
-    pushed,
-    pulled,
-    totalMemories,
-    behaviors: behaviorsResult,
-    graphrag: graphragResult,
-    tasks: tasksResult,
-    conversations: conversationsResult,
-    documents: documentsResult,
-    roster: rosterResult
-  };
 }
-function recordRosterDeletion(name) {
-  let deletions = [];
+function readMachineId() {
   try {
-    if (existsSync10(ROSTER_DELETIONS_PATH)) {
-      deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
-    }
+    const { readFileSync: readFileSync5 } = __require("fs");
+    return readFileSync5("/etc/machine-id", "utf-8").trim();
   } catch {
+    return "";
   }
-  if (!deletions.includes(name)) deletions.push(name);
-  writeFileSync5(ROSTER_DELETIONS_PATH, JSON.stringify(deletions));
 }
-function consumeRosterDeletions() {
+function encryptWithMachineKey(plaintext, machineKey) {
+  const crypto2 = __require("crypto");
+  const iv = crypto2.randomBytes(12);
+  const cipher = crypto2.createCipheriv("aes-256-gcm", machineKey, iv);
+  let encrypted = cipher.update(plaintext, "utf-8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag().toString("base64");
+  return `${ENCRYPTED_PREFIX}${iv.toString("base64")}:${authTag}:${encrypted}`;
+}
+function decryptWithMachineKey(encrypted, machineKey) {
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
-    if (!existsSync10(ROSTER_DELETIONS_PATH)) return [];
-    const deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
-    writeFileSync5(ROSTER_DELETIONS_PATH, "[]");
-    return deletions;
+    const crypto2 = __require("crypto");
+    const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
+    if (parts.length !== 3) return null;
+    const [ivB64, tagB64, cipherB64] = parts;
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+    const decipher = crypto2.createDecipheriv("aes-256-gcm", machineKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(cipherB64, "base64", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
   } catch {
-    return [];
+    return null;
   }
 }
-function buildRosterBlob(paths) {
-  const rosterPath = paths?.rosterPath ?? path10.join(EXE_AI_DIR, "exe-employees.json");
-  const identityDir = paths?.identityDir ?? path10.join(EXE_AI_DIR, "identity");
-  const configPath = paths?.configPath ?? path10.join(EXE_AI_DIR, "config.json");
-  let roster = [];
-  if (existsSync10(rosterPath)) {
-    try {
-      roster = JSON.parse(readFileSync7(rosterPath, "utf-8"));
-    } catch {
-    }
+async function writeMachineBoundFileFallback(b64) {
+  const dir = getKeyDir();
+  await mkdir3(dir, { recursive: true });
+  const keyPath = getKeyPath();
+  const machineKey = deriveMachineKey();
+  if (machineKey) {
+    const encrypted = encryptWithMachineKey(b64, machineKey);
+    await writeFile3(keyPath, encrypted + "\n", "utf-8");
+    await chmod2(keyPath, 384);
+    return "encrypted";
   }
-  const identities = {};
-  if (existsSync10(identityDir)) {
-    for (const file of readdirSync2(identityDir).filter((f) => f.endsWith(".md"))) {
-      try {
-        identities[file] = readFileSync7(path10.join(identityDir, file), "utf-8");
-      } catch {
+  await writeFile3(keyPath, b64 + "\n", "utf-8");
+  await chmod2(keyPath, 384);
+  return "plaintext";
+}
+async function getMasterKey() {
+  let nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (!nativeValue) {
+    const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
+    if (legacyValue) {
+      const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
+      if (migrated) {
+        macKeychainDelete(LEGACY_SERVICE);
+        linuxSecretDelete(LEGACY_SERVICE);
+        process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
       }
+      nativeValue = legacyValue;
     }
   }
-  let config;
-  if (existsSync10(configPath)) {
-    try {
-      config = JSON.parse(readFileSync7(configPath, "utf-8"));
-    } catch {
-    }
+  if (nativeValue) {
+    return Buffer.from(nativeValue, "base64");
   }
-  let agentConfig;
-  const agentConfigPath = path10.join(EXE_AI_DIR, "agent-config.json");
-  if (existsSync10(agentConfigPath)) {
+  const keytar = await tryKeytar();
+  if (keytar) {
     try {
-      agentConfig = JSON.parse(readFileSync7(agentConfigPath, "utf-8"));
+      const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
+      const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
+      if (legacyKeytarValue) {
+        const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
+        if (migrated) {
+          process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+          try {
+            await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
+          } catch {
+          }
+        }
+        return Buffer.from(legacyKeytarValue, "base64");
+      }
     } catch {
     }
   }
-  const deletedNames = consumeRosterDeletions();
-  const content = JSON.stringify({ roster, identities, config, agentConfig, deletedNames });
-  const hash = crypto3.createHash("sha256").update(content).digest("hex").slice(0, 16);
-  return { roster, identities, config, agentConfig, deletedNames, version: hash };
-}
-async function cloudPushRoster(config) {
-  assertSecureEndpoint(config.endpoint);
-  const blob = buildRosterBlob();
-  if (blob.roster.length === 0) return true;
-  try {
-    const client = getClient();
-    const meta = await client.execute(
-      "SELECT value FROM sync_meta WHERE key = 'last_roster_push_version'"
+  const keyPath = getKeyPath();
+  if (!existsSync6(keyPath)) {
+    process.stderr.write(
+      `[keychain] Key not found at ${keyPath} (HOME=${os5.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
+`
     );
-    const lastVersion = meta.rows.length > 0 ? Number(meta.rows[0].value) : 0;
-    if (blob.version === lastVersion) return true;
-  } catch {
+    return null;
   }
   try {
-    const json = JSON.stringify(blob);
-    const compressed = compress(Buffer.from(json, "utf8"));
-    const encrypted = encryptSyncBlob(compressed);
-    const resp = await fetchWithRetry(`${config.endpoint}/sync/push-roster`, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${config.apiKey}`,
-        "Content-Type": "application/json",
-        "X-Device-Id": loadDeviceId()
-      },
-      body: JSON.stringify({ blob: encrypted })
-    });
-    if (resp.ok) {
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    let b64Value;
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      const machineKey = deriveMachineKey();
+      if (!machineKey) {
+        process.stderr.write("[keychain] Cannot derive machine key to decrypt stored key.\n");
+        return null;
+      }
+      const decrypted = decryptWithMachineKey(content, machineKey);
+      if (!decrypted) {
+        process.stderr.write(
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase during setup: exe-os setup\n"
+        );
+        return null;
+      }
+      b64Value = decrypted;
+    } else {
+      b64Value = content;
+    }
+    const key = Buffer.from(b64Value, "base64");
+    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+      return key;
+    }
+    const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
+    if (migrated) {
+      process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
       try {
-        const client = getClient();
-        await client.execute({
-          sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('last_roster_push_version', ?)",
-          args: [String(blob.version)]
-        });
+        await unlink(keyPath);
+        process.stderr.write("[keychain] Removed legacy master.key file after native keychain migration.\n");
       } catch {
       }
-    }
-    return resp.ok;
-  } catch (err) {
-    process.stderr.write(`[cloud-sync] ROSTER PUSH FAILED: ${err instanceof Error ? err.message : String(err)}
-`);
-    return false;
-  }
-}
-async function cloudPullRoster(config) {
-  assertSecureEndpoint(config.endpoint);
-  try {
-    const resp = await fetchWithRetry(`${config.endpoint}/sync/pull-roster`, {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${config.apiKey}`,
-        "X-Device-Id": loadDeviceId()
+    } else if (!content.startsWith(ENCRYPTED_PREFIX)) {
+      const fallback = await writeMachineBoundFileFallback(b64Value);
+      if (fallback === "encrypted") {
+        process.stderr.write("[keychain] Upgraded legacy plaintext master.key to machine-bound encrypted fallback.\n");
+      } else {
+        process.stderr.write(
+          "[keychain] WARNING: Could not encrypt legacy master.key \u2014 plaintext fallback remains.\n"
+        );
       }
-    });
-    if (!resp.ok) return { added: 0 };
-    const data = await resp.json();
-    if (!data.blob) return { added: 0 };
-    const compressed = decryptSyncBlob(data.blob);
-    const json = decompress(compressed).toString("utf8");
-    const remote = JSON.parse(json);
-    return mergeRosterFromRemote(remote);
+    }
+    return key;
   } catch (err) {
-    process.stderr.write(`[cloud-sync] ROSTER PULL FAILED: ${err instanceof Error ? err.message : String(err)}
-`);
-    return { added: 0 };
+    process.stderr.write(
+      `[keychain] Key read failed at ${keyPath}: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+    return null;
   }
 }
-function mergeConfig(remoteConfig, configPath) {
-  const cfgPath = configPath ?? path10.join(EXE_AI_DIR, "config.json");
-  let local = {};
-  if (existsSync10(cfgPath)) {
-    try {
-      local = JSON.parse(readFileSync7(cfgPath, "utf-8"));
-    } catch {
-    }
-  }
-  const merged = { ...remoteConfig, ...local };
-  const dir = path10.dirname(cfgPath);
-  ensurePrivateDirSync(dir);
-  writeFileSync5(cfgPath, JSON.stringify(merged, null, 2), "utf-8");
-  enforcePrivateFileSync(cfgPath);
-}
-async function mergeRosterFromRemote(remote, paths) {
-  return withRosterLock(async () => {
-    const rosterPath = paths?.rosterPath ?? void 0;
-    const identityDir = paths?.identityDir ?? path10.join(EXE_AI_DIR, "identity");
-    const localEmployees = await loadEmployees(rosterPath);
-    const localNames = new Set(localEmployees.map((e) => e.name));
-    let added = 0;
-    let identitiesUpdated = 0;
-    for (const remoteEmp of remote.roster) {
-      if (!localNames.has(remoteEmp.name)) {
-        localEmployees.push(remoteEmp);
-        localNames.add(remoteEmp.name);
-        added++;
-        try {
-          registerBinSymlinks(remoteEmp.name);
-        } catch {
-        }
-      }
-      const lookupKey = `${remoteEmp.name}.md`;
-      const matchedKey = Object.keys(remote.identities).find(
-        (k) => k.toLowerCase() === lookupKey.toLowerCase()
-      ) ?? lookupKey;
-      const remoteIdentity = remote.identities[matchedKey];
-      if (remoteIdentity) {
-        if (!existsSync10(identityDir)) mkdirSync5(identityDir, { recursive: true });
-        const idPath = path10.join(identityDir, `${remoteEmp.name}.md`);
-        let localIdentity = null;
+
+// src/lib/store.ts
+init_config();
+
+// src/lib/state-bus.ts
+var StateBus = class {
+  handlers = /* @__PURE__ */ new Map();
+  globalHandlers = /* @__PURE__ */ new Set();
+  /** Emit an event to all subscribers */
+  emit(event) {
+    const typeHandlers = this.handlers.get(event.type);
+    if (typeHandlers) {
+      for (const handler of typeHandlers) {
         try {
-          localIdentity = existsSync10(idPath) ? readFileSync7(idPath, "utf-8") : null;
+          handler(event);
         } catch {
         }
-        if (localIdentity !== remoteIdentity) {
-          writeFileSync5(idPath, remoteIdentity, "utf-8");
-          identitiesUpdated++;
-        }
       }
     }
-    let removed = 0;
-    if (remote.deletedNames && remote.deletedNames.length > 0) {
-      const toRemove = new Set(remote.deletedNames);
-      const filtered = localEmployees.filter((e) => !toRemove.has(e.name));
-      removed = localEmployees.length - filtered.length;
-      if (removed > 0) {
-        localEmployees.length = 0;
-        localEmployees.push(...filtered);
-      }
-    }
-    if (added > 0 || removed > 0) {
-      await saveEmployees(localEmployees, rosterPath);
-    }
-    if (remote.config && Object.keys(remote.config).length > 0) {
+    for (const handler of this.globalHandlers) {
       try {
-        mergeConfig(remote.config, paths?.configPath);
+        handler(event);
       } catch {
       }
     }
-    if (remote.agentConfig && Object.keys(remote.agentConfig).length > 0) {
-      try {
-        const agentConfigPath = path10.join(EXE_AI_DIR, "agent-config.json");
-        let local = {};
-        if (existsSync10(agentConfigPath)) {
-          try {
-            local = JSON.parse(readFileSync7(agentConfigPath, "utf-8"));
-          } catch {
-          }
-        }
-        const merged = { ...remote.agentConfig, ...local };
-        ensurePrivateDirSync(path10.dirname(agentConfigPath));
-        writeFileSync5(agentConfigPath, JSON.stringify(merged, null, 2) + "\n", "utf-8");
-        enforcePrivateFileSync(agentConfigPath);
-      } catch {
-      }
+  }
+  /** Subscribe to a specific event type */
+  on(type, handler) {
+    if (!this.handlers.has(type)) {
+      this.handlers.set(type, /* @__PURE__ */ new Set());
     }
-    return { added, identitiesUpdated };
-  });
+    this.handlers.get(type).add(handler);
+  }
+  /** Subscribe to ALL events */
+  onAny(handler) {
+    this.globalHandlers.add(handler);
+  }
+  /** Unsubscribe from a specific event type */
+  off(type, handler) {
+    this.handlers.get(type)?.delete(handler);
+  }
+  /** Unsubscribe from ALL events */
+  offAny(handler) {
+    this.globalHandlers.delete(handler);
+  }
+  /** Remove all listeners */
+  clear() {
+    this.handlers.clear();
+    this.globalHandlers.clear();
+  }
+};
+var orgBus = new StateBus();
+
+// src/lib/memory-write-governor.ts
+import { createHash } from "crypto";
+
+// src/lib/store.ts
+var INIT_MAX_RETRIES = 3;
+var INIT_RETRY_DELAY_MS = 1e3;
+function isBusyError2(err) {
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    return msg.includes("sqlite_busy") || msg.includes("database is locked");
+  }
+  return false;
 }
-async function cloudPushBlob(route, data, metaKey, config) {
-  if (data.length === 0) return { ok: true };
-  assertSecureEndpoint(config.endpoint);
-  const json = JSON.stringify(data);
-  const version = Buffer.from(json).length;
+async function retryOnBusy2(fn, label) {
+  for (let attempt = 0; attempt <= INIT_MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      if (!isBusyError2(err) || attempt === INIT_MAX_RETRIES) throw err;
+      process.stderr.write(
+        `[store] SQLITE_BUSY during ${label}, retry ${attempt + 1}/${INIT_MAX_RETRIES}
+`
+      );
+      await new Promise((r) => setTimeout(r, INIT_RETRY_DELAY_MS * (attempt + 1)));
+    }
+  }
+  throw new Error("unreachable");
+}
+var _pendingRecords = [];
+var _batchSize = 20;
+var _flushIntervalMs = 1e4;
+var _flushTimer = null;
+var _flushing = false;
+var _nextVersion = 1;
+async function initStore(options) {
+  if (_flushTimer !== null) {
+    clearInterval(_flushTimer);
+    _flushTimer = null;
+  }
+  _pendingRecords = [];
+  _flushing = false;
+  _batchSize = options?.batchSize ?? 20;
+  _flushIntervalMs = options?.flushIntervalMs ?? 1e4;
+  let dbPath = options?.dbPath;
+  if (!dbPath) {
+    const config = await loadConfig();
+    dbPath = config.dbPath;
+  }
+  let masterKey = options?.masterKey ?? null;
+  if (!masterKey) {
+    masterKey = await getMasterKey();
+    if (!masterKey) {
+      throw new Error(
+        "No encryption key found. Run /exe-setup to generate one."
+      );
+    }
+  }
+  const hexKey = masterKey.toString("hex");
+  await initTurso({
+    dbPath,
+    encryptionKey: hexKey
+  });
+  await retryOnBusy2(() => ensureSchema(), "ensureSchema");
   try {
-    const client = getClient();
-    const meta = await client.execute({
-      sql: "SELECT value FROM sync_meta WHERE key = ?",
-      args: [metaKey]
-    });
-    const lastVersion = meta.rows.length > 0 ? Number(meta.rows[0].value) : 0;
-    if (version === lastVersion) return { ok: true };
+    const { initDaemonClient: initDaemonClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+    await initDaemonClient2();
   } catch {
   }
-  try {
-    const compressed = compress(Buffer.from(json, "utf8"));
-    const encrypted = encryptSyncBlob(compressed);
-    const resp = await fetchWithRetry(`${config.endpoint}${route}`, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${config.apiKey}`,
-        "Content-Type": "application/json",
-        "X-Device-Id": loadDeviceId()
-      },
-      body: JSON.stringify({ blob: encrypted })
-    });
-    if (resp.ok) {
-      try {
-        const client = getClient();
-        await client.execute({
-          sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES (?, ?)",
-          args: [metaKey, String(version)]
-        });
-      } catch {
-      }
+  if (!options?.lightweight) {
+    try {
+      const { initShardManager: initShardManager2 } = await Promise.resolve().then(() => (init_shard_manager(), shard_manager_exports));
+      initShardManager2(hexKey);
+    } catch {
+    }
+    const client = getClient();
+    const vResult = await retryOnBusy2(
+      () => client.execute("SELECT MAX(version) as max_v FROM memories"),
+      "version-query"
+    );
+    _nextVersion = (Number(vResult.rows[0]?.max_v) || 0) + 1;
+    try {
+      const { loadGlobalProcedures: loadGlobalProcedures2 } = await Promise.resolve().then(() => (init_global_procedures(), global_procedures_exports));
+      await loadGlobalProcedures2();
+    } catch {
     }
-    return { ok: resp.ok };
-  } catch (err) {
-    logError(`[cloud-sync] PUSH ${route}: ${err instanceof Error ? err.message : String(err)}`);
-    return { ok: false };
   }
 }
-async function cloudPullBlob(route, config) {
-  assertSecureEndpoint(config.endpoint);
+
+// src/bin/agentic-semantic-label.ts
+init_database();
+init_agentic_ontology();
+
+// src/lib/agentic-llm-labeler.ts
+init_agentic_ontology();
+import OpenAI from "openai";
+function jsonFromText(text) {
+  const trimmed = text.trim().replace(/^```json\s*/i, "").replace(/^```\s*/i, "").replace(/```$/i, "").trim();
   try {
-    const resp = await fetchWithRetry(`${config.endpoint}${route}`, {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${config.apiKey}`,
-        "X-Device-Id": loadDeviceId()
-      }
-    });
-    if (!resp.ok) return null;
-    const data = await resp.json();
-    if (!data.blob) return null;
-    const compressed = decryptSyncBlob(data.blob);
-    const json = decompress(compressed).toString("utf8");
-    return JSON.parse(json);
-  } catch (err) {
-    logError(`[cloud-sync] PULL ${route}: ${err instanceof Error ? err.message : String(err)}`);
+    return JSON.parse(trimmed);
+  } catch {
     return null;
   }
 }
-async function cloudPushGlobalProcedures(config) {
-  const client = getClient();
-  const result = await client.execute("SELECT * FROM company_procedures LIMIT 1000");
-  const rows = result.rows;
-  const { ok } = await cloudPushBlob(
-    "/sync/push-global-procedures",
-    rows,
-    "last_company_procedures_push_version",
-    config
-  );
-  return ok;
-}
-async function cloudPullGlobalProcedures(config) {
-  const remoteProcs = await cloudPullBlob(
-    "/sync/pull-global-procedures",
-    config
-  );
-  if (!remoteProcs || remoteProcs.length === 0) return { pulled: 0 };
-  const client = getClient();
-  const stmts = remoteProcs.map((p) => ({
-    sql: `INSERT INTO company_procedures
-          (id, title, content, priority, domain, active, created_at, updated_at)
-          VALUES (?, ?, ?, ?, ?, ?, ?, ?)
-          ON CONFLICT(id) DO UPDATE SET
-            title = excluded.title,
-            content = excluded.content,
-            priority = excluded.priority,
-            domain = excluded.domain,
-            active = excluded.active,
-            updated_at = excluded.updated_at
-          WHERE excluded.updated_at > company_procedures.updated_at`,
-    args: [
-      sqlSafe(p.id),
-      sqlSafe(p.title),
-      sqlSafe(p.content),
-      sqlSafe(p.priority ?? "p0"),
-      sqlSafe(p.domain),
-      sqlSafe(p.active ?? 1),
-      sqlSafe(p.created_at),
-      sqlSafe(p.updated_at)
-    ]
-  }));
-  await client.batch(stmts, "write");
-  return { pulled: remoteProcs.length };
-}
-async function cloudPushBehaviors(config) {
-  const client = getClient();
-  const result = await client.execute("SELECT * FROM behaviors LIMIT 10000");
-  const rows = result.rows;
-  const { ok } = await cloudPushBlob(
-    "/sync/push-behaviors",
-    rows,
-    "last_behaviors_push_version",
-    config
-  );
-  return ok;
-}
-async function cloudPullBehaviors(config) {
-  const remoteBehaviors = await cloudPullBlob(
-    "/sync/pull-behaviors",
-    config
-  );
-  if (!remoteBehaviors || remoteBehaviors.length === 0) return { pulled: 0 };
-  const client = getClient();
-  let pulled = 0;
-  for (const behavior of remoteBehaviors) {
-    const existing = await client.execute({
-      sql: `SELECT COUNT(*) as cnt FROM behaviors
-            WHERE agent_id = ? AND content = ?`,
-      args: [sqlSafe(behavior.agent_id), sqlSafe(behavior.content)]
-    });
-    if (Number(existing.rows[0]?.cnt) > 0) continue;
-    await client.execute({
-      sql: `INSERT OR IGNORE INTO behaviors
-            (id, agent_id, project_name, domain, content, active, priority, created_at, updated_at)
-            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-      args: [
-        sqlSafe(behavior.id),
-        sqlSafe(behavior.agent_id),
-        sqlSafe(behavior.project_name),
-        sqlSafe(behavior.domain),
-        sqlSafe(behavior.content),
-        sqlSafe(behavior.active ?? 1),
-        sqlSafe(behavior.priority ?? "p1"),
-        sqlSafe(behavior.created_at),
-        sqlSafe(behavior.updated_at)
-      ]
-    });
-    pulled++;
-  }
-  return { pulled };
+function stringArray(value, max = 6) {
+  if (!Array.isArray(value)) return [];
+  return value.map(String).map((v) => clean(v, 220)).filter(Boolean).slice(0, max);
 }
-async function cloudPushGraphRAG(config) {
-  const client = getClient();
-  const [entities, relationships, aliases, entityMems, relMems, hyperedges, hyperedgeNodes] = await Promise.all([
-    client.execute("SELECT * FROM entities LIMIT 50000"),
-    client.execute("SELECT * FROM relationships LIMIT 50000"),
-    client.execute("SELECT * FROM entity_aliases LIMIT 50000"),
-    client.execute("SELECT * FROM entity_memories LIMIT 50000"),
-    client.execute("SELECT * FROM relationship_memories LIMIT 50000"),
-    client.execute("SELECT * FROM hyperedges LIMIT 50000"),
-    client.execute("SELECT * FROM hyperedge_nodes LIMIT 50000")
-  ]);
-  const blob = {
-    entities: entities.rows,
-    relationships: relationships.rows,
-    entity_aliases: aliases.rows,
-    entity_memories: entityMems.rows,
-    relationship_memories: relMems.rows,
-    hyperedges: hyperedges.rows,
-    hyperedge_nodes: hyperedgeNodes.rows
+function normalizeLlmLabel(raw, fallback) {
+  const impact = ["positive", "negative", "neutral", "mixed"].includes(String(raw.impact)) ? String(raw.impact) : fallback.impact;
+  const confidenceRaw = Number(raw.confidence ?? fallback.confidence);
+  return {
+    labeler: "llm",
+    schemaVersion: 1,
+    eventType: String(raw.eventType ?? fallback.eventType),
+    intention: raw.intention == null ? fallback.intention : clean(String(raw.intention), 260),
+    outcome: raw.outcome == null ? fallback.outcome : clean(String(raw.outcome), 260),
+    impact,
+    confidence: Number.isFinite(confidenceRaw) ? Math.max(0, Math.min(1, confidenceRaw)) : fallback.confidence,
+    goals: stringArray(raw.goals).length ? stringArray(raw.goals) : fallback.goals,
+    milestones: stringArray(raw.milestones).length ? stringArray(raw.milestones) : fallback.milestones,
+    problems: stringArray(raw.problems).length ? stringArray(raw.problems) : fallback.problems,
+    decisions: stringArray(raw.decisions).length ? stringArray(raw.decisions) : fallback.decisions,
+    actors: stringArray(raw.actors).length ? stringArray(raw.actors) : fallback.actors,
+    temporalAnchors: stringArray(raw.temporalAnchors, 10).length ? stringArray(raw.temporalAnchors, 10) : fallback.temporalAnchors,
+    successSignals: stringArray(raw.successSignals).length ? stringArray(raw.successSignals) : fallback.successSignals,
+    failureSignals: stringArray(raw.failureSignals).length ? stringArray(raw.failureSignals) : fallback.failureSignals,
+    nextActions: stringArray(raw.nextActions).length ? stringArray(raw.nextActions) : fallback.nextActions,
+    summary: clean(String(raw.summary ?? fallback.summary), 360)
   };
-  const { ok } = await cloudPushBlob(
-    "/sync/push-graphrag",
-    [blob],
-    "last_graphrag_push_version",
-    config
-  );
-  return ok;
-}
-async function cloudPullGraphRAG(config) {
-  const data = await cloudPullBlob(
-    "/sync/pull-graphrag",
-    config
-  );
-  if (!data || data.length === 0) return { pulled: 0 };
-  const blob = data[0];
-  const client = getClient();
-  let pulled = 0;
-  if (blob.entities.length > 0) {
-    const stmts = blob.entities.map((e) => ({
-      sql: `INSERT OR IGNORE INTO entities (id, name, type, first_seen, last_seen, properties)
-            VALUES (?, ?, ?, ?, ?, ?)`,
-      args: [sqlSafe(e.id), sqlSafe(e.name), sqlSafe(e.type), sqlSafe(e.first_seen), sqlSafe(e.last_seen), sqlSafe(e.properties ?? "{}")]
-    }));
-    await client.batch(stmts, "write");
-    pulled += stmts.length;
-  }
-  if (blob.relationships.length > 0) {
-    const stmts = blob.relationships.map((r) => ({
-      sql: `INSERT OR IGNORE INTO relationships
-            (id, source_entity_id, target_entity_id, type, weight, timestamp, properties, confidence, confidence_label)
-            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-      args: [
-        sqlSafe(r.id),
-        sqlSafe(r.source_entity_id),
-        sqlSafe(r.target_entity_id),
-        sqlSafe(r.type),
-        sqlSafe(r.weight ?? 1),
-        sqlSafe(r.timestamp),
-        sqlSafe(r.properties ?? "{}"),
-        sqlSafe(r.confidence ?? 1),
-        sqlSafe(r.confidence_label ?? "extracted")
-      ]
-    }));
-    await client.batch(stmts, "write");
-    pulled += stmts.length;
-  }
-  if (blob.entity_aliases.length > 0) {
-    const stmts = blob.entity_aliases.map((a) => ({
-      sql: `INSERT OR IGNORE INTO entity_aliases (alias, canonical_entity_id) VALUES (?, ?)`,
-      args: [sqlSafe(a.alias), sqlSafe(a.canonical_entity_id)]
-    }));
-    await client.batch(stmts, "write");
-    pulled += stmts.length;
-  }
-  if (blob.entity_memories.length > 0) {
-    const stmts = blob.entity_memories.map((em) => ({
-      sql: `INSERT OR IGNORE INTO entity_memories (entity_id, memory_id) VALUES (?, ?)`,
-      args: [sqlSafe(em.entity_id), sqlSafe(em.memory_id)]
-    }));
-    await client.batch(stmts, "write");
-    pulled += stmts.length;
-  }
-  if (blob.relationship_memories.length > 0) {
-    const stmts = blob.relationship_memories.map((rm) => ({
-      sql: `INSERT OR IGNORE INTO relationship_memories (relationship_id, memory_id) VALUES (?, ?)`,
-      args: [sqlSafe(rm.relationship_id), sqlSafe(rm.memory_id)]
-    }));
-    await client.batch(stmts, "write");
-    pulled += stmts.length;
-  }
-  if (blob.hyperedges.length > 0) {
-    const stmts = blob.hyperedges.map((h) => ({
-      sql: `INSERT OR IGNORE INTO hyperedges (id, label, relation, confidence, timestamp)
-            VALUES (?, ?, ?, ?, ?)`,
-      args: [sqlSafe(h.id), sqlSafe(h.label), sqlSafe(h.relation), sqlSafe(h.confidence ?? 1), sqlSafe(h.timestamp)]
-    }));
-    await client.batch(stmts, "write");
-    pulled += stmts.length;
-  }
-  if (blob.hyperedge_nodes.length > 0) {
-    const stmts = blob.hyperedge_nodes.map((hn) => ({
-      sql: `INSERT OR IGNORE INTO hyperedge_nodes (hyperedge_id, entity_id) VALUES (?, ?)`,
-      args: [sqlSafe(hn.hyperedge_id), sqlSafe(hn.entity_id)]
-    }));
-    await client.batch(stmts, "write");
-    pulled += stmts.length;
-  }
-  return { pulled };
-}
-async function cloudPushTasks(config) {
-  const client = getClient();
-  const result = await client.execute("SELECT * FROM tasks LIMIT 10000");
-  const rows = result.rows;
-  const { ok } = await cloudPushBlob(
-    "/sync/push-tasks",
-    rows,
-    "last_tasks_push_version",
-    config
-  );
-  return ok;
-}
-async function cloudPullTasks(config) {
-  const remoteTasks = await cloudPullBlob(
-    "/sync/pull-tasks",
-    config
-  );
-  if (!remoteTasks || remoteTasks.length === 0) return { pulled: 0 };
-  const client = getClient();
-  const stmts = remoteTasks.map((t) => ({
-    sql: `INSERT OR IGNORE INTO tasks
-          (id, title, assigned_to, assigned_by, project_name, priority, status, task_file, created_at, updated_at,
-           blocked_by, parent_task_id, budget_tokens, budget_fallback_model, tokens_used, tokens_warned_at)
-          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-    args: [
-      sqlSafe(t.id),
-      sqlSafe(t.title),
-      sqlSafe(t.assigned_to),
-      sqlSafe(t.assigned_by),
-      sqlSafe(t.project_name),
-      sqlSafe(t.priority ?? "p1"),
-      sqlSafe(t.status ?? "open"),
-      sqlSafe(t.task_file),
-      sqlSafe(t.created_at),
-      sqlSafe(t.updated_at),
-      sqlSafe(t.blocked_by),
-      sqlSafe(t.parent_task_id),
-      sqlSafe(t.budget_tokens),
-      sqlSafe(t.budget_fallback_model),
-      sqlSafe(t.tokens_used ?? 0),
-      sqlSafe(t.tokens_warned_at)
-    ]
-  }));
-  await client.batch(stmts, "write");
-  return { pulled: remoteTasks.length };
-}
-async function cloudPushConversations(config) {
-  const client = getClient();
-  const result = await client.execute("SELECT * FROM conversations LIMIT 50000");
-  const rows = result.rows;
-  const { ok } = await cloudPushBlob(
-    "/sync/push-conversations",
-    rows,
-    "last_conversations_push_version",
-    config
-  );
-  return ok;
-}
-async function cloudPullConversations(config) {
-  const remoteConvos = await cloudPullBlob(
-    "/sync/pull-conversations",
-    config
-  );
-  if (!remoteConvos || remoteConvos.length === 0) return { pulled: 0 };
-  const client = getClient();
-  const stmts = remoteConvos.map((c) => ({
-    sql: `INSERT OR IGNORE INTO conversations
-          (id, platform, external_id, sender_id, sender_name, sender_phone, sender_email,
-           recipient_id, channel_id, thread_id, reply_to_id, content_text, content_media,
-           content_metadata, agent_response, agent_name, timestamp, ingested_at)
-          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-    args: [
-      sqlSafe(c.id),
-      sqlSafe(c.platform),
-      sqlSafe(c.external_id),
-      sqlSafe(c.sender_id),
-      sqlSafe(c.sender_name),
-      sqlSafe(c.sender_phone),
-      sqlSafe(c.sender_email),
-      sqlSafe(c.recipient_id),
-      sqlSafe(c.channel_id),
-      sqlSafe(c.thread_id),
-      sqlSafe(c.reply_to_id),
-      sqlSafe(c.content_text),
-      sqlSafe(c.content_media),
-      sqlSafe(c.content_metadata),
-      sqlSafe(c.agent_response),
-      sqlSafe(c.agent_name),
-      sqlSafe(c.timestamp),
-      sqlSafe(c.ingested_at)
-    ]
-  }));
-  await client.batch(stmts, "write");
-  return { pulled: remoteConvos.length };
 }
-async function cloudPushDocuments(config) {
-  const client = getClient();
-  const [workspaces, documents] = await Promise.all([
-    client.execute("SELECT * FROM workspaces LIMIT 1000"),
-    client.execute("SELECT * FROM documents LIMIT 10000")
-  ]);
-  const blob = {
-    workspaces: workspaces.rows,
-    documents: documents.rows
-  };
-  const { ok } = await cloudPushBlob(
-    "/sync/push-documents",
-    [blob],
-    "last_documents_push_version",
-    config
-  );
-  return ok;
-}
-async function cloudPullDocuments(config) {
-  const data = await cloudPullBlob(
-    "/sync/pull-documents",
-    config
-  );
-  if (!data || data.length === 0) return { pulled: 0 };
-  const blob = data[0];
-  const client = getClient();
-  let pulled = 0;
-  if (blob.workspaces.length > 0) {
-    const stmts = blob.workspaces.map((w) => ({
-      sql: `INSERT OR IGNORE INTO workspaces (id, slug, name, owner_agent_id, created_at, metadata)
-            VALUES (?, ?, ?, ?, ?, ?)`,
-      args: [sqlSafe(w.id), sqlSafe(w.slug), sqlSafe(w.name), sqlSafe(w.owner_agent_id), sqlSafe(w.created_at), sqlSafe(w.metadata)]
-    }));
-    await client.batch(stmts, "write");
-    pulled += stmts.length;
-  }
-  if (blob.documents.length > 0) {
-    const stmts = blob.documents.map((d) => ({
-      sql: `INSERT OR IGNORE INTO documents
-            (id, workspace_id, filename, mime, source_type, user_id, uploaded_at, metadata)
-            VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
-      args: [
-        sqlSafe(d.id),
-        sqlSafe(d.workspace_id),
-        sqlSafe(d.filename),
-        sqlSafe(d.mime),
-        sqlSafe(d.source_type),
-        sqlSafe(d.user_id),
-        sqlSafe(d.uploaded_at),
-        sqlSafe(d.metadata)
-      ]
-    }));
-    await client.batch(stmts, "write");
-    pulled += stmts.length;
-  }
-  return { pulled };
-}
-var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, ROSTER_DELETIONS_PATH;
-var init_cloud_sync = __esm({
-  "src/lib/cloud-sync.ts"() {
-    "use strict";
-    init_database();
-    init_crypto();
-    init_compress();
-    init_license();
-    init_config();
-    init_crdt_sync();
-    init_employees();
-    init_secure_files();
-    LOCALHOST_PATTERNS = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
-    FETCH_TIMEOUT_MS = 3e4;
-    PUSH_BATCH_SIZE = 5e3;
-    ROSTER_LOCK_PATH = path10.join(EXE_AI_DIR, "roster-merge.lock");
-    LOCK_STALE_MS = 3e4;
-    _pgPromise = null;
-    _pgFailed = false;
-    ROSTER_DELETIONS_PATH = path10.join(EXE_AI_DIR, "roster-deletions.json");
-  }
-});
+async function labelMemoryWithLlm(row, opts = {}) {
+  const fallback = inferSemanticLabel(row);
+  const apiKey = opts.apiKey ?? process.env.OPENAI_API_KEY ?? process.env.API_ROUTER_KEY;
+  const baseURL = opts.baseUrl ?? process.env.OPENAI_BASE_URL ?? process.env.API_ROUTER_URL;
+  const model = opts.model ?? process.env.EXE_AGENTIC_LABEL_MODEL;
+  if (!apiKey || !model) return fallback;
+  const client = new OpenAI({ apiKey, baseURL: baseURL || void 0 });
+  const prompt = `Label this agent-memory event for agentic memory. Return ONLY valid JSON with keys:
+{
+  "eventType": "tool_action|milestone|problem|error|decision|goal_signal|memory_observation|memory_card",
+  "intention": string|null,
+  "outcome": string|null,
+  "impact": "positive|negative|neutral|mixed",
+  "confidence": number between 0 and 1,
+  "goals": string[],
+  "milestones": string[],
+  "problems": string[],
+  "decisions": string[],
+  "actors": string[],
+  "temporalAnchors": string[],
+  "successSignals": string[],
+  "failureSignals": string[],
+  "nextActions": string[],
+  "summary": string
+}
+Focus on explicit goals, chronology, intended action, actual outcome, and whether the event moved the goal forward.
 
-// src/bin/exe-link.ts
-init_keychain();
-import { createInterface } from "readline";
-
-// src/lib/is-main.ts
-import { realpathSync } from "fs";
-import { fileURLToPath } from "url";
-function isMainModule(importMetaUrl) {
-  if (process.argv[1] == null) return false;
-  if (process.argv[1].includes("mcp/server")) return false;
+Metadata: ${JSON.stringify({ agent_id: row.agent_id, role: row.agent_role, project: row.project_name, session: row.session_id, timestamp: row.timestamp, tool: row.tool_name, has_error: row.has_error })}
+Text: ${clean(row.raw_text, 5e3)}`;
   try {
-    const scriptPath = realpathSync(process.argv[1]);
-    const modulePath = realpathSync(fileURLToPath(importMetaUrl));
-    return scriptPath === modulePath;
+    const response = await client.chat.completions.create({
+      model,
+      messages: [
+        { role: "system", content: "You are a precise ontology labeler. Output compact JSON only." },
+        { role: "user", content: prompt }
+      ],
+      max_tokens: opts.maxTokens ?? 900,
+      response_format: { type: "json_object" }
+    });
+    const raw = jsonFromText(response.choices[0]?.message?.content ?? "");
+    return raw ? normalizeLlmLabel(raw, fallback) : fallback;
   } catch {
-    return importMetaUrl === `file://${process.argv[1]}` || importMetaUrl === new URL(process.argv[1], "file://").href;
+    return fallback;
   }
 }
-
-// src/bin/exe-link.ts
-async function main() {
-  const mode = process.argv[2];
-  if (mode === "export") {
-    const key = await getMasterKey();
-    if (!key) {
-      console.error("No master key found. Run /exe-setup first.");
-      process.exit(1);
-    }
-    const mnemonic = await exportMnemonic(key);
-    console.log("Your 24-word recovery phrase:\n");
-    const showFull = process.argv.includes("--show-full");
-    if (showFull) {
-      console.log(`  ${mnemonic}
-`);
-    } else {
-      const words = mnemonic.split(" ");
-      const masked = words.length > 4 ? [...words.slice(0, 2), ...words.slice(2, -2).map(() => "****"), ...words.slice(-2)].join(" ") : mnemonic;
-      console.log(`  ${masked}
-`);
-      console.log("To reveal full phrase: run with --show-full\n");
-    }
-    console.log("Write this down and enter it on your new device with /exe-link import.");
-    console.log("Anyone with this phrase can decrypt your memories.");
-    console.log("\u26A0  Clear your terminal history after copying.");
-  } else if (mode === "import") {
-    const rl = createInterface({ input: process.stdin, output: process.stdout });
-    const mnemonic = await new Promise((resolve) => {
-      rl.question("Paste your 24-word recovery phrase: ", (answer) => {
-        rl.close();
-        resolve(answer.trim());
-      });
+async function resolveClient(client) {
+  if (client) return client;
+  const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+  return getClient2();
+}
+async function upsertSemanticLabel(row, label, client) {
+  const db = await resolveClient(client);
+  const eventId = stableId("event", row.id);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.execute({
+    sql: `INSERT INTO agent_semantic_labels
+      (id, source_memory_id, event_id, labeler, schema_version, confidence, labels, created_at, updated_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(id) DO UPDATE SET confidence = excluded.confidence, labels = excluded.labels,
+        updated_at = excluded.updated_at`,
+    args: [
+      stableId("semantic", row.id, label.labeler, label.schemaVersion),
+      row.id,
+      eventId,
+      label.labeler,
+      label.schemaVersion,
+      label.confidence,
+      JSON.stringify(label),
+      now,
+      now
+    ]
+  });
+  if (label.labeler === "llm") {
+    await db.execute({
+      sql: `UPDATE agent_events SET intention = COALESCE(?, intention), outcome = COALESCE(?, outcome),
+            impact = COALESCE(?, impact)
+            WHERE id = ?`,
+      args: [label.intention, label.outcome, label.impact, eventId]
     });
-    try {
-      const key = await importMnemonic(mnemonic);
-      await setMasterKey(key);
-      console.log("Master key imported and stored securely.");
-      try {
-        const { loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-        const { initSyncCrypto: initSyncCrypto2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
-        const { cloudPullRoster: cloudPullRoster2 } = await Promise.resolve().then(() => (init_cloud_sync(), cloud_sync_exports));
-        const config = await loadConfig2();
-        if (config.cloud?.apiKey && config.cloud?.endpoint) {
-          initSyncCrypto2(key);
-          const result = await cloudPullRoster2({ apiKey: config.cloud.apiKey, endpoint: config.cloud.endpoint });
-          if (result.added > 0) {
-            console.log(`Pulled ${result.added} employee(s) from Exe Cloud.`);
-          }
-        }
-      } catch {
-      }
-      console.log("Run /exe-setup to configure sync and download the embedding model.");
-    } catch (err) {
-      console.error(err instanceof Error ? err.message : String(err));
-      process.exit(1);
-    }
-  } else {
-    console.error("Usage:");
-    console.error("  exe-link export   \u2014 show 24-word mnemonic for current key");
-    console.error("  exe-link import   \u2014 paste mnemonic to import key on new device");
-    process.exit(1);
   }
 }
-if (isMainModule(import.meta.url)) {
-  main().catch((err) => {
-    console.error(err instanceof Error ? err.message : String(err));
-    process.exit(1);
+
+// src/bin/agentic-semantic-label.ts
+function arg(name) {
+  const i = process.argv.indexOf(name);
+  return i >= 0 ? process.argv[i + 1] : void 0;
+}
+async function main() {
+  const limit = Number(arg("--limit") ?? "100");
+  const project = arg("--project");
+  const llm = process.argv.includes("--llm");
+  await initStore();
+  const db = getClient();
+  const where = project ? "WHERE project_name = ?" : "";
+  const rows = await db.execute({
+    sql: `SELECT id, agent_id, agent_role, session_id, timestamp, tool_name, project_name, has_error, raw_text,
+                 version, task_id, intent, outcome, domain, trajectory
+          FROM memories ${where}
+          ORDER BY timestamp DESC
+          LIMIT ?`,
+    args: project ? [project, limit] : [limit]
   });
+  let count = 0;
+  for (const row of rows.rows) {
+    const label = llm ? await labelMemoryWithLlm(row) : inferSemanticLabel(row);
+    await upsertSemanticLabel(row, label, db);
+    count++;
+    if (count % 25 === 0) process.stderr.write(`[agentic-semantic-label] labeled ${count}
+`);
+  }
+  process.stderr.write(`[agentic-semantic-label] Complete: ${count} memories labeled (${llm ? "llm-if-configured" : "deterministic"}).
+`);
+  process.exit(0);
 }
-export {
-  main
-};
+main().catch((err) => {
+  process.stderr.write(`[agentic-semantic-label] FATAL: ${err instanceof Error ? err.message : String(err)}
+`);
+  process.exit(1);
+});