@askexenow/exe-os 0.9.65 → 0.9.67

package/dist/lib/cloud-sync.js

@@ -181,6 +181,10 @@ var init_config = __esm({
         checkOnBoot: true,
         autoInstall: false,
         checkIntervalMs: 24 * 60 * 60 * 1e3
+      },
+      orchestration: {
+        phase: "phase_1_coo",
+        phaseSetBy: "default"
       }
     };
   }
@@ -1467,6 +1471,9 @@ function getClient() {
   if (_daemonClient && _daemonClient._isDaemonActive()) {
     return _daemonClient;
   }
+  if (!_resilientClient) {
+    return _adapterClient;
+  }
   return _resilientClient;
 }
 async function initDaemonClient() {
@@ -2499,6 +2506,127 @@ async function ensureSchema() {
       VALUES (new.rowid, new.content, new.subject, new.predicate, new.object);
     END;
   `);
+  await client.executeMultiple(`
+    CREATE TABLE IF NOT EXISTS agent_sessions (
+      id              TEXT PRIMARY KEY,
+      agent_id        TEXT NOT NULL,
+      project_name    TEXT,
+      started_at      TEXT NOT NULL,
+      last_event_at   TEXT NOT NULL,
+      event_count     INTEGER NOT NULL DEFAULT 0,
+      properties      TEXT DEFAULT '{}'
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_sessions_agent_time
+      ON agent_sessions(agent_id, started_at);
+
+    CREATE TABLE IF NOT EXISTS agent_goals (
+      id                TEXT PRIMARY KEY,
+      statement         TEXT NOT NULL,
+      owner_agent_id    TEXT,
+      project_name      TEXT,
+      status            TEXT NOT NULL DEFAULT 'open',
+      priority          INTEGER NOT NULL DEFAULT 5,
+      success_criteria  TEXT,
+      parent_goal_id    TEXT,
+      due_at            TEXT,
+      achieved_at       TEXT,
+      supersedes_id     TEXT,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL,
+      source_memory_id  TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goals_project_status
+      ON agent_goals(project_name, status, priority);
+
+    CREATE TABLE IF NOT EXISTS agent_events (
+      id                  TEXT PRIMARY KEY,
+      event_type          TEXT NOT NULL,
+      occurred_at         TEXT NOT NULL,
+      sequence_index      INTEGER NOT NULL,
+      actor_agent_id      TEXT,
+      agent_role          TEXT,
+      project_name        TEXT,
+      session_id          TEXT,
+      task_id             TEXT,
+      goal_id             TEXT,
+      parent_event_id     TEXT,
+      intention           TEXT,
+      outcome             TEXT,
+      evidence_memory_id  TEXT,
+      impact              TEXT,
+      payload             TEXT DEFAULT '{}',
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_time
+      ON agent_events(occurred_at, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_session_seq
+      ON agent_events(session_id, sequence_index);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_goal_time
+      ON agent_events(goal_id, occurred_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_events_memory
+      ON agent_events(evidence_memory_id);
+
+    CREATE TABLE IF NOT EXISTS agent_goal_links (
+      id           TEXT PRIMARY KEY,
+      goal_id      TEXT NOT NULL,
+      link_type    TEXT NOT NULL,
+      target_id    TEXT NOT NULL,
+      target_type  TEXT NOT NULL,
+      created_at   TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_goal_links_goal
+      ON agent_goal_links(goal_id, target_type);
+
+    CREATE TABLE IF NOT EXISTS agent_semantic_labels (
+      id                TEXT PRIMARY KEY,
+      source_memory_id  TEXT NOT NULL,
+      event_id          TEXT,
+      labeler           TEXT NOT NULL,
+      schema_version    INTEGER NOT NULL DEFAULT 1,
+      confidence        REAL NOT NULL DEFAULT 0,
+      labels            TEXT NOT NULL,
+      created_at        TEXT NOT NULL,
+      updated_at        TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_memory
+      ON agent_semantic_labels(source_memory_id, labeler);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_semantic_labels_event
+      ON agent_semantic_labels(event_id);
+
+    CREATE TABLE IF NOT EXISTS agent_reflection_checkpoints (
+      id                  TEXT PRIMARY KEY,
+      project_name        TEXT,
+      session_id          TEXT,
+      window_start_at     TEXT NOT NULL,
+      window_end_at       TEXT NOT NULL,
+      event_count         INTEGER NOT NULL DEFAULT 0,
+      goal_count          INTEGER NOT NULL DEFAULT 0,
+      success_count       INTEGER NOT NULL DEFAULT 0,
+      failure_count       INTEGER NOT NULL DEFAULT 0,
+      risk_count          INTEGER NOT NULL DEFAULT 0,
+      summary             TEXT NOT NULL,
+      learnings           TEXT NOT NULL DEFAULT '[]',
+      next_actions        TEXT NOT NULL DEFAULT '[]',
+      evidence_event_ids  TEXT NOT NULL DEFAULT '[]',
+      confidence          REAL NOT NULL DEFAULT 0,
+      created_at          TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_project_time
+      ON agent_reflection_checkpoints(project_name, window_end_at);
+
+    CREATE INDEX IF NOT EXISTS idx_agent_reflection_session_time
+      ON agent_reflection_checkpoints(session_id, window_end_at);
+  `);
   try {
     await client.execute({
       sql: `ALTER TABLE memories ADD COLUMN tier INTEGER DEFAULT 3`,
@@ -2877,12 +3005,13 @@ var keychain_exports = {};
 __export(keychain_exports, {
   deleteMasterKey: () => deleteMasterKey,
   exportMnemonic: () => exportMnemonic,
+  getKeyStorageInfo: () => getKeyStorageInfo,
   getMasterKey: () => getMasterKey,
   importMnemonic: () => importMnemonic,
   setMasterKey: () => setMasterKey
 });
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync8 } from "fs";
+import { existsSync as existsSync8, statSync as statSync2 } from "fs";
 import { execSync as execSync2 } from "child_process";
 import path8 from "path";
 import os6 from "os";
@@ -2892,29 +3021,65 @@ function getKeyDir() {
 function getKeyPath() {
   return path8.join(getKeyDir(), "master.key");
 }
-function macKeychainGet() {
+function nativeKeychainAllowed() {
+  return process.env.EXE_OS_DISABLE_NATIVE_KEYCHAIN !== "1";
+}
+function linuxSecretAvailable() {
+  if (!nativeKeychainAllowed()) return false;
+  if (process.platform !== "linux") return false;
+  if (linuxSecretAvailability !== null) return linuxSecretAvailability;
+  try {
+    execSync2("command -v secret-tool >/dev/null 2>&1", { timeout: 1e3 });
+  } catch {
+    linuxSecretAvailability = false;
+    return false;
+  }
+  try {
+    execSync2("secret-tool search --all exe-os probe >/dev/null 2>&1", { timeout: 1e3 });
+    linuxSecretAvailability = true;
+  } catch {
+    linuxSecretAvailability = false;
+  }
+  return linuxSecretAvailability;
+}
+function isRootOnlyTrustedServerKeyFile(keyPath) {
+  if (process.platform !== "linux") return false;
+  try {
+    const uid = typeof os6.userInfo().uid === "number" ? os6.userInfo().uid : -1;
+    const st = statSync2(keyPath);
+    if (!st.isFile() || (st.mode & 63) !== 0) return false;
+    if (uid === 0) return true;
+    const exeOsDir = process.env.EXE_OS_DIR;
+    return Boolean(exeOsDir && path8.resolve(keyPath).startsWith(path8.resolve(exeOsDir) + path8.sep));
+  } catch {
+    return false;
+  }
+}
+function macKeychainGet(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return null;
   if (process.platform !== "darwin") return null;
   try {
     return execSync2(
-      `security find-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w 2>/dev/null`,
+      `security find-generic-password -s "${service}" -a "${ACCOUNT}" -w 2>/dev/null`,
       { encoding: "utf-8", timeout: 5e3 }
     ).trim();
   } catch {
     return null;
   }
 }
-function macKeychainSet(value) {
+function macKeychainSet(value, service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "darwin") return false;
   try {
     try {
       execSync2(
-        `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+        `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
         { timeout: 5e3 }
       );
     } catch {
     }
     execSync2(
-      `security add-generic-password -s "${SERVICE}" -a "${ACCOUNT}" -w "${value}"`,
+      `security add-generic-password -s "${service}" -a "${ACCOUNT}" -w "${value}"`,
       { timeout: 5e3 }
     );
     return true;
@@ -2922,11 +3087,12 @@ function macKeychainSet(value) {
     return false;
   }
 }
-function macKeychainDelete() {
+function macKeychainDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "darwin") return false;
   try {
     execSync2(
-      `security delete-generic-password -s "${SERVICE}" -a "${ACCOUNT}" 2>/dev/null`,
+      `security delete-generic-password -s "${service}" -a "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -2934,22 +3100,22 @@ function macKeychainDelete() {
     return false;
   }
 }
-function linuxSecretGet() {
-  if (process.platform !== "linux") return null;
+function linuxSecretGet(service = SERVICE) {
+  if (!linuxSecretAvailable()) return null;
   try {
     return execSync2(
-      `secret-tool lookup service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      `secret-tool lookup service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { encoding: "utf-8", timeout: 5e3 }
     ).trim();
   } catch {
     return null;
   }
 }
-function linuxSecretSet(value) {
-  if (process.platform !== "linux") return false;
+function linuxSecretSet(value, service = SERVICE) {
+  if (!linuxSecretAvailable()) return false;
   try {
     execSync2(
-      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${SERVICE}" account "${ACCOUNT}"`,
+      `echo -n "${value}" | secret-tool store --label="exe-os master key" service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -2957,11 +3123,12 @@ function linuxSecretSet(value) {
     return false;
   }
 }
-function linuxSecretDelete() {
+function linuxSecretDelete(service = SERVICE) {
+  if (!nativeKeychainAllowed()) return false;
   if (process.platform !== "linux") return false;
   try {
     execSync2(
-      `secret-tool clear service "${SERVICE}" account "${ACCOUNT}" 2>/dev/null`,
+      `secret-tool clear service "${service}" account "${ACCOUNT}" 2>/dev/null`,
       { timeout: 5e3 }
     );
     return true;
@@ -2970,6 +3137,7 @@ function linuxSecretDelete() {
   }
 }
 async function tryKeytar() {
+  if (!nativeKeychainAllowed()) return null;
   try {
     return await import("keytar");
   } catch {
@@ -3043,7 +3211,19 @@ async function writeMachineBoundFileFallback(b64) {
   return "plaintext";
 }
 async function getMasterKey() {
-  const nativeValue = macKeychainGet() ?? linuxSecretGet();
+  let nativeValue = macKeychainGet() ?? linuxSecretGet();
+  if (!nativeValue) {
+    const legacyValue = macKeychainGet(LEGACY_SERVICE) ?? linuxSecretGet(LEGACY_SERVICE);
+    if (legacyValue) {
+      const migrated = macKeychainSet(legacyValue) || linuxSecretSet(legacyValue);
+      if (migrated) {
+        macKeychainDelete(LEGACY_SERVICE);
+        linuxSecretDelete(LEGACY_SERVICE);
+        process.stderr.write("[keychain] Migrated keychain service from exe-mem to exe-os.\n");
+      }
+      nativeValue = legacyValue;
+    }
+  }
   if (nativeValue) {
     return Buffer.from(nativeValue, "base64");
   }
@@ -3051,12 +3231,17 @@ async function getMasterKey() {
   if (keytar) {
     try {
       const keytarValue = await keytar.getPassword(SERVICE, ACCOUNT);
-      if (keytarValue) {
-        const migrated = macKeychainSet(keytarValue) || linuxSecretSet(keytarValue);
+      const legacyKeytarValue = keytarValue ?? await keytar.getPassword(LEGACY_SERVICE, ACCOUNT);
+      if (legacyKeytarValue) {
+        const migrated = macKeychainSet(legacyKeytarValue) || linuxSecretSet(legacyKeytarValue);
         if (migrated) {
           process.stderr.write("[keychain] Migrated key from keytar to native keychain.\n");
+          try {
+            await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
+          } catch {
+          }
         }
-        return Buffer.from(keytarValue, "base64");
+        return Buffer.from(legacyKeytarValue, "base64");
       }
     } catch {
     }
@@ -3081,7 +3266,7 @@ async function getMasterKey() {
       const decrypted = decryptWithMachineKey(content, machineKey);
       if (!decrypted) {
         process.stderr.write(
-          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase: exe-os link import\n"
+          "[keychain] Key decryption failed \u2014 machine may have changed.\n  Use your 24-word recovery phrase during setup: exe-os setup\n"
         );
         return null;
       }
@@ -3090,6 +3275,9 @@ async function getMasterKey() {
       b64Value = content;
     }
     const key = Buffer.from(b64Value, "base64");
+    if (!content.startsWith(ENCRYPTED_PREFIX) && isRootOnlyTrustedServerKeyFile(keyPath)) {
+      return key;
+    }
     const migrated = macKeychainSet(b64Value) || linuxSecretSet(b64Value);
     if (migrated) {
       process.stderr.write("[keychain] Migrated key from file to native keychain.\n");
@@ -3117,6 +3305,97 @@ async function getMasterKey() {
     return null;
   }
 }
+async function getKeyStorageInfo() {
+  if (macKeychainGet()) {
+    return {
+      kind: "macos-keychain",
+      secure: true,
+      note: "stored in macOS Keychain via built-in security CLI"
+    };
+  }
+  if (macKeychainGet(LEGACY_SERVICE)) {
+    return {
+      kind: "macos-keychain",
+      secure: true,
+      note: "stored in legacy macOS Keychain service exe-mem; next key read migrates it to exe-os"
+    };
+  }
+  if (linuxSecretGet()) {
+    return {
+      kind: "linux-secret-service",
+      secure: true,
+      note: "stored in Linux Secret Service via secret-tool"
+    };
+  }
+  if (linuxSecretGet(LEGACY_SERVICE)) {
+    return {
+      kind: "linux-secret-service",
+      secure: true,
+      note: "stored in legacy Linux Secret Service service exe-mem; next key read migrates it to exe-os"
+    };
+  }
+  const keytar = await tryKeytar();
+  if (keytar) {
+    try {
+      if (await keytar.getPassword(SERVICE, ACCOUNT)) {
+        return {
+          kind: "legacy-keytar",
+          secure: true,
+          note: "stored in legacy keytar backend; will migrate to native keychain when possible"
+        };
+      }
+      if (await keytar.getPassword(LEGACY_SERVICE, ACCOUNT)) {
+        return {
+          kind: "legacy-keytar",
+          secure: true,
+          note: "stored in legacy keytar service exe-mem; will migrate to native exe-os keychain when possible"
+        };
+      }
+    } catch {
+    }
+  }
+  const keyPath = getKeyPath();
+  if (!existsSync8(keyPath)) {
+    return {
+      kind: "missing",
+      secure: false,
+      path: keyPath,
+      note: "no key found in OS keychain, legacy keytar, or file fallback"
+    };
+  }
+  try {
+    const content = (await readFile3(keyPath, "utf-8")).trim();
+    if (content.startsWith(ENCRYPTED_PREFIX)) {
+      return {
+        kind: "encrypted-file",
+        secure: true,
+        path: keyPath,
+        note: "stored in machine-bound encrypted file fallback"
+      };
+    }
+    if (isRootOnlyTrustedServerKeyFile(keyPath)) {
+      return {
+        kind: "server-secret-file",
+        secure: true,
+        path: keyPath,
+        note: "stored as root-only trusted server secret file"
+      };
+    }
+    return {
+      kind: "plaintext-file",
+      secure: false,
+      path: keyPath,
+      note: "stored in legacy plaintext file; reading it will migrate or encrypt it"
+    };
+  } catch {
+    return {
+      kind: "missing",
+      secure: false,
+      path: keyPath,
+      note: "key file exists but could not be read"
+    };
+  }
+}
 async function setMasterKey(key) {
   const b64 = key.toString("base64");
   if (macKeychainSet(b64) || linuxSecretSet(b64)) {
@@ -3142,10 +3421,13 @@ async function setMasterKey(key) {
 async function deleteMasterKey() {
   macKeychainDelete();
   linuxSecretDelete();
+  macKeychainDelete(LEGACY_SERVICE);
+  linuxSecretDelete(LEGACY_SERVICE);
   const keytar = await tryKeytar();
   if (keytar) {
     try {
       await keytar.deletePassword(SERVICE, ACCOUNT);
+      await keytar.deletePassword(LEGACY_SERVICE, ACCOUNT);
     } catch {
     }
   }
@@ -3183,12 +3465,14 @@ async function importMnemonic(mnemonic) {
   const entropy = mnemonicToEntropy(trimmed);
   return Buffer.from(entropy, "hex");
 }
-var SERVICE, ACCOUNT, ENCRYPTED_PREFIX;
+var SERVICE, LEGACY_SERVICE, ACCOUNT, linuxSecretAvailability, ENCRYPTED_PREFIX;
 var init_keychain = __esm({
   "src/lib/keychain.ts"() {
     "use strict";
-    SERVICE = "exe-mem";
+    SERVICE = "exe-os";
+    LEGACY_SERVICE = "exe-mem";
     ACCOUNT = "master-key";
+    linuxSecretAvailability = null;
     ENCRYPTED_PREFIX = "enc:";
   }
 });
@@ -3204,7 +3488,7 @@ __export(db_backup_exports, {
   listBackups: () => listBackups,
   rotateBackups: () => rotateBackups
 });
-import { copyFileSync, existsSync as existsSync9, mkdirSync as mkdirSync4, readdirSync, unlinkSync as unlinkSync4, statSync as statSync2 } from "fs";
+import { copyFileSync, existsSync as existsSync9, mkdirSync as mkdirSync4, readdirSync, unlinkSync as unlinkSync4, statSync as statSync3 } from "fs";
 import path9 from "path";
 function findActiveDb() {
   for (const name of DB_NAMES) {
@@ -3248,7 +3532,7 @@ function rotateBackups(keepDays = DEFAULT_KEEP_DAYS) {
       if (!file.endsWith(".db") && !file.endsWith(".db-wal") && !file.endsWith(".db-shm")) continue;
       const filePath = path9.join(BACKUP_DIR, file);
       try {
-        const stat = statSync2(filePath);
+        const stat = statSync3(filePath);
         if (stat.mtimeMs < cutoff) {
           unlinkSync4(filePath);
           deleted++;
@@ -3266,7 +3550,7 @@ function listBackups() {
     const files = readdirSync(BACKUP_DIR).filter((f) => f.endsWith(".db") && !f.endsWith("-wal") && !f.endsWith("-shm"));
     return files.map((name) => {
       const p = path9.join(BACKUP_DIR, name);
-      const stat = statSync2(p);
+      const stat = statSync3(p);
       return { path: p, name, size: stat.size, date: stat.mtime };
     }).sort((a, b) => b.date.getTime() - a.date.getTime());
   } catch {
@@ -3298,7 +3582,7 @@ var init_db_backup = __esm({
 
 // src/lib/cloud-sync.ts
 init_database();
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, existsSync as existsSync10, readdirSync as readdirSync2, mkdirSync as mkdirSync5, appendFileSync, unlinkSync as unlinkSync5, openSync as openSync2, closeSync as closeSync2, statSync as statSync3 } from "fs";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, existsSync as existsSync10, readdirSync as readdirSync2, mkdirSync as mkdirSync5, appendFileSync, unlinkSync as unlinkSync5, openSync as openSync2, closeSync as closeSync2, statSync as statSync4 } from "fs";
 import crypto3 from "crypto";
 import path10 from "path";
 import { homedir as homedir2 } from "os";
@@ -3453,18 +3737,36 @@ function loadPgClient() {
       const { pathToFileURL: pathToFileURL3 } = await import("url");
       const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
       if (explicitPath) {
-        const mod2 = await import(pathToFileURL3(explicitPath).href);
-        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
-        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
-        return new Ctor2();
+        const mod = await import(pathToFileURL3(explicitPath).href);
+        const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+        if (!Ctor) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor();
       }
       const exeDbRoot = process.env.EXE_DB_ROOT ?? path10.join(homedir2(), "exe-db");
-      const req = createRequire3(path10.join(exeDbRoot, "package.json"));
-      const entry = req.resolve("@prisma/client");
-      const mod = await import(pathToFileURL3(entry).href);
-      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
-      if (!Ctor) throw new Error("No PrismaClient");
-      return new Ctor();
+      const packagePath = path10.join(exeDbRoot, "package.json");
+      if (existsSync10(packagePath)) {
+        const req = createRequire3(packagePath);
+        const entry = req.resolve("@prisma/client");
+        const mod = await import(pathToFileURL3(entry).href);
+        const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+        if (!Ctor) throw new Error("No PrismaClient");
+        return new Ctor();
+      }
+      const { Pool } = await import("pg");
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      return {
+        async $queryRawUnsafe(query, ...values) {
+          const result = await pool.query(query, values);
+          return result.rows;
+        },
+        async $executeRawUnsafe(query, ...values) {
+          const result = await pool.query(query, values);
+          return result.rowCount ?? 0;
+        },
+        async $disconnect() {
+          await pool.end();
+        }
+      };
     })().catch(() => {
       _pgFailed = true;
       _pgPromise = null;
@@ -3485,7 +3787,7 @@ async function pushToPostgres(records) {
   let inserted = 0;
   for (const rec of records) {
     try {
-      await prisma.$executeRawUnsafe(
+      const changed = await prisma.$executeRawUnsafe(
         `INSERT INTO raw.raw_events (id, source, source_id, event_type, payload, metadata, timestamp)
          VALUES (gen_random_uuid(), 'cloud_sync', $1, 'memory', $2::jsonb, $3::jsonb, $4)
          ON CONFLICT (source, source_id, event_type) DO NOTHING`,
@@ -3494,7 +3796,7 @@ async function pushToPostgres(records) {
         JSON.stringify({ agent_id: rec.agent_id, project_name: rec.project_name, tool_name: rec.tool_name }),
         rec.timestamp ? new Date(String(rec.timestamp)) : /* @__PURE__ */ new Date()
       );
-      inserted++;
+      inserted += Number(changed ?? 0);
     } catch {
     }
   }
@@ -3599,6 +3901,23 @@ async function cloudPush(records, maxVersion, config) {
     return false;
   }
 }
+async function cloudResetMemoryBlobs(config) {
+  assertSecureEndpoint(config.endpoint);
+  const resp = await fetchWithRetry(`${config.endpoint}/sync/reset-memory`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${config.apiKey}`,
+      "Content-Type": "application/json",
+      "X-Device-Id": loadDeviceId()
+    },
+    body: JSON.stringify({ confirm: "LOCAL DB IS SOURCE OF TRUTH" })
+  });
+  if (!resp.ok) {
+    throw new Error(`cloud reset failed: HTTP ${resp.status}`);
+  }
+  const data = await resp.json();
+  return { deleted: Number(data.deleted ?? 0), freedBytes: Number(data.freed_bytes ?? 0) };
+}
 async function cloudPull(sinceVersion, config) {
   assertSecureEndpoint(config.endpoint);
   try {
@@ -3618,22 +3937,62 @@ async function cloudPull(sinceVersion, config) {
     if (!response.ok) return { records: [], maxVersion: sinceVersion };
     const data = await response.json();
     const allRecords = [];
-    for (const { blob } of data.blobs ?? []) {
+    let maxReadableVersion = sinceVersion;
+    let skippedBlobs = 0;
+    for (const { version, blob } of data.blobs ?? []) {
       try {
         const compressed = decryptSyncBlob(blob);
         const json = decompress(compressed).toString("utf8");
         const records = JSON.parse(json);
         allRecords.push(...records);
+        const recordMax = records.reduce((max, rec) => {
+          const v = Number(rec.version ?? 0);
+          return Number.isFinite(v) ? Math.max(max, v) : max;
+        }, 0);
+        const blobVersion = Number(version ?? 0);
+        maxReadableVersion = Math.max(
+          maxReadableVersion,
+          Number.isFinite(blobVersion) ? blobVersion : 0,
+          recordMax
+        );
       } catch {
+        skippedBlobs++;
         continue;
       }
     }
-    return { records: allRecords, maxVersion: data.max_version ?? sinceVersion };
+    if (skippedBlobs > 0) {
+      logError(`[cloud-sync] PULL skipped ${skippedBlobs} undecryptable blob(s); pull cursor advanced only to last readable version ${maxReadableVersion}`);
+    }
+    return { records: allRecords, maxVersion: maxReadableVersion };
   } catch (err) {
     logError(`[cloud-sync] PULL FAILED: ${err instanceof Error ? err.message : String(err)}`);
     return { records: [], maxVersion: sinceVersion };
   }
 }
+var CLOUD_REUPLOAD_REQUIRED_MESSAGE = "Cloud sync is blocked because this device rotated its memory encryption key. Run `exe-os cloud reupload` first to re-upload the cloud backup with the new key.";
+async function getCloudReuploadRequired(client = getClient()) {
+  try {
+    await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+    const result = await client.execute("SELECT key, value FROM sync_meta WHERE key IN ('cloud_reupload_required', 'cloud_relink_required')");
+    return result.rows.some((row) => String(row.value ?? "") === "1");
+  } catch {
+    return false;
+  }
+}
+async function clearCloudReuploadRequired(client = getClient()) {
+  await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+  await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '0')");
+  await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_relink_required', '0')");
+  await client.execute({
+    sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reuploaded_at', ?)",
+    args: [(/* @__PURE__ */ new Date()).toISOString()]
+  });
+  await client.execute("DELETE FROM sync_meta WHERE key IN ('last_cloud_pull_version', 'last_cloud_push_version')");
+}
+async function markCloudReuploadRequired(client = getClient()) {
+  await client.execute("CREATE TABLE IF NOT EXISTS sync_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+  await client.execute("INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('cloud_reupload_required', '1')");
+}
 async function cloudSync(config) {
   if (!isSyncCryptoInitialized()) {
     try {
@@ -3655,13 +4014,10 @@ async function cloudSync(config) {
     throw new Error("[cloud-sync] Database not initialized. Call initStore() before cloudSync().");
   }
   try {
-    const relink = await client.execute("SELECT value FROM sync_meta WHERE key = 'cloud_relink_required' LIMIT 1");
-    if (String(relink.rows[0]?.value ?? "") === "1") {
-      throw new Error("[cloud-sync] Paused after key rotation. Re-link/reupload cloud sync with the new recovery phrase before syncing.");
-    }
+    if (await getCloudReuploadRequired(client)) throw new Error(CLOUD_REUPLOAD_REQUIRED_MESSAGE);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
-    if (msg.includes("Paused after key rotation")) throw err;
+    if (msg === CLOUD_REUPLOAD_REQUIRED_MESSAGE || msg.includes("key rotation")) throw err;
   }
   try {
     const { getRawClient: getRawClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
@@ -3919,7 +4275,7 @@ async function cloudSync(config) {
     const { getLatestBackup: getLatestBackup2 } = await Promise.resolve().then(() => (init_db_backup(), db_backup_exports));
     const latestBackup = getLatestBackup2();
     if (latestBackup) {
-      const backupSize = statSync3(latestBackup).size;
+      const backupSize = statSync4(latestBackup).size;
       const MAX_CLOUD_BACKUP_BYTES = 50 * 1024 * 1024;
       if (backupSize <= MAX_CLOUD_BACKUP_BYTES) {
         const backupData = readFileSync7(latestBackup);
@@ -4592,8 +4948,10 @@ async function cloudPullDocuments(config) {
   return { pulled };
 }
 export {
+  CLOUD_REUPLOAD_REQUIRED_MESSAGE,
   assertSecureEndpoint,
   buildRosterBlob,
+  clearCloudReuploadRequired,
   cloudPull,
   cloudPullBehaviors,
   cloudPullBlob,
@@ -4612,7 +4970,10 @@ export {
   cloudPushGraphRAG,
   cloudPushRoster,
   cloudPushTasks,
+  cloudResetMemoryBlobs,
   cloudSync,
+  getCloudReuploadRequired,
+  markCloudReuploadRequired,
   mergeConfig,
   mergeRosterFromRemote,
   pushToPostgres,