@askexenow/exe-os 0.9.65 → 0.9.67

package/dist/bin/setup.js

@@ -139,6 +139,11 @@ function normalizeAutoUpdate(raw) {
   const userAU = raw.autoUpdate ?? {};
   raw.autoUpdate = { ...defaultAU, ...userAU };
 }
+function normalizeOrchestration(raw) {
+  const defaultOrg = DEFAULT_CONFIG.orchestration;
+  const userOrg = raw.orchestration ?? {};
+  raw.orchestration = { ...defaultOrg, ...userOrg };
+}
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   await ensurePrivateDir(dir);
@@ -163,10 +168,15 @@ async function loadConfig() {
     normalizeScalingRoadmap(migratedCfg);
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
+    normalizeOrchestration(migratedCfg);
     const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
     if (config.dbPath.startsWith("~")) {
       config.dbPath = config.dbPath.replace(/^~/, os.homedir());
     }
+    const envDbPath = path.join(dir, "memories.db");
+    if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
+      config.dbPath = envDbPath;
+    }
     return config;
   } catch {
     return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
@@ -186,7 +196,16 @@ function loadConfigSync() {
     normalizeScalingRoadmap(migratedCfg);
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
-    return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
+    normalizeOrchestration(migratedCfg);
+    const config = { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db"), ...migratedCfg };
+    if (config.dbPath.startsWith("~")) {
+      config.dbPath = config.dbPath.replace(/^~/, os.homedir());
+    }
+    const envDbPath = path.join(dir, "memories.db");
+    if (process.env.EXE_OS_DIR && config.dbPath !== envDbPath && !existsSync2(config.dbPath) && existsSync2(envDbPath)) {
+      config.dbPath = envDbPath;
+    }
+    return config;
   } catch {
     return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
   }
@@ -207,6 +226,7 @@ async function loadConfigFrom(configPath) {
     normalizeScalingRoadmap(migratedCfg);
     normalizeSessionLifecycle(migratedCfg);
     normalizeAutoUpdate(migratedCfg);
+    normalizeOrchestration(migratedCfg);
     return { ...DEFAULT_CONFIG, ...migratedCfg };
   } catch {
     return { ...DEFAULT_CONFIG };
@@ -278,6 +298,10 @@ var init_config = __esm({
         checkOnBoot: true,
         autoInstall: false,
         checkIntervalMs: 24 * 60 * 60 * 1e3
+      },
+      orchestration: {
+        phase: "phase_1_coo",
+        phaseSetBy: "default"
       }
     };
     CONFIG_MIGRATIONS = [
@@ -298,12 +322,13 @@ var keychain_exports = {};
 __export(keychain_exports, {
   deleteMasterKey: () => deleteMasterKey,
   exportMnemonic: () => exportMnemonic,
+  getKeyStorageInfo: () => getKeyStorageInfo,
   getMasterKey: () => getMasterKey,
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
 import { readFile as readFile2, writeFile as writeFile2, unlink, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync3 } from "fs";
+import { existsSync as existsSync3, statSync } from "fs";
 import { execSync } from "child_process";
 import path2 from "path";
 import os2 from "os";
@@ -313,29 +338,65 @@ function getKeyDir() {
 function getKeyPath() {
   return path2.join(getKeyDir(), "master.key");
 }
-function macKeychainGet() {
+function nativeKeychainAllowed() {
+  return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
+}
+function linuxSecretAvailable() {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "linux") return false;
+  if (linuxSecretAvailability !== null) return linuxSecretAvailability;
+  try {
+    execSync("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
+  } catch {
+    linuxSecretAvailability = false;
+    return false;
+  }
+  try {
+    execSync("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
+    linuxSecretAvailability = true;
+  } catch {
+    linuxSecretAvailability = false;
+  }
+  return linuxSecretAvailability;
+}
+function isRootOnlyTrustedServerKeyFile(keyPath) {
+  if (process.platform !== "linux") return false;
+  try {
+    const uid = typeof os2.userInfo().uid === "number" ? os2.userInfo().uid : -1;
+    const st = statSync(keyPath);
+    if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    if (uid === 0) return true;
+    const exeOsDir = process.env.EXE_OS_DIR;
+    return Boolean(exeOsDir && path2.resolve(keyPath).startsWith(path2.resolve(exeOsDir) + path2.sep));
+  } catch {
+    return false;
+  }
+}
+function macKeychainGet(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return null;
   if (process.platform !== "darwin") return null;
   try {
     return execSync(
-      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
       { encoding: "utf-8", timeout: 5e3 }
     ).trim();
   } catch {
     return null;
   }
 }
-function macKeychainSet(value) {
+function macKeychainSet(value, service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "darwin") return false;
   try {
     try {
       execSync(
-        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
         { timeout: 5e3 }
       );
     } catch {
     }
     execSync(
-      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
       { timeout: 5e3 }
     );
     return true;
@@ -343,11 +404,12 @@ function macKeychainSet(value) {
     return false;
   }
 }
-function macKeychainDelete() {
+function macKeychainDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "darwin") return false;
   try {
     execSync(
-      `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+      `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -355,22 +417,22 @@ function macKeychainDelete() {
     return false;
   }
 }
-function linuxSecretGet() {
-  if (process.platform !== "linux") return null;
+function linuxSecretGet(service = SERVICE) {
+  if (!linuxSecretAvailable()) return null;
   try {
     return execSync(
-      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { encoding: "utf-8", timeout: 5e3 }
     ).trim();
   } catch {
     return null;
   }
 }
-function linuxSecretSet(value) {
-  if (process.platform !== "linux") return false;
+function linuxSecretSet(value, service = SERVICE) {
+  if (!linuxSecretAvailable()) return false;
   try {
     execSync(
-      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -378,11 +440,12 @@ function linuxSecretSet(value) {
     return false;
   }
 }
-function linuxSecretDelete() {
+function linuxSecretDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "linux") return false;
   try {
     execSync(
-      `secret-tool clear service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -391,6 +454,7 @@ function linuxSecretDelete() {
   }
 }
 async function tryKeytar() {
+  if (!nativeKeychainAllowed()) return null;
   try {
     return await import("keytar");
   } catch {
@@ -415,8 +479,8 @@ function deriveMachineKey() {
 }
 function readMachineId() {
   try {
-    const { readFileSync: readFileSync13 } = __require("fs");
-    return readFileSync13("/etc/machine-id", "utf-8").trim();
+    const { readFileSync: readFileSync14 } = __require("fs");
+    return readFileSync14("/etc/machine-id", "utf-8").trim();
   } catch {
     return "";
   }
@@ -464,7 +528,19 @@ async function writeMachineBoundFileFallback(b64) {
   return "plaintext";
 }
 async function getMasterKey() {
-  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  let nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (!nativeValue) {
+    const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
+    if (legacyValue) {
+      const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
+      if (migrated) {
+        macKeychainDelete(LEGACY_SERVICE);
+        linuxSecretDelete(LEGACY_SERVICE);
+        process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
+      }
+      nativeValue = legacyValue;
+    }
+  }
   if (nativeValue) {
     return Buffer.from(nativeValue, "base64");
   }
@@ -472,12 +548,17 @@ async function getMasterKey() {
   if (keytar) {
     try {
       const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (keytarValue) {
-        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+      const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
+      if (legacyKeytarValue) {
+        const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
         if (migrated) {
           process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+          try {
+            await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
+          } catch {
+          }
         }
-        return Buffer.from(keytarValue, "base64");
+        return Buffer.from(legacyKeytarValue, "base64");
       }
     } catch {
     }
@@ -502,7 +583,7 @@ async function getMasterKey() {
       const decrypted = decryptWithMachineKey(content, machineKey);
       if (!decrypted) {
         process.stderr.write(
-          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase during setup: exe-os setup\n"
         );
         return null;
       }
@@ -511,6 +592,9 @@ async function getMasterKey() {
       b64Value = content;
     }
     const key = Buffer.from(b64Value, "base64");
+    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+      return key;
+    }
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -538,6 +622,97 @@ async function getMasterKey() {
     return null;
   }
 }
+async function getKeyStorageInfo() {
+  if (macKeychainGet()) {
+    return {
+      kind: "macos-keychain",
+      secure: true,
+      note: "stored in macOS Keychain via built-in security CLI"
+    };
+  }
+  if (macKeychainGet(LEGACY_SERVICE)) {
+    return {
+      kind: "macos-keychain",
+      secure: true,
+      note: "stored in legacy macOS Keychain service exe-mem; next key read migrates it to exe-os"
+    };
+  }
+  if (linuxSecretGet()) {
+    return {
+      kind: "linux-secret-service",
+      secure: true,
+      note: "stored in Linux Secret Service via secret-tool"
+    };
+  }
+  if (linuxSecretGet(LEGACY_SERVICE)) {
+    return {
+      kind: "linux-secret-service",
+      secure: true,
+      note: "stored in legacy Linux Secret Service service exe-mem; next key read migrates it to exe-os"
+    };
+  }
+  const keytar = await tryKeytar();
+  if (keytar) {
+    try {
+      if (await keytar.getPassword(SERVICE, ACCOUNT)) {
+        return {
+          kind: "legacy-keytar",
+          secure: true,
+          note: "stored in legacy keytar backend; will migrate to native keychain when possible"
+        };
+      }
+      if (await keytar.getPassword(LEGACY_SERVICE, ACCOUNT)) {
+        return {
+          kind: "legacy-keytar",
+          secure: true,
+          note: "stored in legacy keytar service exe-mem; will migrate to native exe-os keychain when possible"
+        };
+      }
+    } catch {
+    }
+  }
+  const keyPath = getKeyPath();
+  if (!existsSync3(keyPath)) {
+    return {
+      kind: "missing",
+      secure: false,
+      path: keyPath,
+      note: "no key found in OS keychain, legacy keytar, or file fallback"
+    };
+  }
+  try {
+    const content = (await readFile2(keyPath, "utf-8")).trim();
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      return {
+        kind: "encrypted-file",
+        secure: true,
+        path: keyPath,
+        note: "stored in machine-bound encrypted file fallback"
+      };
+    }
+    if (isRootOnlyTrustedServerKeyFile(keyPath)) {
+      return {
+        kind: "server-secret-file",
+        secure: true,
+        path: keyPath,
+        note: "stored as root-only trusted server secret file"
+      };
+    }
+    return {
+      kind: "plaintext-file",
+      secure: false,
+      path: keyPath,
+      note: "stored in legacy plaintext file; reading it will migrate or encrypt it"
+    };
+  } catch {
+    return {
+      kind: "missing",
+      secure: false,
+      path: keyPath,
+      note: "key file exists but could not be read"
+    };
+  }
+}
 async function setMasterKey(key) {
   const b64 = key.toString("base64");
   if (macKeychainSet(b64) || linuxSecretSet(b64)) {
@@ -563,10 +738,13 @@ async function setMasterKey(key) {
 async function deleteMasterKey() {
   macKeychainDelete();
   linuxSecretDelete();
+  macKeychainDelete(LEGACY_SERVICE);
+  linuxSecretDelete(LEGACY_SERVICE);
   const keytar = await tryKeytar();
   if (keytar) {
     try {
       await keytar.deletePassword(SERVICE, ACCOUNT);
+      await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
     } catch {
     }
   }
@@ -604,12 +782,14 @@ async function importMnemonic(mnemonic) {
   const entropy = mnemonicToEntropy(trimmed);
   return Buffer.from(entropy, "hex");
 }
-var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
+var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
 var init_keychain = __esm({
   "src/lib/keychain.ts"() {
     "use strict";
-    SERVICE = "exe-mem";
+    SERVICE = "exe-os";
+    LEGACY_SERVICE = "exe-mem";
     ACCOUNT = "master-key";
+    linuxSecretAvailability = null;
     ENCRYPTED_PREFIX = "enc:";
   }
 });
@@ -665,7 +845,7 @@ import net from "net";
 import os3 from "os";
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync6, unlinkSync as unlinkSync2, readFileSync as readFileSync3, openSync, closeSync, statSync } from "fs";
+import { existsSync as existsSync6, unlinkSync as unlinkSync2, readFileSync as readFileSync3, openSync, closeSync, statSync as statSync2 } from "fs";
 import path5 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
@@ -815,7 +995,7 @@ function acquireSpawnLock() {
     return true;
   } catch {
     try {
-      const stat = statSync(SPAWN_LOCK_PATH);
+      const stat = statSync2(SPAWN_LOCK_PATH);
       if (Date.now() - stat.mtimeMs > SPAWN_LOCK_STALE_MS) {
         try {
           unlinkSync2(SPAWN_LOCK_PATH);
@@ -976,7 +1156,7 @@ function killAndRespawnDaemon() {
 }
 function isDaemonTooYoung() {
   try {
-    const stat = statSync(PID_PATH);
+    const stat = statSync2(PID_PATH);
     return Date.now() - stat.mtimeMs < MIN_DAEMON_AGE_MS;
   } catch {
     return false;
@@ -1129,10 +1309,10 @@ async function disposeEmbedder() {
 async function embedDirect(text) {
   const llamaCpp = await import("node-llama-cpp");
   const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-  const { existsSync: existsSync17 } = await import("fs");
-  const path17 = await import("path");
-  const modelPath = path17.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
-  if (!existsSync17(modelPath)) {
+  const { existsSync: existsSync18 } = await import("fs");
+  const path18 = await import("path");
+  const modelPath = path18.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
+  if (!existsSync18(modelPath)) {
     throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
   }
   const llama = await llamaCpp.getLlama();
@@ -1421,8 +1601,8 @@ async function validateLicense(apiKey, deviceId) {
 }
 function getCacheAgeMs() {
   try {
-    const { statSync: statSync4 } = __require("fs");
-    const s = statSync4(CACHE_PATH);
+    const { statSync: statSync5 } = __require("fs");
+    const s = statSync5(CACHE_PATH);
     return Date.now() - s.mtimeMs;
   } catch {
     return Infinity;
@@ -2972,6 +3152,9 @@ function getClient() {
   if (_daemonClient && _daemonClient._isDaemonActive()) {
     return _daemonClient;
   }
+  if (!_resilientClient) {
+    return _adapterClient;
+  }
   return _resilientClient;
 }
 async function initDaemonClient() {
@@ -4004,6 +4187,127 @@ async function ensureSchema() {
       VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
     END;
   `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS agent_sessions (
+      id              TEXT PRIMARY KEY,
+      agent_id        TEXT NOT NULL,
+      project_name    TEXT,
+      started_at      TEXT NOT NULL,
+      last_event_at   TEXT NOT NULL,
+      event_count     INTEGER NOT NULL DEFAULT 0,
+      properties      TEXT DEFAULT '{}'
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
+      ON agent_sessions(agent_id, started_at);
+
+    CREATE TABLE IF NOT EXISTS agent_goals (
+      id                TEXT PRIMARY KEY,
+      statement         TEXT NOT NULL,
+      owner_agent_id    TEXT,
+      project_name      TEXT,
+      status            TEXT NOT NULL DEFAULT 'open',
+      priority          INTEGER NOT NULL DEFAULT 5,
+      success_criteria  TEXT,
+      parent_goal_id    TEXT,
+      due_at            TEXT,
+      achieved_at       TEXT,
+      supersedes_id     TEXT,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL,
+      source_memory_id  TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
+      ON agent_goals(project_name, status, priority);
+
+    CREATE TABLE IF NOT EXISTS agent_events (
+      id                  TEXT PRIMARY KEY,
+      event_type          TEXT NOT NULL,
+      occurred_at         TEXT NOT NULL,
+      sequence_index      INTEGER NOT NULL,
+      actor_agent_id      TEXT,
+      agent_role          TEXT,
+      project_name        TEXT,
+      session_id          TEXT,
+      task_id             TEXT,
+      goal_id             TEXT,
+      parent_event_id     TEXT,
+      intention           TEXT,
+      outcome             TEXT,
+      evidence_memory_id  TEXT,
+      impact              TEXT,
+      payload             TEXT DEFAULT '{}',
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_time
+      ON agent_events(occurred_at, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
+      ON agent_events(session_id, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
+      ON agent_events(goal_id, occurred_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_memory
+      ON agent_events(evidence_memory_id);
+
+    CREATE TABLE IF NOT EXISTS agent_goal_links (
+      id           TEXT PRIMARY KEY,
+      goal_id      TEXT NOT NULL,
+      link_type    TEXT NOT NULL,
+      target_id    TEXT NOT NULL,
+      target_type  TEXT NOT NULL,
+      created_at   TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
+      ON agent_goal_links(goal_id, target_type);
+
+    CREATE TABLE IF NOT EXISTS agent_semantic_labels (
+      id                TEXT PRIMARY KEY,
+      source_memory_id  TEXT NOT NULL,
+      event_id          TEXT,
+      labeler           TEXT NOT NULL,
+      schema_version    INTEGER NOT NULL DEFAULT 1,
+      confidence        REAL NOT NULL DEFAULT 0,
+      labels            TEXT NOT NULL,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
+      ON agent_semantic_labels(source_memory_id, labeler);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
+      ON agent_semantic_labels(event_id);
+
+    CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
+      id                  TEXT PRIMARY KEY,
+      project_name        TEXT,
+      session_id          TEXT,
+      window_start_at     TEXT NOT NULL,
+      window_end_at       TEXT NOT NULL,
+      event_count         INTEGER NOT NULL DEFAULT 0,
+      goal_count          INTEGER NOT NULL DEFAULT 0,
+      success_count       INTEGER NOT NULL DEFAULT 0,
+      failure_count       INTEGER NOT NULL DEFAULT 0,
+      risk_count          INTEGER NOT NULL DEFAULT 0,
+      summary             TEXT NOT NULL,
+      learnings           TEXT NOT NULL DEFAULT '[]',
+      next_actions        TEXT NOT NULL DEFAULT '[]',
+      evidence_event_ids  TEXT NOT NULL DEFAULT '[]',
+      confidence          REAL NOT NULL DEFAULT 0,
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
+      ON agent_reflection_checkpoints(project_name, window_end_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
+      ON agent_reflection_checkpoints(session_id, window_end_at);
+  `);
   try {
     await client.execute({
       sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -4408,7 +4712,7 @@ __export(db_backup_exports, {
   listBackups: () => listBackups,
   rotateBackups: () => rotateBackups
 });
-import { copyFileSync, existsSync as existsSync11, mkdirSync as mkdirSync4, readdirSync, unlinkSync as unlinkSync5, statSync as statSync2 } from "fs";
+import { copyFileSync, existsSync as existsSync11, mkdirSync as mkdirSync4, readdirSync, unlinkSync as unlinkSync5, statSync as statSync3 } from "fs";
 import path11 from "path";
 function findActiveDb() {
   for (const name of DB_NAMES) {
@@ -4452,7 +4756,7 @@ function rotateBackups(keepDays = DEFAULT_KEEP_DAYS) {
       if (!file.endsWith(".db") && !file.endsWith(".db-wal") && !file.endsWith(".db-shm")) continue;
       const filePath = path11.join(BACKUP_DIR, file);
       try {
-        const stat = statSync2(filePath);
+        const stat = statSync3(filePath);
         if (stat.mtimeMs < cutoff) {
           unlinkSync5(filePath);
           deleted++;
@@ -4470,7 +4774,7 @@ function listBackups() {
     const files = readdirSync(BACKUP_DIR).filter((f) => f.endsWith(".db") && !f.endsWith("-wal") && !f.endsWith("-shm"));
     return files.map((name) => {
       const p = path11.join(BACKUP_DIR, name);
-      const stat = statSync2(p);
+      const stat = statSync3(p);
       return { path: p, name, size: stat.size, date: stat.mtime };
     }).sort((a, b) => b.date.getTime() - a.date.getTime());
   } catch {
@@ -4503,8 +4807,10 @@ var init_db_backup = __esm({
 // src/lib/cloud-sync.ts
 var cloud_sync_exports = {};
 __export(cloud_sync_exports, {
+  CLOUD_REUPLOAD_REQUIRED_MESSAGE: () => CLOUD_REUPLOAD_REQUIRED_MESSAGE,
   assertSecureEndpoint: () => assertSecureEndpoint,
   buildRosterBlob: () => buildRosterBlob,
+  clearCloudReuploadRequired: () => clearCloudReuploadRequired,
   cloudPull: () => cloudPull,
   cloudPullBehaviors: () => cloudPullBehaviors,
   cloudPullBlob: () => cloudPullBlob,
@@ -4523,13 +4829,16 @@ __export(cloud_sync_exports, {
   cloudPushGraphRAG: () => cloudPushGraphRAG,
   cloudPushRoster: () => cloudPushRoster,
   cloudPushTasks: () => cloudPushTasks,
+  cloudResetMemoryBlobs: () => cloudResetMemoryBlobs,
   cloudSync: () => cloudSync,
+  getCloudReuploadRequired: () => getCloudReuploadRequired,
+  markCloudReuploadRequired: () => markCloudReuploadRequired,
   mergeConfig: () => mergeConfig,
   mergeRosterFromRemote: () => mergeRosterFromRemote,
   pushToPostgres: () => pushToPostgres,
   recordRosterDeletion: () => recordRosterDeletion
 });
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync6, existsSync as existsSync12, readdirSync as readdirSync2, mkdirSync as mkdirSync5, appendFileSync, unlinkSync as unlinkSync6, openSync as openSync2, closeSync as closeSync2, statSync as statSync3 } from "fs";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync6, existsSync as existsSync12, readdirSync as readdirSync2, mkdirSync as mkdirSync5, appendFileSync, unlinkSync as unlinkSync6, openSync as openSync2, closeSync as closeSync2, statSync as statSync4 } from "fs";
 import crypto3 from "crypto";
 import path12 from "path";
 import { homedir as homedir2 } from "os";
@@ -4576,18 +4885,36 @@ function loadPgClient() {
       const { pathToFileURL: pathToFileURL3 } = await import("url");
       const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
       if (explicitPath) {
-        const mod2 = await import(pathToFileURL3(explicitPath).href);
-        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
-        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
-        return new Ctor2();
+        const mod = await import(pathToFileURL3(explicitPath).href);
+        const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+        if (!Ctor) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor();
       }
       const exeDbRoot = process.env.EXE_DB_ROOT ?? path12.join(homedir2(), "exe-db");
-      const req = createRequire3(path12.join(exeDbRoot, "package.json"));
-      const entry = req.resolve("@prisma/client");
-      const mod = await import(pathToFileURL3(entry).href);
-      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
-      if (!Ctor) throw new Error("No PrismaClient");
-      return new Ctor();
+      const packagePath = path12.join(exeDbRoot, "package.json");
+      if (existsSync12(packagePath)) {
+        const req = createRequire3(packagePath);
+        const entry = req.resolve("@prisma/client");
+        const mod = await import(pathToFileURL3(entry).href);
+        const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+        if (!Ctor) throw new Error("No PrismaClient");
+        return new Ctor();
+      }
+      const { Pool } = await import("pg");
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      return {
+        async $queryRawUnsafe(query, ...values) {
+          const result = await pool.query(query, values);
+          return result.rows;
+        },
+        async $executeRawUnsafe(query, ...values) {
+          const result = await pool.query(query, values);
+          return result.rowCount ?? 0;
+        },
+        async $disconnect() {
+          await pool.end();
+        }
+      };
     })().catch(() => {
       _pgFailed = true;
       _pgPromise = null;
@@ -4608,7 +4935,7 @@ async function pushToPostgres(records) {
   let inserted = 0;
   for (const rec of records) {
     try {
-      await prisma.$executeRawUnsafe(
+      const changed = await prisma.$executeRawUnsafe(
         `INSERT INTO raw.raw_events (id, source, source_id, event_type, payload, metadata, timestamp)
          VALUES (gen_random_uuid(), 'cloud_sync', $1, 'memory', $2::jsonb, $3::jsonb, $4)
          ON CONFLICT (source, source_id, event_type) DO NOTHING`,
@@ -4617,7 +4944,7 @@ async function pushToPostgres(records) {
         JSON.stringify({ agent_id: rec.agent_id, project_name: rec.project_name, tool_name: rec.tool_name }),
         rec.timestamp ? new Date(String(rec.timestamp)) : /* @__PURE__ */ new Date()
       );
-      inserted++;
+      inserted += Number(changed ?? 0);
     } catch {
     }
   }
@@ -4722,6 +5049,23 @@ async function cloudPush(records, maxVersion, config) {
     return false;
   }
 }
+async function cloudResetMemoryBlobs(config) {
+  assertSecureEndpoint(config.endpoint);
+  const resp = await fetchWithRetry(`${config.endpoint}/sync/reset-memory`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${config.apiKey}`,
+      "Content-Type": "application/json",
+      "X-Device-Id": loadDeviceId()
+    },
+    body: JSON.stringify({ confirm: "LOCAL DB IS SOURCE OF TRUTH" })
+  });
+  if (!resp.ok) {
+    throw new Error(`cloud reset failed: HTTP ${resp.status}`);
+  }
+  const data = await resp.json();
+  return { deleted: Number(data.deleted ?? 0), freedBytes: Number(data.freed_bytes ?? 0) };
+}
 async function cloudPull(sinceVersion, config) {
   assertSecureEndpoint(config.endpoint);
   try {
@@ -4741,22 +5085,61 @@ async function cloudPull(sinceVersion, config) {
     if (!response.ok) return { records: [], maxVersion: sinceVersion };
     const data = await response.json();
     const allRecords = [];
-    for (const { blob } of data.blobs ?? []) {
+    let maxReadableVersion = sinceVersion;
+    let skippedBlobs = 0;
+    for (const { version, blob } of data.blobs ?? []) {
       try {
         const compressed = decryptSyncBlob(blob);
         const json = decompress(compressed).toString("utf8");
         const records = JSON.parse(json);
         allRecords.push(...records);
+        const recordMax = records.reduce((max, rec) => {
+          const v = Number(rec.version ?? 0);
+          return Number.isFinite(v) ? Math.max(max, v) : max;
+        }, 0);
+        const blobVersion = Number(version ?? 0);
+        maxReadableVersion = Math.max(
+          maxReadableVersion,
+          Number.isFinite(blobVersion) ? blobVersion : 0,
+          recordMax
+        );
       } catch {
+        skippedBlobs++;
         continue;
       }
     }
-    return { records: allRecords, maxVersion: data.max_version ?? sinceVersion };
+    if (skippedBlobs > 0) {
+      logError(`[cloud-sync] PULL skipped ${skippedBlobs} undecryptable blob(s); pull cursor advanced only to last readable version ${maxReadableVersion}`);
+    }
+    return { records: allRecords, maxVersion: maxReadableVersion };
   } catch (err) {
     logError(`[cloud-sync] PULL FAILED: ${err instanceof Error ? err.message : String(err)}`);
     return { records: [], maxVersion: sinceVersion };
   }
 }
+async function getCloudReuploadRequired(client = getClient()) {
+  try {
+    await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+    const result = await client.execute("SELECT key, value FROM sync_meta WHERE key IN ('cloud_reupload_required', 'cloud_relink_required')");
+    return result.rows.some((row) => String(row.value ?? "") === "1");
+  } catch {
+    return false;
+  }
+}
+async function clearCloudReuploadRequired(client = getClient()) {
+  await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+  await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '0')");
+  await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_relink_required', '0')");
+  await client.execute({
+    sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reuploaded_at', ?)",
+    args: [(/* @__PURE__ */ new Date()).toISOString()]
+  });
+  await client.execute("DELETE FROM sync_meta WHERE key IN ('last_cloud_pull_version', 'last_cloud_push_version')");
+}
+async function markCloudReuploadRequired(client = getClient()) {
+  await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+  await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
+}
 async function cloudSync(config) {
   if (!isSyncCryptoInitialized()) {
     try {
@@ -4778,13 +5161,10 @@ async function cloudSync(config) {
     throw new Error("[cloud-sync] Database not initialized. Call initStore() before cloudSync().");
   }
   try {
-    const relink = await client.execute("SELECT value FROM sync_meta WHERE key = 'cloud_relink_required' LIMIT 1");
-    if (String(relink.rows[0]?.value ?? "") === "1") {
-      throw new Error("[cloud-sync] Paused after key rotation. Re-link/reupload cloud sync with the new recovery phrase before syncing.");
-    }
+    if (await getCloudReuploadRequired(client)) throw new Error(CLOUD_REUPLOAD_REQUIRED_MESSAGE);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
-    if (msg.includes("Paused after key rotation")) throw err;
+    if (msg === CLOUD_REUPLOAD_REQUIRED_MESSAGE || msg.includes("key rotation")) throw err;
   }
   try {
     const { getRawClient: getRawClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
@@ -5042,7 +5422,7 @@ async function cloudSync(config) {
     const { getLatestBackup: getLatestBackup2 } = await Promise.resolve().then(() => (init_db_backup(), db_backup_exports));
     const latestBackup = getLatestBackup2();
     if (latestBackup) {
-      const backupSize = statSync3(latestBackup).size;
+      const backupSize = statSync4(latestBackup).size;
       const MAX_CLOUD_BACKUP_BYTES = 50 * 1024 * 1024;
       if (backupSize <= MAX_CLOUD_BACKUP_BYTES) {
         const backupData = readFileSync8(latestBackup);
@@ -5713,7 +6093,7 @@ async function cloudPullDocuments(config) {
   }
   return { pulled };
 }
-var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, ROSTER_DELETIONS_PATH;
+var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, CLOUD_REUPLOAD_REQUIRED_MESSAGE, ROSTER_DELETIONS_PATH;
 var init_cloud_sync = __esm({
   "src/lib/cloud-sync.ts"() {
     "use strict";
@@ -5732,43 +6112,194 @@ var init_cloud_sync = __esm({
     LOCK_STALE_MS = 3e4;
     _pgPromise = null;
     _pgFailed = false;
+    CLOUD_REUPLOAD_REQUIRED_MESSAGE = "Cloud sync is blocked because this device rotated its memory encryption key. Run `exe-os cloud reupload` first to re-upload the cloud backup with the new key.";
     ROSTER_DELETIONS_PATH = path12.join(EXE_AI_DIR, "roster-deletions.json");
   }
 });
 
+// src/lib/key-backup-status.ts
+var key_backup_status_exports = {};
+__export(key_backup_status_exports, {
+  getKeyBackupStatus: () => getKeyBackupStatus,
+  keyBackupMarkerPath: () => keyBackupMarkerPath,
+  markKeyBackupConfirmed: () => markKeyBackupConfirmed
+});
+import { existsSync as existsSync13, mkdirSync as mkdirSync6, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
+import path13 from "path";
+function keyBackupMarkerPath() {
+  return path13.join(EXE_AI_DIR, "key-backup-confirmed.json");
+}
+function getKeyBackupStatus() {
+  const marker = keyBackupMarkerPath();
+  if (!existsSync13(marker)) return { exists: false };
+  try {
+    const parsed = JSON.parse(readFileSync9(marker, "utf8"));
+    return {
+      exists: true,
+      confirmedAt: parsed.confirmedAt,
+      source: parsed.source
+    };
+  } catch {
+    return { exists: true };
+  }
+}
+function markKeyBackupConfirmed(source) {
+  mkdirSync6(EXE_AI_DIR, { recursive: true, mode: 448 });
+  writeFileSync7(
+    keyBackupMarkerPath(),
+    JSON.stringify({ confirmedAt: (/* @__PURE__ */ new Date()).toISOString(), source }, null, 2) + "\n",
+    { mode: 384 }
+  );
+}
+var init_key_backup_status = __esm({
+  "src/lib/key-backup-status.ts"() {
+    "use strict";
+    init_config();
+  }
+});
+
+// src/lib/orchestration-phase.ts
+var orchestration_phase_exports = {};
+__export(orchestration_phase_exports, {
+  ORCHESTRATION_PHASES: () => ORCHESTRATION_PHASES,
+  applyDefaultOrchestrationPhase: () => applyDefaultOrchestrationPhase,
+  getConfigOrchestrationPhase: () => getConfigOrchestrationPhase,
+  getOrchestrationPhaseInfo: () => getOrchestrationPhaseInfo,
+  loadOrchestrationPhase: () => loadOrchestrationPhase,
+  normalizeOrchestrationPhase: () => normalizeOrchestrationPhase,
+  phaseReminderLine: () => phaseReminderLine,
+  setOrchestrationPhase: () => setOrchestrationPhase
+});
+function normalizeOrchestrationPhase(input) {
+  if (typeof input !== "string") return "phase_1_coo";
+  const normalized = input.trim().toLowerCase().replace(/\s+/g, "_");
+  if (["1", "phase1", "phase_1", "coo", "coo_mode", "chief_of_staff", "phase_1_coo"].includes(normalized)) {
+    return "phase_1_coo";
+  }
+  if (["2", "phase2", "phase_2", "executives", "executive", "executive_bench", "phase_2_executives"].includes(normalized)) {
+    return "phase_2_executives";
+  }
+  if (["3", "phase3", "phase_3", "parallel", "parallel_org", "parallel_execution", "phase_3_parallel_org"].includes(normalized)) {
+    return "phase_3_parallel_org";
+  }
+  if (ORCHESTRATION_PHASES.includes(normalized)) return normalized;
+  return "phase_1_coo";
+}
+function getOrchestrationPhaseInfo(phase) {
+  return PHASE_INFO[normalizeOrchestrationPhase(phase)];
+}
+function getConfigOrchestrationPhase(config) {
+  const orchestration = config.orchestration;
+  return normalizeOrchestrationPhase(orchestration?.phase);
+}
+function applyDefaultOrchestrationPhase(config) {
+  if (!config.orchestration) {
+    config.orchestration = {
+      phase: "phase_1_coo",
+      phaseSetAt: (/* @__PURE__ */ new Date()).toISOString(),
+      phaseSetBy: "setup-default"
+    };
+    return config;
+  }
+  if (!config.orchestration.phase) {
+    config.orchestration = {
+      ...config.orchestration,
+      phase: "phase_1_coo",
+      phaseSetAt: config.orchestration.phaseSetAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+      phaseSetBy: config.orchestration.phaseSetBy ?? "setup-default"
+    };
+  }
+  return config;
+}
+async function loadOrchestrationPhase() {
+  const config = await loadConfig();
+  return getOrchestrationPhaseInfo(config.orchestration?.phase);
+}
+async function setOrchestrationPhase(phaseInput, setBy = "user") {
+  const config = await loadConfig();
+  const phase = normalizeOrchestrationPhase(phaseInput);
+  config.orchestration = {
+    ...config.orchestration ?? {},
+    phase,
+    phaseSetAt: (/* @__PURE__ */ new Date()).toISOString(),
+    phaseSetBy: setBy
+  };
+  await saveConfig(config);
+  return getOrchestrationPhaseInfo(phase);
+}
+function phaseReminderLine(phase) {
+  const info = getOrchestrationPhaseInfo(phase);
+  return `${info.shortLabel}: ${info.focus}. ${info.nextSuggestion}`;
+}
+var ORCHESTRATION_PHASES, PHASE_INFO;
+var init_orchestration_phase = __esm({
+  "src/lib/orchestration-phase.ts"() {
+    "use strict";
+    init_config();
+    ORCHESTRATION_PHASES = [
+      "phase_1_coo",
+      "phase_2_executives",
+      "phase_3_parallel_org"
+    ];
+    PHASE_INFO = {
+      phase_1_coo: {
+        phase: "phase_1_coo",
+        shortLabel: "Phase 1 \u2014 COO mode",
+        label: "Phase 1 \u2014 COO / Chief of Staff mode",
+        focus: "building company context before delegation",
+        nextSuggestion: "Unlock executives when technical, marketing, ops, legal, or finance work repeats."
+      },
+      phase_2_executives: {
+        phase: "phase_2_executives",
+        shortLabel: "Phase 2 \u2014 Executive bench",
+        label: "Phase 2 \u2014 Executive bench",
+        focus: "COO works with domain executives like CTO/CMO before specialist fan-out",
+        nextSuggestion: "Unlock parallel execution when review gates, permissions, and workflows are ready."
+      },
+      phase_3_parallel_org: {
+        phase: "phase_3_parallel_org",
+        shortLabel: "Phase 3 \u2014 Parallel org",
+        label: "Phase 3 \u2014 Parallel execution org",
+        focus: "executives can delegate to specialists in parallel with review gates",
+        nextSuggestion: "Keep review/CI/permission gates healthy; downgrade anytime if you want simpler COO-only mode."
+      }
+    };
+  }
+});
+
 // src/lib/preferences.ts
 var preferences_exports = {};
 __export(preferences_exports, {
   loadPreferences: () => loadPreferences,
   savePreferences: () => savePreferences
 });
-import { existsSync as existsSync13, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
-import path13 from "path";
+import { existsSync as existsSync14, readFileSync as readFileSync10, writeFileSync as writeFileSync8 } from "fs";
+import path14 from "path";
 import os7 from "os";
 function loadPreferences(homeDir = os7.homedir()) {
-  const configPath = path13.join(homeDir, ".exe-os", "config.json");
-  if (!existsSync13(configPath)) return {};
+  const configPath = path14.join(homeDir, ".exe-os", "config.json");
+  if (!existsSync14(configPath)) return {};
   try {
-    const config = JSON.parse(readFileSync9(configPath, "utf-8"));
+    const config = JSON.parse(readFileSync10(configPath, "utf-8"));
     return config.preferences ?? {};
   } catch {
     return {};
   }
 }
 function savePreferences(prefs, homeDir = os7.homedir()) {
-  const configDir = path13.join(homeDir, ".exe-os");
-  const configPath = path13.join(configDir, "config.json");
+  const configDir = path14.join(homeDir, ".exe-os");
+  const configPath = path14.join(configDir, "config.json");
   ensurePrivateDirSync(configDir);
   let config = {};
-  if (existsSync13(configPath)) {
+  if (existsSync14(configPath)) {
     try {
-      config = JSON.parse(readFileSync9(configPath, "utf-8"));
+      config = JSON.parse(readFileSync10(configPath, "utf-8"));
     } catch {
       config = {};
     }
   }
   config.preferences = prefs;
-  writeFileSync7(configPath, JSON.stringify(config, null, 2) + "\n");
+  writeFileSync8(configPath, JSON.stringify(config, null, 2) + "\n");
   enforcePrivateFileSync(configPath);
 }
 var init_preferences = __esm({
@@ -5816,6 +6347,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Founder -> coordinator (the executive agent, internally routed as 'COO') -> CTO/CMO. CTO -> engineers. CMO -> content production. Never skip levels: the coordinator does not bypass managers for specialist work. Specialists report to their manager. If you need cross-team info, use ask_team_memory \u2014 don't read other agents' task folders. Each level owns dispatch downward and review upward."
       },
+      {
+        title: "Customer orchestration maturity \u2014 recommend, never trap",
+        domain: "workflow",
+        priority: "p1",
+        content: "New customers start best in Phase 1: founder \u2194 coordinator/Chief of Staff, building company context. Suggest Phase 2 executives when domain work repeats; suggest Phase 3 parallel execution only when review/permission gates are ready. This is guidance, not a blocker: users may jump phases anytime. Never overwrite their phase, role titles, identities, or custom org design."
+      },
       {
         title: "Single dispatch path \u2014 create_task only",
         domain: "workflow",
@@ -5874,6 +6411,12 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "exe-build-adv is MANDATORY for ALL work touching 3+ files. Run /exe-build-adv --auto BEFORE implementation. Pipeline: Spec \u2192 AC \u2192 Tests \u2192 Evaluate \u2192 Fix. No multi-file feature ships without pipeline artifacts. No exceptions \u2014 managers reject work without them."
       },
+      {
+        title: "Commit discipline \u2014 never leave verified work floating",
+        domain: "workflow",
+        priority: "p1",
+        content: "After any code-change batch passes typecheck/tests/build, run git status, summarize changed files, and commit with a clear message before ending the session. If work must remain uncommitted for review/dogfood, explicitly say so, list the files, and state the blocker. Never imply work is complete while verified changes are still floating locally."
+      },
       {
         title: "Desktop and TUI are the same product",
         domain: "architecture",
@@ -6641,17 +7184,17 @@ __export(identity_exports, {
   listIdentities: () => listIdentities,
   updateIdentity: () => updateIdentity
 });
-import { existsSync as existsSync14, mkdirSync as mkdirSync6, readFileSync as readFileSync10, writeFileSync as writeFileSync8 } from "fs";
+import { existsSync as existsSync15, mkdirSync as mkdirSync7, readFileSync as readFileSync11, writeFileSync as writeFileSync9 } from "fs";
 import { readdirSync as readdirSync3 } from "fs";
-import path14 from "path";
+import path15 from "path";
 import { createHash as createHash2 } from "crypto";
 function ensureDir() {
-  if (!existsSync14(IDENTITY_DIR2)) {
-    mkdirSync6(IDENTITY_DIR2, { recursive: true });
+  if (!existsSync15(IDENTITY_DIR2)) {
+    mkdirSync7(IDENTITY_DIR2, { recursive: true });
   }
 }
 function identityPath(agentId) {
-  return path14.join(IDENTITY_DIR2, `${agentId}.md`);
+  return path15.join(IDENTITY_DIR2, `${agentId}.md`);
 }
 function sanitizeIdentityBody(body) {
   return body.replace(/<!--[\s\S]*?-->/g, "").trim();
@@ -6695,8 +7238,8 @@ function contentHash(content) {
 }
 function getIdentity(agentId) {
   const filePath = identityPath(agentId);
-  if (!existsSync14(filePath)) return null;
-  const raw = readFileSync10(filePath, "utf-8");
+  if (!existsSync15(filePath)) return null;
+  const raw = readFileSync11(filePath, "utf-8");
   const { frontmatter, body } = parseFrontmatter(raw);
   return {
     agentId,
@@ -6710,7 +7253,7 @@ async function updateIdentity(agentId, content, updatedBy) {
   ensureDir();
   const filePath = identityPath(agentId);
   const hash = contentHash(content);
-  writeFileSync8(filePath, content, "utf-8");
+  writeFileSync9(filePath, content, "utf-8");
   try {
     const client = getClient();
     await client.execute({
@@ -6768,7 +7311,7 @@ var init_identity = __esm({
     "use strict";
     init_config();
     init_database();
-    IDENTITY_DIR2 = path14.join(EXE_AI_DIR, "identity");
+    IDENTITY_DIR2 = path15.join(EXE_AI_DIR, "identity");
   }
 });
 
@@ -7319,36 +7862,36 @@ __export(session_wrappers_exports, {
   generateSessionWrappers: () => generateSessionWrappers
 });
 import {
-  existsSync as existsSync15,
-  readFileSync as readFileSync11,
-  writeFileSync as writeFileSync9,
-  mkdirSync as mkdirSync7,
+  existsSync as existsSync16,
+  readFileSync as readFileSync12,
+  writeFileSync as writeFileSync10,
+  mkdirSync as mkdirSync8,
   chmodSync as chmodSync2,
   readdirSync as readdirSync4,
   unlinkSync as unlinkSync7
 } from "fs";
-import path15 from "path";
+import path16 from "path";
 import { homedir as homedir3 } from "os";
 function generateSessionWrappers(packageRoot, homeDir) {
   const home = homeDir ?? homedir3();
-  const binDir = path15.join(home, ".exe-os", "bin");
-  const rosterPath = path15.join(home, ".exe-os", "exe-employees.json");
-  mkdirSync7(binDir, { recursive: true });
-  const exeStartDst = path15.join(binDir, "exe-start");
+  const binDir = path16.join(home, ".exe-os", "bin");
+  const rosterPath = path16.join(home, ".exe-os", "exe-employees.json");
+  mkdirSync8(binDir, { recursive: true });
+  const exeStartDst = path16.join(binDir, "exe-start");
   const candidates = [
-    path15.join(packageRoot, "dist", "bin", "exe-start.sh"),
-    path15.join(packageRoot, "src", "bin", "exe-start.sh")
+    path16.join(packageRoot, "dist", "bin", "exe-start.sh"),
+    path16.join(packageRoot, "src", "bin", "exe-start.sh")
   ];
   for (const src of candidates) {
-    if (existsSync15(src)) {
-      writeFileSync9(exeStartDst, readFileSync11(src));
+    if (existsSync16(src)) {
+      writeFileSync10(exeStartDst, readFileSync12(src));
       chmodSync2(exeStartDst, 493);
       break;
     }
   }
   let employees = [];
   try {
-    employees = JSON.parse(readFileSync11(rosterPath, "utf8"));
+    employees = JSON.parse(readFileSync12(rosterPath, "utf8"));
   } catch {
     return { created: 0, pathConfigured: false };
   }
@@ -7358,9 +7901,9 @@ function generateSessionWrappers(packageRoot, homeDir) {
   try {
     for (const f of readdirSync4(binDir)) {
       if (f === "exe-start") continue;
-      const fPath = path15.join(binDir, f);
+      const fPath = path16.join(binDir, f);
       try {
-        const content = readFileSync11(fPath, "utf8");
+        const content = readFileSync12(fPath, "utf8");
         if (content.includes("exe-start")) {
           unlinkSync7(fPath);
         }
@@ -7375,34 +7918,34 @@ exec "${exeStartDst}" "$0" "$@"
 `;
   for (const emp of employees) {
     for (let n = 1; n <= MAX_N; n++) {
-      const wrapperPath = path15.join(binDir, `${emp.name}${n}`);
-      writeFileSync9(wrapperPath, wrapperContent);
+      const wrapperPath = path16.join(binDir, `${emp.name}${n}`);
+      writeFileSync10(wrapperPath, wrapperContent);
       chmodSync2(wrapperPath, 493);
       created++;
-      const codexPath = path15.join(binDir, `${emp.name}${n}-codex`);
-      writeFileSync9(codexPath, wrapperContent);
+      const codexPath = path16.join(binDir, `${emp.name}${n}-codex`);
+      writeFileSync10(codexPath, wrapperContent);
       chmodSync2(codexPath, 493);
       created++;
     }
   }
   const codexLauncherCandidates = [
-    path15.join(packageRoot, "dist", "bin", "exe-start-codex.js"),
-    path15.join(packageRoot, "src", "bin", "exe-start-codex.ts")
+    path16.join(packageRoot, "dist", "bin", "exe-start-codex.js"),
+    path16.join(packageRoot, "src", "bin", "exe-start-codex.ts")
   ];
   let codexLauncher = null;
   for (const c of codexLauncherCandidates) {
-    if (existsSync15(c)) {
+    if (existsSync16(c)) {
       codexLauncher = c;
       break;
     }
   }
   if (codexLauncher) {
     for (const emp of employees) {
-      const wrapperPath = path15.join(binDir, `${emp.name}-codex`);
+      const wrapperPath = path16.join(binDir, `${emp.name}-codex`);
       const content = `#!/bin/bash
 exec node "${codexLauncher}" --agent ${emp.name} "$@"
 `;
-      writeFileSync9(wrapperPath, content);
+      writeFileSync10(wrapperPath, content);
       chmodSync2(wrapperPath, 493);
       created++;
     }
@@ -7421,24 +7964,24 @@ export PATH="${binDir}:$PATH"
   const shell = process.env.SHELL ?? "/bin/bash";
   const profilePaths = [];
   if (shell.includes("zsh")) {
-    profilePaths.push(path15.join(home, ".zshrc"));
+    profilePaths.push(path16.join(home, ".zshrc"));
   } else if (shell.includes("bash")) {
-    profilePaths.push(path15.join(home, ".bashrc"));
-    profilePaths.push(path15.join(home, ".bash_profile"));
+    profilePaths.push(path16.join(home, ".bashrc"));
+    profilePaths.push(path16.join(home, ".bash_profile"));
   } else {
-    profilePaths.push(path15.join(home, ".profile"));
+    profilePaths.push(path16.join(home, ".profile"));
   }
   for (const profilePath of profilePaths) {
     try {
       let content = "";
       try {
-        content = readFileSync11(profilePath, "utf8");
+        content = readFileSync12(profilePath, "utf8");
       } catch {
       }
       if (content.includes(".exe-os/bin")) {
         return false;
       }
-      writeFileSync9(profilePath, content + exportLine);
+      writeFileSync10(profilePath, content + exportLine);
       return true;
     } catch {
       continue;
@@ -7458,9 +8001,9 @@ var init_session_wrappers = __esm({
 init_config();
 init_keychain();
 import crypto4 from "crypto";
-import { existsSync as existsSync16, mkdirSync as mkdirSync8, readFileSync as readFileSync12, writeFileSync as writeFileSync10, unlinkSync as unlinkSync8 } from "fs";
+import { existsSync as existsSync17, mkdirSync as mkdirSync9, readFileSync as readFileSync13, writeFileSync as writeFileSync11, unlinkSync as unlinkSync8 } from "fs";
 import os8 from "os";
-import path16 from "path";
+import path17 from "path";
 import { createInterface } from "readline";
 
 // src/lib/model-downloader.ts
@@ -7552,32 +8095,32 @@ async function fileHash(filePath) {
 
 // src/lib/setup-wizard.ts
 function findPackageRoot2() {
-  let dir = path16.dirname(new URL(import.meta.url).pathname);
-  const root = path16.parse(dir).root;
+  let dir = path17.dirname(new URL(import.meta.url).pathname);
+  const root = path17.parse(dir).root;
   while (dir !== root) {
-    const pkgPath = path16.join(dir, "package.json");
-    if (existsSync16(pkgPath)) {
+    const pkgPath = path17.join(dir, "package.json");
+    if (existsSync17(pkgPath)) {
       try {
-        const pkg = JSON.parse(readFileSync12(pkgPath, "utf-8"));
+        const pkg = JSON.parse(readFileSync13(pkgPath, "utf-8"));
         if (pkg.name === "@askexenow/exe-os" || pkg.name === "exe-os") return dir;
       } catch {
       }
     }
-    dir = path16.dirname(dir);
+    dir = path17.dirname(dir);
   }
   return null;
 }
-var SETUP_STATE_PATH = path16.join(os8.homedir(), ".exe-os", "setup-state.json");
+var SETUP_STATE_PATH = path17.join(os8.homedir(), ".exe-os", "setup-state.json");
 function loadSetupState() {
   try {
-    return JSON.parse(readFileSync12(SETUP_STATE_PATH, "utf8"));
+    return JSON.parse(readFileSync13(SETUP_STATE_PATH, "utf8"));
   } catch {
     return { completedSteps: [], startedAt: (/* @__PURE__ */ new Date()).toISOString() };
   }
 }
 function saveSetupState(state) {
-  mkdirSync8(path16.dirname(SETUP_STATE_PATH), { recursive: true });
-  writeFileSync10(SETUP_STATE_PATH, JSON.stringify(state, null, 2));
+  mkdirSync9(path17.dirname(SETUP_STATE_PATH), { recursive: true });
+  writeFileSync11(SETUP_STATE_PATH, JSON.stringify(state, null, 2));
 }
 function clearSetupState() {
   try {
@@ -7627,10 +8170,10 @@ async function validateModel(log) {
   if (totalGB <= 8 || isLowMemory()) {
     log(`System memory: ${totalGB.toFixed(0)}GB total, ${freeGB.toFixed(1)}GB free`);
     log("Skipping in-memory model validation (low memory \u2014 will validate on first use).");
-    const modelPath = path16.join(MODELS_DIR, LOCAL_FILENAME);
-    if (existsSync16(modelPath)) {
-      const { statSync: statSync4 } = await import("fs");
-      const size = statSync4(modelPath).size;
+    const modelPath = path17.join(MODELS_DIR, LOCAL_FILENAME);
+    if (existsSync17(modelPath)) {
+      const { statSync: statSync5 } = await import("fs");
+      const size = statSync5(modelPath).size;
       if (size > 300 * 1e6) {
         log(`Model file verified (${(size / 1e6).toFixed(0)} MB).`);
         return;
@@ -7659,10 +8202,10 @@ async function runSetupWizard(opts = {}) {
     log("");
     log("=== exe-os Setup ===");
     log("");
-    log("Is this a new installation or pairing with an existing device?");
+    log("What are you setting up?");
     log("");
-    log("  [1] New installation (first device)");
-    log("  [2] Pair with existing device (I have a 24-word phrase)");
+    log("  [1] First device / brand new Exe OS memory");
+    log("  [2] Another device / I already have a 24-word recovery phrase");
     log("");
     const installType = await ask(rl, "Choice (1/2): ");
     let isPairing = false;
@@ -7671,16 +8214,20 @@ async function runSetupWizard(opts = {}) {
       isPairing = true;
       log("");
       const { importMnemonic: importMnemonic2 } = await Promise.resolve().then(() => (init_keychain(), keychain_exports));
-      const mnemonic = await ask(rl, "Paste your 24-word recovery phrase: ");
+      log("On your existing device, open Terminal and run:");
+      log("  exe-os cloud link --show-full");
+      log("Then copy the 24-word phrase here.");
+      log("");
+      const mnemonic = await ask(rl, "Paste the 24-word recovery phrase: ");
       try {
         const key = await importMnemonic2(mnemonic);
         await setMasterKey(key);
         log("Master key imported and stored securely.");
         log("");
-        log("Enter the API key from your existing device.");
-        log("(Find it in ~/.exe-os/config.json under cloud.apiKey, or ask your team lead.)");
+        log("Now paste the Cloud API key from that same `exe-os cloud link --show-full` output.");
+        log("It starts with: exe_sk_");
         log("");
-        const apiKey = await ask(rl, "API key (exe_sk_...): ");
+        const apiKey = await ask(rl, "Cloud API key (starts with exe_sk_): ");
         if (apiKey && apiKey.startsWith("exe_sk_")) {
           const cloudEndpoint = "https://askexe.com/cloud";
           const cloudCfg = { apiKey, endpoint: cloudEndpoint };
@@ -7719,7 +8266,7 @@ async function runSetupWizard(opts = {}) {
     if (state.completedSteps.length > 0) {
       log(`Resuming setup from step ${Math.max(...state.completedSteps) + 1}...`);
     }
-    if (existsSync16(LEGACY_LANCE_PATH)) {
+    if (existsSync17(LEGACY_LANCE_PATH)) {
       log("\u26A0 Found v1.0 LanceDB at ~/.exe-os/local.lance");
       log("  v1.1 uses libSQL (SQLite). Your existing memories are not automatically migrated.");
       log("  The old directory will not be modified or deleted.");
@@ -7743,14 +8290,22 @@ async function runSetupWizard(opts = {}) {
         log("");
         log("  " + mnemonic);
         log("");
-        log("  SAVE THIS NOW. Write it down or store it in your password");
-        log("  manager. This phrase is the ONLY way to decrypt your memories");
-        log("  if you lose this computer. We cannot recover it for you.");
+        log("  SAVE THIS NOW before continuing.");
+        log("  Best: put it in your password manager, or write it down and keep it safe.");
+        log("  This phrase is the ONLY way to decrypt your memories if you lose this computer.");
+        log("  We cannot recover it for you.");
         log("");
         log("  Like a Bitcoin wallet \u2014 lose the phrase, lose everything.");
         log("=============================================================");
         log("");
-        await ask(rl, "Press Enter after you've saved your recovery phrase...");
+        const confirmation = await ask(rl, 'Type "I SAVED MY RECOVERY PHRASE" after you have saved it: ');
+        if (confirmation !== "I SAVED MY RECOVERY PHRASE") {
+          throw new Error(
+            "Setup cancelled: recovery phrase was not confirmed. Save the 24-word phrase before continuing \u2014 it is required to recover encrypted memories."
+          );
+        }
+        const { markKeyBackupConfirmed: markKeyBackupConfirmed2 } = await Promise.resolve().then(() => (init_key_backup_status(), key_backup_status_exports));
+        markKeyBackupConfirmed2("setup-wizard");
       }
       state.completedSteps.push(1);
       saveSetupState(state);
@@ -7897,13 +8452,15 @@ async function runSetupWizard(opts = {}) {
       if (cloudConfig) {
         config.cloud = cloudConfig;
       }
+      const { applyDefaultOrchestrationPhase: applyDefaultOrchestrationPhase2 } = await Promise.resolve().then(() => (init_orchestration_phase(), orchestration_phase_exports));
+      applyDefaultOrchestrationPhase2(config);
       await saveConfig(config);
       log("");
       try {
-        const claudeJsonPath = path16.join(os8.homedir(), ".claude.json");
+        const claudeJsonPath = path17.join(os8.homedir(), ".claude.json");
         let claudeJson = {};
         try {
-          claudeJson = JSON.parse(readFileSync12(claudeJsonPath, "utf8"));
+          claudeJson = JSON.parse(readFileSync13(claudeJsonPath, "utf8"));
         } catch {
         }
         if (!claudeJson.projects) claudeJson.projects = {};
@@ -7912,7 +8469,7 @@ async function runSetupWizard(opts = {}) {
           if (!projects[dir]) projects[dir] = {};
           projects[dir].hasTrustDialogAccepted = true;
         }
-        writeFileSync10(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+        writeFileSync11(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
       } catch {
       }
       state.completedSteps.push(5);
@@ -7926,7 +8483,7 @@ async function runSetupWizard(opts = {}) {
       const prefs = { ...existingPrefs };
       log("=== Config Defaults ===");
       log("");
-      const ghosttyDetected = existsSync16(path16.join(os8.homedir(), ".config", "ghostty")) || existsSync16(path16.join(os8.homedir(), "Library", "Application Support", "com.mitchellh.ghostty"));
+      const ghosttyDetected = existsSync17(path17.join(os8.homedir(), ".config", "ghostty")) || existsSync17(path17.join(os8.homedir(), "Library", "Application Support", "com.mitchellh.ghostty"));
       if (ghosttyDetected) {
         const ghosttyAnswer = await ask(rl, "Detected Ghostty terminal. Use exe-os Ghostty defaults? (Y/n) ");
         prefs.ghostty = ghosttyAnswer.toLowerCase() !== "n";
@@ -7973,7 +8530,7 @@ async function runSetupWizard(opts = {}) {
       let missingIdentities = [];
       for (const emp of roster) {
         const idPath = identityPath2(emp.name);
-        if (!existsSync16(idPath)) {
+        if (!existsSync17(idPath)) {
           missingIdentities.push(emp.name);
         }
       }
@@ -8005,7 +8562,7 @@ async function runSetupWizard(opts = {}) {
           }
           missingIdentities = [];
           for (const emp of roster) {
-            if (!existsSync16(identityPath2(emp.name))) {
+            if (!existsSync17(identityPath2(emp.name))) {
               missingIdentities.push(emp.name);
             }
           }
@@ -8064,9 +8621,9 @@ async function runSetupWizard(opts = {}) {
       const cooIdentityContent = getIdentityTemplate("coo");
       if (cooIdentityContent) {
         const cooIdPath = identityPath2(cooName);
-        mkdirSync8(path16.dirname(cooIdPath), { recursive: true });
+        mkdirSync9(path17.dirname(cooIdPath), { recursive: true });
         const replaced = cooIdentityContent.replace(/agent_id:\s*exe/g, `agent_id: ${cooName}`).replace(/\$\{agent_id\}/g, cooName);
-        writeFileSync10(cooIdPath, replaced, "utf-8");
+        writeFileSync11(cooIdPath, replaced, "utf-8");
       }
       registerBinSymlinks2(cooName);
       createdEmployees.push({ name: cooName, role: "COO" });
@@ -8117,7 +8674,8 @@ async function runSetupWizard(opts = {}) {
       }
       if (!isLicensed) {
         log("");
-        log("You're all set. Your COO handles everything from here.");
+        log("You're all set. You're starting in Phase 1: COO / Chief of Staff mode.");
+        log("Your COO will learn your company context first. You can unlock executives later anytime.");
         log("When you're ready for specialists, add a license key at askexe.com.");
         log("");
         log(`Type your COO's name to start: /${cooName}`);
@@ -8132,67 +8690,89 @@ async function runSetupWizard(opts = {}) {
     }
     if (!state.completedSteps.includes(8)) {
       let employees = await loadEmployees2(EMPLOYEES_PATH2).catch(() => []);
-      log("=== Hire Your Team ===");
+      log("=== Orchestration Phase ===");
       log("");
-      log("Your COO coordinates specialists. Each one stays focused on");
-      log("their domain \u2014 no context switching, no competing priorities.");
+      log("Recommended default: Phase 1 \u2014 COO / Chief of Staff mode.");
+      log("Start with one-on-one conversations so your COO learns your company,");
+      log("vision, priorities, constraints, and operating style before delegating.");
       log("");
-      const ctoTemplate = getTemplateByRole2("CTO");
-      const ctoDefault = ctoTemplate?.name ?? "cto";
-      log(`  CTO \u2014 engineering, architecture, code reviews (default: ${ctoDefault})`);
-      const cmoTemplate = getTemplateByRole2("CMO");
-      const cmoDefault = cmoTemplate?.name ?? "cmo";
-      log(`  CMO \u2014 design, brand, content, marketing (default: ${cmoDefault})`);
+      log("You can jump ahead now if you want. This is a suggestion, not a blocker.");
       log("");
-      const ctoNameInput = await ask(rl, `Name your CTO (default: ${ctoDefault}): `);
-      const ctoName = (ctoNameInput || ctoDefault).toLowerCase();
-      if (!employees.some((e) => e.name === ctoName)) {
-        const ctoEmployee = {
-          name: ctoName,
-          role: "CTO",
-          createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-          templateName: ctoDefault,
-          templateVersion: 1
-        };
-        employees = addEmployee2(employees, ctoEmployee);
-        await saveEmployees2(employees, EMPLOYEES_PATH2);
-      }
-      const ctoIdentityContent = getIdentityTemplate("cto");
-      if (ctoIdentityContent) {
-        const ctoIdPath = identityPath2(ctoName);
-        mkdirSync8(path16.dirname(ctoIdPath), { recursive: true });
-        const replaced = ctoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${ctoName}`).replace(/\$\{agent_id\}/g, ctoName);
-        writeFileSync10(ctoIdPath, replaced, "utf-8");
-      }
-      registerBinSymlinks2(ctoName);
-      createdEmployees.push({ name: ctoName, role: "CTO" });
-      log(`Created ${ctoName} (CTO)`);
-      const cmoNameInput = await ask(rl, `Name your CMO (default: ${cmoDefault}): `);
-      const cmoName = (cmoNameInput || cmoDefault).toLowerCase();
-      if (!employees.some((e) => e.name === cmoName)) {
-        const cmoEmployee = {
-          name: cmoName,
-          role: "CMO",
-          createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-          templateName: cmoDefault,
-          templateVersion: 1
-        };
-        employees = addEmployee2(employees, cmoEmployee);
-        await saveEmployees2(employees, EMPLOYEES_PATH2);
-      }
-      const cmoIdentityContent = getIdentityTemplate("cmo");
-      if (cmoIdentityContent) {
-        const cmoIdPath = identityPath2(cmoName);
-        mkdirSync8(path16.dirname(cmoIdPath), { recursive: true });
-        const replaced = cmoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${cmoName}`).replace(/\$\{agent_id\}/g, cmoName);
-        writeFileSync10(cmoIdPath, replaced, "utf-8");
-      }
-      registerBinSymlinks2(cmoName);
-      createdEmployees.push({ name: cmoName, role: "CMO" });
-      log(`Created ${cmoName} (CMO)`);
+      log("  Phase 1: COO only \u2014 build company context first");
+      log("  Phase 2: Executive bench \u2014 add CTO/CMO for repeated domain work");
+      log("  Phase 3: Parallel org \u2014 specialists execute in parallel with reviews");
       log("");
-      state.completedSteps.push(8);
-      saveSetupState(state);
+      const unlockExecutives = (await ask(rl, "Unlock Phase 2 executives now? (y/N): ")).toLowerCase() === "y";
+      const { setOrchestrationPhase: setOrchestrationPhase2 } = await Promise.resolve().then(() => (init_orchestration_phase(), orchestration_phase_exports));
+      if (!unlockExecutives) {
+        await setOrchestrationPhase2("phase_1_coo", "setup-wizard");
+        log("");
+        log("Starting in Phase 1. Your executive templates are available when you're ready.");
+        log("Later: run `exe-os org unlock executives` to move to Phase 2.");
+        state.completedSteps.push(8);
+        saveSetupState(state);
+      } else {
+        await setOrchestrationPhase2("phase_2_executives", "setup-wizard");
+        log("");
+        log("Phase 2 enabled. Let's name your executive bench.");
+        log("");
+        const ctoTemplate = getTemplateByRole2("CTO");
+        const ctoDefault = ctoTemplate?.name ?? "cto";
+        log(`  CTO \u2014 engineering, architecture, code reviews (default: ${ctoDefault})`);
+        const cmoTemplate = getTemplateByRole2("CMO");
+        const cmoDefault = cmoTemplate?.name ?? "cmo";
+        log(`  CMO \u2014 design, brand, content, marketing (default: ${cmoDefault})`);
+        log("");
+        const ctoNameInput = await ask(rl, `Name your CTO (default: ${ctoDefault}): `);
+        const ctoName = (ctoNameInput || ctoDefault).toLowerCase();
+        if (!employees.some((e) => e.name === ctoName)) {
+          const ctoEmployee = {
+            name: ctoName,
+            role: "CTO",
+            createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+            templateName: ctoDefault,
+            templateVersion: 1
+          };
+          employees = addEmployee2(employees, ctoEmployee);
+          await saveEmployees2(employees, EMPLOYEES_PATH2);
+        }
+        const ctoIdentityContent = getIdentityTemplate("cto");
+        if (ctoIdentityContent) {
+          const ctoIdPath = identityPath2(ctoName);
+          mkdirSync9(path17.dirname(ctoIdPath), { recursive: true });
+          const replaced = ctoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${ctoName}`).replace(/\$\{agent_id\}/g, ctoName);
+          writeFileSync11(ctoIdPath, replaced, "utf-8");
+        }
+        registerBinSymlinks2(ctoName);
+        createdEmployees.push({ name: ctoName, role: "CTO" });
+        log(`Created ${ctoName} (CTO)`);
+        const cmoNameInput = await ask(rl, `Name your CMO (default: ${cmoDefault}): `);
+        const cmoName = (cmoNameInput || cmoDefault).toLowerCase();
+        if (!employees.some((e) => e.name === cmoName)) {
+          const cmoEmployee = {
+            name: cmoName,
+            role: "CMO",
+            createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+            templateName: cmoDefault,
+            templateVersion: 1
+          };
+          employees = addEmployee2(employees, cmoEmployee);
+          await saveEmployees2(employees, EMPLOYEES_PATH2);
+        }
+        const cmoIdentityContent = getIdentityTemplate("cmo");
+        if (cmoIdentityContent) {
+          const cmoIdPath = identityPath2(cmoName);
+          mkdirSync9(path17.dirname(cmoIdPath), { recursive: true });
+          const replaced = cmoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${cmoName}`).replace(/\$\{agent_id\}/g, cmoName);
+          writeFileSync11(cmoIdPath, replaced, "utf-8");
+        }
+        registerBinSymlinks2(cmoName);
+        createdEmployees.push({ name: cmoName, role: "CMO" });
+        log(`Created ${cmoName} (CMO)`);
+        log("");
+        state.completedSteps.push(8);
+        saveSetupState(state);
+      }
     } else {
       log("Step 8 already complete \u2014 skipping.");
     }
@@ -8207,7 +8787,7 @@ async function runSetupWizard(opts = {}) {
             log(`Session shortcuts generated (${cooName}1, ${cooName}2, ...)`);
           }
           if (wrapResult.pathConfigured) {
-            const binDir = path16.join(os8.homedir(), ".exe-os", "bin");
+            const binDir = path17.join(os8.homedir(), ".exe-os", "bin");
             process.env.PATH = `${binDir}:${process.env.PATH ?? ""}`;
             pathJustConfigured = true;
           }
@@ -8250,7 +8830,7 @@ async function runSetupWizard(opts = {}) {
     const pkgRoot2 = findPackageRoot2();
     if (pkgRoot2) {
       try {
-        version = JSON.parse(readFileSync12(path16.join(pkgRoot2, "package.json"), "utf-8")).version;
+        version = JSON.parse(readFileSync13(path17.join(pkgRoot2, "package.json"), "utf-8")).version;
       } catch {
       }
     }
@@ -8264,6 +8844,10 @@ async function runSetupWizard(opts = {}) {
     log("");
     log("=== Next Steps ===");
     log("");
+    log("  Recommended start:        Phase 1 \u2014 talk to your COO first");
+    log("  Check/change phase:       exe-os org phase");
+    log("  Unlock executives later:  exe-os org unlock executives");
+    log("");
     log(`  cd into a project folder:  cd ~/my-project`);
     log(`  Launch your COO:           ${cooName}1`);
     if (pathJustConfigured) {