@askexenow/exe-os 0.9.7 → 0.9.9

package/dist/bin/exe-rename.js

@@ -9,9 +9,34 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/lib/secure-files.ts
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { chmod, mkdir } from "fs/promises";
+function ensurePrivateDirSync(dirPath) {
+  mkdirSync(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    chmodSync(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+function enforcePrivateFileSync(filePath) {
+  try {
+    if (existsSync(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+var PRIVATE_DIR_MODE, PRIVATE_FILE_MODE;
+var init_secure_files = __esm({
+  "src/lib/secure-files.ts"() {
+    "use strict";
+    PRIVATE_DIR_MODE = 448;
+    PRIVATE_FILE_MODE = 384;
+  }
+});
+
 // src/lib/config.ts
-import { readFile, writeFile, mkdir, chmod } from "fs/promises";
-import { readFileSync, existsSync, renameSync } from "fs";
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
 import path from "path";
 import os from "os";
 function resolveDataDir() {
@@ -19,7 +44,7 @@ function resolveDataDir() {
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
   const newDir = path.join(os.homedir(), ".exe-os");
   const legacyDir = path.join(os.homedir(), ".exe-mem");
-  if (!existsSync(newDir) && existsSync(legacyDir)) {
+  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
       process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
@@ -34,6 +59,7 @@ var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CON
 var init_config = __esm({
   "src/lib/config.ts"() {
     "use strict";
+    init_secure_files();
     EXE_AI_DIR = resolveDataDir();
     DB_PATH = path.join(EXE_AI_DIR, "memories.db");
     MODELS_DIR = path.join(EXE_AI_DIR, "models");
@@ -102,7 +128,7 @@ var init_config = __esm({
 
 // src/lib/employees.ts
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync2, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
 import { execSync } from "child_process";
 import path2 from "path";
 import os2 from "os";
@@ -134,7 +160,7 @@ function validateEmployeeName(name) {
   return { valid: true };
 }
 async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync2(employeesPath)) {
+  if (!existsSync3(employeesPath)) {
     return [];
   }
   const raw = await readFile2(employeesPath, "utf-8");
@@ -149,7 +175,7 @@ async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
   await writeFile2(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
 }
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync2(employeesPath)) return [];
+  if (!existsSync3(employeesPath)) return [];
   try {
     return JSON.parse(readFileSync2(employeesPath, "utf-8"));
   } catch {
@@ -183,7 +209,7 @@ function registerBinSymlinks(name) {
   for (const suffix of ["", "-opencode"]) {
     const linkName = `${name}${suffix}`;
     const linkPath = path2.join(binDir, linkName);
-    if (existsSync2(linkPath)) {
+    if (existsSync3(linkPath)) {
       skipped.push(linkName);
       continue;
     }
@@ -196,7 +222,7 @@ function registerBinSymlinks(name) {
   }
   return { created, skipped, errors };
 }
-var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE;
+var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, IDENTITY_DIR;
 var init_employees = __esm({
   "src/lib/employees.ts"() {
     "use strict";
@@ -204,6 +230,7 @@ var init_employees = __esm({
     EMPLOYEES_PATH = path2.join(EXE_AI_DIR, "exe-employees.json");
     DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
     COORDINATOR_ROLE = "COO";
+    IDENTITY_DIR = path2.join(EXE_AI_DIR, "identity");
   }
 });
 
@@ -262,13 +289,634 @@ var init_db_retry = __esm({
   }
 });
 
+// src/lib/database-adapter.ts
+import os3 from "os";
+import path3 from "path";
+import { createRequire } from "module";
+import { pathToFileURL } from "url";
+function quotedIdentifier(identifier) {
+  return `"${identifier.replace(/"/g, '""')}"`;
+}
+function unqualifiedTableName(name) {
+  const raw = name.trim().replace(/^"|"$/g, "");
+  const parts = raw.split(".");
+  return parts[parts.length - 1].replace(/^"|"$/g, "").toLowerCase();
+}
+function stripTrailingSemicolon(sql) {
+  return sql.trim().replace(/;+\s*$/u, "");
+}
+function appendClause(sql, clause) {
+  const trimmed = stripTrailingSemicolon(sql);
+  const returningMatch = /\sRETURNING\b[\s\S]*$/iu.exec(trimmed);
+  if (!returningMatch) {
+    return `${trimmed}${clause}`;
+  }
+  const idx = returningMatch.index;
+  return `${trimmed.slice(0, idx)}${clause}${trimmed.slice(idx)}`;
+}
+function normalizeStatement(stmt) {
+  if (typeof stmt === "string") {
+    return { kind: "positional", sql: stmt, args: [] };
+  }
+  const sql = stmt.sql;
+  if (Array.isArray(stmt.args) || stmt.args === void 0) {
+    return { kind: "positional", sql, args: stmt.args ?? [] };
+  }
+  return { kind: "named", sql, args: stmt.args };
+}
+function rewriteBooleanLiterals(sql) {
+  let out = sql;
+  for (const column of BOOLEAN_COLUMN_NAMES) {
+    const scoped = `((?:\\b[a-z_][a-z0-9_]*\\.)?${column})`;
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*0\\b`, "giu"), "$1 = FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*1\\b`, "giu"), "$1 = TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*0\\b`, "giu"), "$1 != FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*1\\b`, "giu"), "$1 != TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*0\\b`, "giu"), "$1 <> FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*1\\b`, "giu"), "$1 <> TRUE");
+  }
+  return out;
+}
+function rewriteInsertOrIgnore(sql) {
+  if (!/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu.test(sql)) {
+    return sql;
+  }
+  const replaced = sql.replace(/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu, "INSERT INTO");
+  return /\bON\s+CONFLICT\b/iu.test(replaced) ? replaced : appendClause(replaced, " ON CONFLICT DO NOTHING");
+}
+function rewriteInsertOrReplace(sql) {
+  const match = /^\s*INSERT\s+OR\s+REPLACE\s+INTO\s+([A-Za-z0-9_."]+)\s*\(([^)]+)\)([\s\S]*)$/iu.exec(sql);
+  if (!match) {
+    return sql;
+  }
+  const rawTable = match[1];
+  const rawColumns = match[2];
+  const remainder = match[3];
+  const tableName = unqualifiedTableName(rawTable);
+  const conflictKeys = UPSERT_KEYS[tableName];
+  if (!conflictKeys?.length) {
+    return sql;
+  }
+  const columns = rawColumns.split(",").map((col) => col.trim().replace(/^"|"$/g, ""));
+  const updateColumns = columns.filter((col) => !conflictKeys.includes(col));
+  const conflictTarget = conflictKeys.map(quotedIdentifier).join(", ");
+  const updateClause = updateColumns.length === 0 ? " DO NOTHING" : ` DO UPDATE SET ${updateColumns.map((col) => `${quotedIdentifier(col)} = EXCLUDED.${quotedIdentifier(col)}`).join(", ")}`;
+  return `INSERT INTO ${rawTable} (${rawColumns})${appendClause(remainder, ` ON CONFLICT (${conflictTarget})${updateClause}`)}`;
+}
+function rewriteSql(sql) {
+  let out = sql;
+  out = out.replace(/\bdatetime\(\s*['"]now['"]\s*\)/giu, "CURRENT_TIMESTAMP");
+  out = out.replace(/\bvector32\s*\(\s*\?\s*\)/giu, "?");
+  out = rewriteBooleanLiterals(out);
+  out = rewriteInsertOrReplace(out);
+  out = rewriteInsertOrIgnore(out);
+  return stripTrailingSemicolon(out);
+}
+function toBoolean(value) {
+  if (value === null || value === void 0) return value;
+  if (typeof value === "boolean") return value;
+  if (typeof value === "number") return value !== 0;
+  if (typeof value === "bigint") return value !== 0n;
+  if (typeof value === "string") {
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "0" || normalized === "false") return false;
+    if (normalized === "1" || normalized === "true") return true;
+  }
+  return Boolean(value);
+}
+function countQuestionMarks(sql, end) {
+  let count = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < end; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      if (ch === "*" && next === "/") {
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      inLineComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "/" && next === "*") {
+      inBlockComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inDouble && ch === "'" && sql[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      continue;
+    }
+    if (!inSingle && ch === '"' && sql[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "?") {
+      count += 1;
+    }
+  }
+  return count;
+}
+function findBooleanPlaceholderIndexes(sql) {
+  const indexes = /* @__PURE__ */ new Set();
+  for (const column of BOOLEAN_COLUMN_NAMES) {
+    const pattern = new RegExp(`(?:\\b[a-z_][a-z0-9_]*\\.)?${column}\\s*=\\s*\\?`, "giu");
+    for (const match of sql.matchAll(pattern)) {
+      const matchText = match[0];
+      const qIndex = match.index + matchText.lastIndexOf("?");
+      indexes.add(countQuestionMarks(sql, qIndex + 1));
+    }
+  }
+  return indexes;
+}
+function coerceInsertBooleanArgs(sql, args) {
+  const match = /^\s*INSERT(?:\s+OR\s+(?:IGNORE|REPLACE))?\s+INTO\s+([A-Za-z0-9_."]+)\s*\(([^)]+)\)/iu.exec(sql);
+  if (!match) return;
+  const rawTable = match[1];
+  const rawColumns = match[2];
+  const boolColumns = BOOLEAN_COLUMNS_BY_TABLE[unqualifiedTableName(rawTable)];
+  if (!boolColumns?.size) return;
+  const columns = rawColumns.split(",").map((col) => col.trim().replace(/^"|"$/g, ""));
+  for (const [index, column] of columns.entries()) {
+    if (boolColumns.has(column) && index < args.length) {
+      args[index] = toBoolean(args[index]);
+    }
+  }
+}
+function coerceUpdateBooleanArgs(sql, args) {
+  const match = /^\s*UPDATE\s+([A-Za-z0-9_."]+)\s+SET\s+([\s\S]+?)(?:\s+WHERE\b|$)/iu.exec(sql);
+  if (!match) return;
+  const rawTable = match[1];
+  const setClause = match[2];
+  const boolColumns = BOOLEAN_COLUMNS_BY_TABLE[unqualifiedTableName(rawTable)];
+  if (!boolColumns?.size) return;
+  const assignments = setClause.split(",");
+  let placeholderIndex = 0;
+  for (const assignment of assignments) {
+    if (!assignment.includes("?")) continue;
+    placeholderIndex += 1;
+    const colMatch = /^\s*(?:[A-Za-z_][A-Za-z0-9_]*\.)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\?/iu.exec(assignment);
+    if (colMatch && boolColumns.has(colMatch[1])) {
+      args[placeholderIndex - 1] = toBoolean(args[placeholderIndex - 1]);
+    }
+  }
+}
+function coerceBooleanArgs(sql, args) {
+  const nextArgs = [...args];
+  coerceInsertBooleanArgs(sql, nextArgs);
+  coerceUpdateBooleanArgs(sql, nextArgs);
+  const placeholderIndexes = findBooleanPlaceholderIndexes(sql);
+  for (const index of placeholderIndexes) {
+    if (index > 0 && index <= nextArgs.length) {
+      nextArgs[index - 1] = toBoolean(nextArgs[index - 1]);
+    }
+  }
+  return nextArgs;
+}
+function convertQuestionMarksToDollarParams(sql) {
+  let out = "";
+  let placeholder = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      out += ch;
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      out += ch;
+      if (ch === "*" && next === "/") {
+        out += next;
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      out += ch + next;
+      inLineComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "/" && next === "*") {
+      out += ch + next;
+      inBlockComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inDouble && ch === "'" && sql[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      out += ch;
+      continue;
+    }
+    if (!inSingle && ch === '"' && sql[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      out += ch;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "?") {
+      placeholder += 1;
+      out += `$${placeholder}`;
+      continue;
+    }
+    out += ch;
+  }
+  return out;
+}
+function translateStatementForPostgres(stmt) {
+  const normalized = normalizeStatement(stmt);
+  if (normalized.kind === "named") {
+    throw new Error("Named SQL parameters are not supported by the Prisma adapter.");
+  }
+  const rewrittenSql = rewriteSql(normalized.sql);
+  const coercedArgs = coerceBooleanArgs(rewrittenSql, normalized.args);
+  return {
+    sql: convertQuestionMarksToDollarParams(rewrittenSql),
+    args: coercedArgs
+  };
+}
+function shouldBypassPostgres(stmt) {
+  const normalized = normalizeStatement(stmt);
+  if (normalized.kind === "named") {
+    return true;
+  }
+  return IMMEDIATE_FALLBACK_PATTERNS.some((pattern) => pattern.test(normalized.sql));
+}
+function shouldFallbackOnError(error) {
+  const message = error instanceof Error ? error.message : String(error);
+  return /42P01|42883|42601|does not exist|syntax error|not supported|Named SQL parameters are not supported/iu.test(message);
+}
+function isReadQuery(sql) {
+  const trimmed = sql.trimStart();
+  return /^(SELECT|WITH|SHOW|EXPLAIN|VALUES)\b/iu.test(trimmed) || /\bRETURNING\b/iu.test(trimmed);
+}
+function buildRow(row, columns) {
+  const values = columns.map((column) => row[column]);
+  return Object.assign(values, row);
+}
+function buildResultSet(rows, rowsAffected = 0) {
+  const columns = rows[0] ? Object.keys(rows[0]) : [];
+  const resultRows = rows.map((row) => buildRow(row, columns));
+  return {
+    columns,
+    columnTypes: columns.map(() => ""),
+    rows: resultRows,
+    rowsAffected,
+    lastInsertRowid: void 0,
+    toJSON() {
+      return {
+        columns,
+        columnTypes: columns.map(() => ""),
+        rows,
+        rowsAffected,
+        lastInsertRowid: void 0
+      };
+    }
+  };
+}
+async function loadPrismaClient() {
+  if (!prismaClientPromise) {
+    prismaClientPromise = (async () => {
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const module2 = await import(pathToFileURL(explicitPath).href);
+        const PrismaClient2 = module2.PrismaClient ?? module2.default?.PrismaClient;
+        if (!PrismaClient2) {
+          throw new Error(`No PrismaClient export found at ${explicitPath}`);
+        }
+        return new PrismaClient2();
+      }
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path3.join(os3.homedir(), "exe-db");
+      const requireFromExeDb = createRequire(path3.join(exeDbRoot, "package.json"));
+      const prismaEntry = requireFromExeDb.resolve("@prisma/client");
+      const module = await import(pathToFileURL(prismaEntry).href);
+      const PrismaClient = module.PrismaClient ?? module.default?.PrismaClient;
+      if (!PrismaClient) {
+        throw new Error(`No PrismaClient export found in ${prismaEntry}`);
+      }
+      return new PrismaClient();
+    })();
+  }
+  return prismaClientPromise;
+}
+async function ensureCompatibilityViews(prisma) {
+  if (!compatibilityBootstrapPromise) {
+    compatibilityBootstrapPromise = (async () => {
+      for (const mapping of VIEW_MAPPINGS) {
+        const relation = mapping.source.replace(/"/g, "");
+        const rows = await prisma.$queryRawUnsafe(
+          "SELECT to_regclass($1) AS regclass",
+          relation
+        );
+        if (!rows[0]?.regclass) {
+          continue;
+        }
+        await prisma.$executeRawUnsafe(
+          `CREATE OR REPLACE VIEW public.${quotedIdentifier(mapping.view)} AS SELECT * FROM ${mapping.source}`
+        );
+      }
+    })();
+  }
+  return compatibilityBootstrapPromise;
+}
+async function executeOnPrisma(executor, stmt) {
+  const translated = translateStatementForPostgres(stmt);
+  if (isReadQuery(translated.sql)) {
+    const rows = await executor.$queryRawUnsafe(
+      translated.sql,
+      ...translated.args
+    );
+    return buildResultSet(rows, /\bRETURNING\b/iu.test(translated.sql) ? rows.length : 0);
+  }
+  const rowsAffected = await executor.$executeRawUnsafe(translated.sql, ...translated.args);
+  return buildResultSet([], rowsAffected);
+}
+function splitSqlStatements(sql) {
+  const parts = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      current += ch;
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      current += ch;
+      if (ch === "*" && next === "/") {
+        current += next;
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      current += ch + next;
+      inLineComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "/" && next === "*") {
+      current += ch + next;
+      inBlockComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inDouble && ch === "'" && sql[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      current += ch;
+      continue;
+    }
+    if (!inSingle && ch === '"' && sql[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      current += ch;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === ";") {
+      if (current.trim()) {
+        parts.push(current.trim());
+      }
+      current = "";
+      continue;
+    }
+    current += ch;
+  }
+  if (current.trim()) {
+    parts.push(current.trim());
+  }
+  return parts;
+}
+async function createPrismaDbAdapter(fallbackClient) {
+  const prisma = await loadPrismaClient();
+  await ensureCompatibilityViews(prisma);
+  let closed = false;
+  let adapter;
+  const fallbackExecute = async (stmt, error) => {
+    if (!fallbackClient) {
+      if (error) throw error;
+      throw new Error("No fallback SQLite client is available for this Prisma-routed query.");
+    }
+    if (error) {
+      process.stderr.write(
+        `[database-adapter] Falling back to SQLite: ${error instanceof Error ? error.message : String(error)}
+`
+      );
+    }
+    return fallbackClient.execute(stmt);
+  };
+  adapter = {
+    async execute(stmt) {
+      if (shouldBypassPostgres(stmt)) {
+        return fallbackExecute(stmt);
+      }
+      try {
+        return await executeOnPrisma(prisma, stmt);
+      } catch (error) {
+        if (shouldFallbackOnError(error)) {
+          return fallbackExecute(stmt, error);
+        }
+        throw error;
+      }
+    },
+    async batch(stmts, mode) {
+      if (stmts.some((stmt) => shouldBypassPostgres(stmt))) {
+        if (!fallbackClient) {
+          throw new Error("Cannot batch unsupported SQLite-only statements without a fallback client.");
+        }
+        return fallbackClient.batch(stmts, mode);
+      }
+      try {
+        if (prisma.$transaction) {
+          return await prisma.$transaction(async (tx) => {
+            const results2 = [];
+            for (const stmt of stmts) {
+              results2.push(await executeOnPrisma(tx, stmt));
+            }
+            return results2;
+          });
+        }
+        const results = [];
+        for (const stmt of stmts) {
+          results.push(await executeOnPrisma(prisma, stmt));
+        }
+        return results;
+      } catch (error) {
+        if (fallbackClient && shouldFallbackOnError(error)) {
+          process.stderr.write(
+            `[database-adapter] Falling back batch to SQLite: ${error instanceof Error ? error.message : String(error)}
+`
+          );
+          return fallbackClient.batch(stmts, mode);
+        }
+        throw error;
+      }
+    },
+    async migrate(stmts) {
+      if (fallbackClient) {
+        return fallbackClient.migrate(stmts);
+      }
+      return adapter.batch(stmts, "deferred");
+    },
+    async transaction(mode) {
+      if (!fallbackClient) {
+        throw new Error("Interactive transactions are only supported on the SQLite fallback client.");
+      }
+      return fallbackClient.transaction(mode);
+    },
+    async executeMultiple(sql) {
+      if (fallbackClient && shouldBypassPostgres(sql)) {
+        return fallbackClient.executeMultiple(sql);
+      }
+      for (const statement of splitSqlStatements(sql)) {
+        await adapter.execute(statement);
+      }
+    },
+    async sync() {
+      if (fallbackClient) {
+        return fallbackClient.sync();
+      }
+      return { frame_no: 0, frames_synced: 0 };
+    },
+    close() {
+      closed = true;
+      prismaClientPromise = null;
+      compatibilityBootstrapPromise = null;
+      void prisma.$disconnect?.();
+    },
+    get closed() {
+      return closed;
+    },
+    get protocol() {
+      return "prisma-postgres";
+    }
+  };
+  return adapter;
+}
+var VIEW_MAPPINGS, UPSERT_KEYS, BOOLEAN_COLUMNS_BY_TABLE, BOOLEAN_COLUMN_NAMES, IMMEDIATE_FALLBACK_PATTERNS, prismaClientPromise, compatibilityBootstrapPromise;
+var init_database_adapter = __esm({
+  "src/lib/database-adapter.ts"() {
+    "use strict";
+    VIEW_MAPPINGS = [
+      { view: "memories", source: "memory.memory_records" },
+      { view: "tasks", source: "memory.tasks" },
+      { view: "behaviors", source: "memory.behaviors" },
+      { view: "entities", source: "memory.entities" },
+      { view: "relationships", source: "memory.relationships" },
+      { view: "entity_memories", source: "memory.entity_memories" },
+      { view: "entity_aliases", source: "memory.entity_aliases" },
+      { view: "notifications", source: "memory.notifications" },
+      { view: "messages", source: "memory.messages" },
+      { view: "users", source: "wiki.users" },
+      { view: "workspaces", source: "wiki.workspaces" },
+      { view: "workspace_users", source: "wiki.workspace_users" },
+      { view: "documents", source: "wiki.workspace_documents" },
+      { view: "chats", source: "wiki.workspace_chats" }
+    ];
+    UPSERT_KEYS = {
+      memories: ["id"],
+      tasks: ["id"],
+      behaviors: ["id"],
+      entities: ["id"],
+      relationships: ["id"],
+      entity_aliases: ["alias"],
+      notifications: ["id"],
+      messages: ["id"],
+      users: ["id"],
+      workspaces: ["id"],
+      workspace_users: ["id"],
+      documents: ["id"],
+      chats: ["id"]
+    };
+    BOOLEAN_COLUMNS_BY_TABLE = {
+      memories: /* @__PURE__ */ new Set(["has_error", "draft"]),
+      behaviors: /* @__PURE__ */ new Set(["active"]),
+      notifications: /* @__PURE__ */ new Set(["read"]),
+      users: /* @__PURE__ */ new Set(["has_personal_memory"])
+    };
+    BOOLEAN_COLUMN_NAMES = new Set(
+      Object.values(BOOLEAN_COLUMNS_BY_TABLE).flatMap((cols) => [...cols])
+    );
+    IMMEDIATE_FALLBACK_PATTERNS = [
+      /\bPRAGMA\b/i,
+      /\bsqlite_master\b/i,
+      /(?:^|[.\s])(?:memories|conversations|entities)_fts\b/i,
+      /\bMATCH\b/i,
+      /\bvector_distance_cos\s*\(/i,
+      /\bjson_extract\s*\(/i,
+      /\bjulianday\s*\(/i,
+      /\bstrftime\s*\(/i,
+      /\blast_insert_rowid\s*\(/i
+    ];
+    prismaClientPromise = null;
+    compatibilityBootstrapPromise = null;
+  }
+});
+
+// src/lib/daemon-auth.ts
+import crypto from "crypto";
+import path4 from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+function normalizeToken(token) {
+  if (!token) return null;
+  const trimmed = token.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function readDaemonToken() {
+  try {
+    if (!existsSync4(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function ensureDaemonToken(seed) {
+  const existing = readDaemonToken();
+  if (existing) return existing;
+  const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
+  ensurePrivateDirSync(EXE_AI_DIR);
+  writeFileSync2(DAEMON_TOKEN_PATH, `${token}
+`, "utf8");
+  enforcePrivateFileSync(DAEMON_TOKEN_PATH);
+  return token;
+}
+var DAEMON_TOKEN_PATH;
+var init_daemon_auth = __esm({
+  "src/lib/daemon-auth.ts"() {
+    "use strict";
+    init_config();
+    init_secure_files();
+    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
+  }
+});
+
 // src/lib/exe-daemon-client.ts
 import net from "net";
-import os3 from "os";
+import os4 from "os";
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync3, unlinkSync as unlinkSync2, readFileSync as readFileSync3, openSync, closeSync, statSync } from "fs";
-import path3 from "path";
+import { existsSync as existsSync5, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
+import path5 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
@@ -296,9 +944,9 @@ function handleData(chunk) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync3(PID_PATH)) {
+  if (existsSync5(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync3(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -319,17 +967,17 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path3.dirname(fileURLToPath(import.meta.url));
-  const { root } = path3.parse(dir);
+  let dir = path5.dirname(fileURLToPath(import.meta.url));
+  const { root } = path5.parse(dir);
   while (dir !== root) {
-    if (existsSync3(path3.join(dir, "package.json"))) return dir;
-    dir = path3.dirname(dir);
+    if (existsSync5(path5.join(dir, "package.json"))) return dir;
+    dir = path5.dirname(dir);
   }
   return null;
 }
 function spawnDaemon() {
-  const freeGB = os3.freemem() / (1024 * 1024 * 1024);
-  const totalGB = os3.totalmem() / (1024 * 1024 * 1024);
+  const freeGB = os4.freemem() / (1024 * 1024 * 1024);
+  const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
@@ -349,16 +997,17 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path3.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync3(daemonPath)) {
+  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync5(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
   }
   const resolvedPath = daemonPath;
+  const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path3.join(path3.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -376,7 +1025,8 @@ function spawnDaemon() {
       TMUX_PANE: void 0,
       // Prevents resolveExeSession() from scoping to one session
       EXE_DAEMON_SOCK: SOCKET_PATH,
-      EXE_DAEMON_PID: PID_PATH
+      EXE_DAEMON_PID: PID_PATH,
+      [DAEMON_TOKEN_ENV]: daemonToken
     }
   });
   child.unref();
@@ -483,13 +1133,14 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
       return;
     }
     const id = randomUUID();
+    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
     const timer = setTimeout(() => {
       _pending.delete(id);
       resolve({ error: "Request timeout" });
     }, timeoutMs);
     _pending.set(id, { resolve, timer });
     try {
-      _socket.write(JSON.stringify({ id, ...payload }) + "\n");
+      _socket.write(JSON.stringify({ id, token, ...payload }) + "\n");
     } catch {
       clearTimeout(timer);
       _pending.delete(id);
@@ -500,17 +1151,19 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
 function isClientConnected() {
   return _connected;
 }
-var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, _socket, _connected, _buffer, _pending, MAX_BUFFER;
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _pending, MAX_BUFFER;
 var init_exe_daemon_client = __esm({
   "src/lib/exe-daemon-client.ts"() {
     "use strict";
     init_config();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path3.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path3.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path3.join(EXE_AI_DIR, "exed-spawn.lock");
+    init_daemon_auth();
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
+    DAEMON_TOKEN_ENV = "EXE_DAEMON_TOKEN";
     _socket = null;
     _connected = false;
     _buffer = "";
@@ -589,7 +1242,7 @@ __export(db_daemon_client_exports, {
   createDaemonDbClient: () => createDaemonDbClient,
   initDaemonDbClient: () => initDaemonDbClient
 });
-function normalizeStatement(stmt) {
+function normalizeStatement2(stmt) {
   if (typeof stmt === "string") {
     return { sql: stmt, args: [] };
   }
@@ -613,7 +1266,7 @@ function createDaemonDbClient(fallbackClient) {
       if (!_useDaemon || !isClientConnected()) {
         return fallbackClient.execute(stmt);
       }
-      const { sql, args } = normalizeStatement(stmt);
+      const { sql, args } = normalizeStatement2(stmt);
       const response = await sendDaemonRequest({
         type: "db-execute",
         sql,
@@ -638,7 +1291,7 @@ function createDaemonDbClient(fallbackClient) {
       if (!_useDaemon || !isClientConnected()) {
         return fallbackClient.batch(stmts, mode);
       }
-      const statements = stmts.map(normalizeStatement);
+      const statements = stmts.map(normalizeStatement2);
       const response = await sendDaemonRequest({
         type: "db-batch",
         statements,
@@ -733,6 +1386,18 @@ __export(database_exports, {
 });
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
+  if (_walCheckpointTimer) {
+    clearInterval(_walCheckpointTimer);
+    _walCheckpointTimer = null;
+  }
+  if (_daemonClient) {
+    _daemonClient.close();
+    _daemonClient = null;
+  }
+  if (_adapterClient && _adapterClient !== _resilientClient) {
+    _adapterClient.close();
+  }
+  _adapterClient = null;
   if (_client) {
     _client.close();
     _client = null;
@@ -746,6 +1411,7 @@ async function initDatabase(config) {
   }
   _client = createClient(opts);
   _resilientClient = wrapWithRetry(_client);
+  _adapterClient = _resilientClient;
   _client.execute("PRAGMA busy_timeout = 30000").catch(() => {
   });
   _client.execute("PRAGMA journal_mode = WAL").catch(() => {
@@ -756,14 +1422,20 @@ async function initDatabase(config) {
     });
   }, 3e4);
   _walCheckpointTimer.unref();
+  if (process.env.DATABASE_URL) {
+    _adapterClient = await createPrismaDbAdapter(_resilientClient);
+  }
 }
 function isInitialized() {
-  return _client !== null;
+  return _adapterClient !== null || _client !== null;
 }
 function getClient() {
-  if (!_resilientClient) {
+  if (!_adapterClient) {
     throw new Error("Database client not initialized. Call initDatabase() first.");
   }
+  if (process.env.DATABASE_URL) {
+    return _adapterClient;
+  }
   if (process.env.EXE_IS_DAEMON === "1") {
     return _resilientClient;
   }
@@ -773,6 +1445,7 @@ function getClient() {
   return _resilientClient;
 }
 async function initDaemonClient() {
+  if (process.env.DATABASE_URL) return;
   if (process.env.EXE_IS_DAEMON === "1") return;
   if (!_resilientClient) return;
   try {
@@ -1069,6 +1742,7 @@ async function ensureSchema() {
       project     TEXT NOT NULL,
       summary     TEXT NOT NULL,
       task_file   TEXT,
+      session_scope TEXT,
       read        INTEGER NOT NULL DEFAULT 0,
       created_at  TEXT NOT NULL
     );
@@ -1077,7 +1751,7 @@ async function ensureSchema() {
       ON notifications(read);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_agent
-      ON notifications(agent_id);
+      ON notifications(agent_id, session_scope);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_task_file
       ON notifications(task_file);
@@ -1115,6 +1789,7 @@ async function ensureSchema() {
       target_agent    TEXT NOT NULL,
       target_project  TEXT,
       target_device   TEXT NOT NULL DEFAULT 'local',
+      session_scope   TEXT,
       content         TEXT NOT NULL,
       priority        TEXT DEFAULT 'normal',
       status          TEXT DEFAULT 'pending',
@@ -1128,10 +1803,31 @@ async function ensureSchema() {
     );
 
     CREATE INDEX IF NOT EXISTS idx_messages_target
-      ON messages(target_agent, status);
+      ON messages(target_agent, session_scope, status);
 
     CREATE INDEX IF NOT EXISTS idx_messages_conversation_order
-      ON messages(target_agent, from_agent, server_seq);
+      ON messages(target_agent, session_scope, from_agent, server_seq);
+  `);
+  try {
+    await client.execute({
+      sql: `ALTER TABLE notifications ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE messages ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE INDEX IF NOT EXISTS idx_notifications_agent_scope_read
+      ON notifications(agent_id, session_scope, read, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_messages_target_scope_status
+      ON messages(target_agent, session_scope, status, created_at);
   `);
   try {
     await client.execute({
@@ -1715,28 +2411,45 @@ async function ensureSchema() {
     } catch {
     }
   }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
 }
 async function disposeDatabase() {
+  if (_walCheckpointTimer) {
+    clearInterval(_walCheckpointTimer);
+    _walCheckpointTimer = null;
+  }
   if (_daemonClient) {
     _daemonClient.close();
     _daemonClient = null;
   }
+  if (_adapterClient && _adapterClient !== _resilientClient) {
+    _adapterClient.close();
+  }
+  _adapterClient = null;
   if (_client) {
     _client.close();
     _client = null;
     _resilientClient = null;
   }
 }
-var _client, _resilientClient, _walCheckpointTimer, _daemonClient, initTurso, disposeTurso;
+var _client, _resilientClient, _walCheckpointTimer, _daemonClient, _adapterClient, initTurso, disposeTurso;
 var init_database = __esm({
   "src/lib/database.ts"() {
     "use strict";
     init_db_retry();
     init_employees();
+    init_database_adapter();
     _client = null;
     _resilientClient = null;
     _walCheckpointTimer = null;
     _daemonClient = null;
+    _adapterClient = null;
     initTurso = initDatabase;
     disposeTurso = disposeDatabase;
   }
@@ -1744,9 +2457,9 @@ var init_database = __esm({
 
 // src/bin/exe-rename.ts
 init_employees();
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync2, renameSync as renameSync3, unlinkSync as unlinkSync3, existsSync as existsSync4 } from "fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, renameSync as renameSync3, unlinkSync as unlinkSync3, existsSync as existsSync6 } from "fs";
 import { execSync as execSync2 } from "child_process";
-import path4 from "path";
+import path6 from "path";
 import { homedir } from "os";
 
 // src/lib/global-procedures.ts
@@ -1891,9 +2604,9 @@ function isMainModule(importMetaUrl) {
 
 // src/bin/exe-rename.ts
 async function renameEmployee(oldName, newName, opts = {}) {
-  const rosterPath = opts.rosterPath ?? path4.join(homedir(), ".exe-os", "exe-employees.json");
-  const identityDir = opts.identityDir ?? path4.join(homedir(), ".exe-os", "identity");
-  const agentsDir = opts.agentsDir ?? path4.join(homedir(), ".claude", "agents");
+  const rosterPath = opts.rosterPath ?? path6.join(homedir(), ".exe-os", "exe-employees.json");
+  const identityDir = opts.identityDir ?? path6.join(homedir(), ".exe-os", "identity");
+  const agentsDir = opts.agentsDir ?? path6.join(homedir(), ".claude", "agents");
   const validation = validateEmployeeName(newName);
   if (!validation.valid) {
     return { success: false, error: validation.error };
@@ -1922,40 +2635,40 @@ async function renameEmployee(oldName, newName, opts = {}) {
       undo: () => {
         employee.name = originalName;
         employee.systemPrompt = originalPrompt;
-        writeFileSync2(rosterPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
+        writeFileSync3(rosterPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
       }
     });
-    const oldIdentityPath = path4.join(identityDir, `${rosterOldName}.md`);
-    const newIdentityPath = path4.join(identityDir, `${newName}.md`);
-    if (existsSync4(oldIdentityPath)) {
-      const content = readFileSync4(oldIdentityPath, "utf-8");
+    const oldIdentityPath = path6.join(identityDir, `${rosterOldName}.md`);
+    const newIdentityPath = path6.join(identityDir, `${newName}.md`);
+    if (existsSync6(oldIdentityPath)) {
+      const content = readFileSync5(oldIdentityPath, "utf-8");
       const updatedContent = content.replace(
         /^(agent_id:\s*)\S+/m,
         `$1${newName}`
       );
       renameSync3(oldIdentityPath, newIdentityPath);
-      writeFileSync2(newIdentityPath, updatedContent, "utf-8");
+      writeFileSync3(newIdentityPath, updatedContent, "utf-8");
       rollbackStack.push({
         description: "restore identity file",
         undo: () => {
-          if (existsSync4(newIdentityPath)) {
-            writeFileSync2(newIdentityPath, content, "utf-8");
+          if (existsSync6(newIdentityPath)) {
+            writeFileSync3(newIdentityPath, content, "utf-8");
             renameSync3(newIdentityPath, oldIdentityPath);
           }
         }
       });
     }
-    const oldAgentPath = path4.join(agentsDir, `${rosterOldName}.md`);
-    const newAgentPath = path4.join(agentsDir, `${newName}.md`);
-    if (existsSync4(oldAgentPath)) {
-      const agentContent = readFileSync4(oldAgentPath, "utf-8");
+    const oldAgentPath = path6.join(agentsDir, `${rosterOldName}.md`);
+    const newAgentPath = path6.join(agentsDir, `${newName}.md`);
+    if (existsSync6(oldAgentPath)) {
+      const agentContent = readFileSync5(oldAgentPath, "utf-8");
       renameSync3(oldAgentPath, newAgentPath);
       rollbackStack.push({
         description: "restore agent file",
         undo: () => {
-          if (existsSync4(newAgentPath)) {
+          if (existsSync6(newAgentPath)) {
             renameSync3(newAgentPath, oldAgentPath);
-            writeFileSync2(oldAgentPath, agentContent, "utf-8");
+            writeFileSync3(oldAgentPath, agentContent, "utf-8");
           }
         }
       });
@@ -2033,10 +2746,10 @@ function removeOldSymlinks(name) {
   try {
     const exeBinPath = findExeBin2();
     if (!exeBinPath) return;
-    const binDir = path4.dirname(exeBinPath);
+    const binDir = path6.dirname(exeBinPath);
     for (const suffix of ["", "-opencode"]) {
-      const linkPath = path4.join(binDir, `${name}${suffix}`);
-      if (existsSync4(linkPath)) {
+      const linkPath = path6.join(binDir, `${name}${suffix}`);
+      if (existsSync6(linkPath)) {
         try {
           unlinkSync3(linkPath);
         } catch {