@askexenow/exe-os 0.9.7 → 0.9.9

package/dist/index.js

@@ -25,6 +25,44 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
+// src/lib/secure-files.ts
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { chmod, mkdir } from "fs/promises";
+async function ensurePrivateDir(dirPath) {
+  await mkdir(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    await chmod(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+function ensurePrivateDirSync(dirPath) {
+  mkdirSync(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    chmodSync(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+async function enforcePrivateFile(filePath) {
+  try {
+    await chmod(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+function enforcePrivateFileSync(filePath) {
+  try {
+    if (existsSync(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+var PRIVATE_DIR_MODE, PRIVATE_FILE_MODE;
+var init_secure_files = __esm({
+  "src/lib/secure-files.ts"() {
+    "use strict";
+    PRIVATE_DIR_MODE = 448;
+    PRIVATE_FILE_MODE = 384;
+  }
+});
+
 // src/lib/config.ts
 var config_exports = {};
 __export(config_exports, {
@@ -41,8 +79,8 @@ __export(config_exports, {
   migrateConfig: () => migrateConfig,
   saveConfig: () => saveConfig
 });
-import { readFile, writeFile, mkdir, chmod } from "fs/promises";
-import { readFileSync, existsSync, renameSync } from "fs";
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
 import path2 from "path";
 import os2 from "os";
 function resolveDataDir() {
@@ -50,7 +88,7 @@ function resolveDataDir() {
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
   const newDir = path2.join(os2.homedir(), ".exe-os");
   const legacyDir = path2.join(os2.homedir(), ".exe-mem");
-  if (!existsSync(newDir) && existsSync(legacyDir)) {
+  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
       process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
@@ -113,9 +151,9 @@ function normalizeAutoUpdate(raw) {
 }
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path2.join(dir, "config.json");
-  if (!existsSync(configPath)) {
+  if (!existsSync2(configPath)) {
     return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
   }
   const raw = await readFile(configPath, "utf-8");
@@ -128,6 +166,7 @@ async function loadConfig() {
 `);
       try {
         await writeFile(configPath, JSON.stringify(migratedCfg, null, 2) + "\n");
+        await enforcePrivateFile(configPath);
       } catch {
       }
     }
@@ -146,7 +185,7 @@ async function loadConfig() {
 function loadConfigSync() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   const configPath = path2.join(dir, "config.json");
-  if (!existsSync(configPath)) {
+  if (!existsSync2(configPath)) {
     return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
   }
   try {
@@ -164,12 +203,10 @@ function loadConfigSync() {
 }
 async function saveConfig(config2) {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path2.join(dir, "config.json");
   await writeFile(configPath, JSON.stringify(config2, null, 2) + "\n");
-  if (config2.cloud?.apiKey) {
-    await chmod(configPath, 384);
-  }
+  await enforcePrivateFile(configPath);
 }
 async function loadConfigFrom(configPath) {
   const raw = await readFile(configPath, "utf-8");
@@ -189,6 +226,7 @@ var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CON
 var init_config = __esm({
   "src/lib/config.ts"() {
     "use strict";
+    init_secure_files();
     EXE_AI_DIR = resolveDataDir();
     DB_PATH = path2.join(EXE_AI_DIR, "memories.db");
     MODELS_DIR = path2.join(EXE_AI_DIR, "models");
@@ -265,6 +303,120 @@ var init_config = __esm({
   }
 });
 
+// src/lib/runtime-table.ts
+var RUNTIME_TABLE, DEFAULT_RUNTIME;
+var init_runtime_table = __esm({
+  "src/lib/runtime-table.ts"() {
+    "use strict";
+    RUNTIME_TABLE = {
+      codex: {
+        binary: "codex",
+        launchMode: "interactive",
+        autoApproveFlag: "--dangerously-bypass-approvals-and-sandbox",
+        inlineFlag: "--no-alt-screen",
+        apiKeyEnv: "OPENAI_API_KEY",
+        defaultModel: "gpt-5.4"
+      },
+      opencode: {
+        binary: "opencode",
+        launchMode: "exec",
+        autoApproveFlag: "--dangerously-skip-permissions",
+        inlineFlag: "",
+        apiKeyEnv: "ANTHROPIC_API_KEY",
+        defaultModel: "anthropic/claude-sonnet-4-6"
+      }
+    };
+    DEFAULT_RUNTIME = "claude";
+  }
+});
+
+// src/lib/agent-config.ts
+var agent_config_exports = {};
+__export(agent_config_exports, {
+  AGENT_CONFIG_PATH: () => AGENT_CONFIG_PATH,
+  DEFAULT_MODELS: () => DEFAULT_MODELS,
+  KNOWN_RUNTIMES: () => KNOWN_RUNTIMES,
+  RUNTIME_LABELS: () => RUNTIME_LABELS,
+  clearAgentRuntime: () => clearAgentRuntime,
+  getAgentRuntime: () => getAgentRuntime,
+  loadAgentConfig: () => loadAgentConfig,
+  saveAgentConfig: () => saveAgentConfig,
+  setAgentRuntime: () => setAgentRuntime
+});
+import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3 } from "fs";
+import path3 from "path";
+function loadAgentConfig() {
+  if (!existsSync3(AGENT_CONFIG_PATH)) return {};
+  try {
+    return JSON.parse(readFileSync2(AGENT_CONFIG_PATH, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveAgentConfig(config2) {
+  const dir = path3.dirname(AGENT_CONFIG_PATH);
+  ensurePrivateDirSync(dir);
+  writeFileSync(AGENT_CONFIG_PATH, JSON.stringify(config2, null, 2) + "\n", "utf-8");
+  enforcePrivateFileSync(AGENT_CONFIG_PATH);
+}
+function getAgentRuntime(agentId) {
+  const config2 = loadAgentConfig();
+  const entry = config2[agentId];
+  if (entry) return entry;
+  const orgDefault = config2["default"];
+  if (orgDefault) return orgDefault;
+  return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
+}
+function setAgentRuntime(agentId, runtime, model) {
+  const knownModels = KNOWN_RUNTIMES[runtime];
+  if (!knownModels) {
+    return {
+      ok: false,
+      error: `Unknown runtime "${runtime}". Valid: ${Object.keys(KNOWN_RUNTIMES).join(", ")}`
+    };
+  }
+  if (!knownModels.includes(model)) {
+    return {
+      ok: false,
+      error: `Unknown model "${model}" for runtime "${runtime}". Valid: ${knownModels.join(", ")}`
+    };
+  }
+  const config2 = loadAgentConfig();
+  config2[agentId] = { runtime, model };
+  saveAgentConfig(config2);
+  return { ok: true };
+}
+function clearAgentRuntime(agentId) {
+  const config2 = loadAgentConfig();
+  delete config2[agentId];
+  saveAgentConfig(config2);
+}
+var AGENT_CONFIG_PATH, KNOWN_RUNTIMES, RUNTIME_LABELS, DEFAULT_MODELS;
+var init_agent_config = __esm({
+  "src/lib/agent-config.ts"() {
+    "use strict";
+    init_config();
+    init_runtime_table();
+    init_secure_files();
+    AGENT_CONFIG_PATH = path3.join(EXE_AI_DIR, "agent-config.json");
+    KNOWN_RUNTIMES = {
+      claude: ["claude-opus-4", "claude-sonnet-4", "claude-haiku-4.5"],
+      codex: ["gpt-5.4", "gpt-5.5", "gpt-5.3-codex-spark", "o3", "o4-mini"],
+      opencode: ["anthropic/claude-sonnet-4-6", "openai/gpt-5.4", "google/gemini-2.5-pro", "deepseek/deepseek-r3", "minimax/minimax-m2.5"]
+    };
+    RUNTIME_LABELS = {
+      claude: "Claude Code (Anthropic)",
+      codex: "Codex (OpenAI)",
+      opencode: "OpenCode (open source)"
+    };
+    DEFAULT_MODELS = {
+      claude: "claude-opus-4",
+      codex: RUNTIME_TABLE.codex?.defaultModel ?? "gpt-5.4",
+      opencode: RUNTIME_TABLE.opencode?.defaultModel ?? "anthropic/claude-sonnet-4-6"
+    };
+  }
+});
+
 // src/lib/employees.ts
 var employees_exports = {};
 __export(employees_exports, {
@@ -280,6 +432,7 @@ __export(employees_exports, {
   getEmployeeByRole: () => getEmployeeByRole,
   getEmployeeNamesByRole: () => getEmployeeNamesByRole,
   hasRole: () => hasRole,
+  hireEmployee: () => hireEmployee,
   isCoordinatorName: () => isCoordinatorName,
   isCoordinatorRole: () => isCoordinatorRole,
   isMultiInstance: () => isMultiInstance,
@@ -292,9 +445,9 @@ __export(employees_exports, {
   validateEmployeeName: () => validateEmployeeName
 });
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync2, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { existsSync as existsSync4, symlinkSync, readlinkSync, readFileSync as readFileSync3, renameSync as renameSync2, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
 import { execSync } from "child_process";
-import path3 from "path";
+import path4 from "path";
 import os3 from "os";
 function normalizeRole(role) {
   return (role ?? "").trim().toLowerCase();
@@ -331,7 +484,7 @@ function validateEmployeeName(name) {
   return { valid: true };
 }
 async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync2(employeesPath)) {
+  if (!existsSync4(employeesPath)) {
     return [];
   }
   const raw = await readFile2(employeesPath, "utf-8");
@@ -342,13 +495,13 @@ async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
   }
 }
 async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
-  await mkdir2(path3.dirname(employeesPath), { recursive: true });
+  await mkdir2(path4.dirname(employeesPath), { recursive: true });
   await writeFile2(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
 }
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync2(employeesPath)) return [];
+  if (!existsSync4(employeesPath)) return [];
   try {
-    return JSON.parse(readFileSync2(employeesPath, "utf-8"));
+    return JSON.parse(readFileSync3(employeesPath, "utf-8"));
   } catch {
     return [];
   }
@@ -390,6 +543,52 @@ function addEmployee(employees, employee) {
   }
   return [...employees, normalized];
 }
+function appendToCoordinatorTeam(employee) {
+  const coordinator = getCoordinatorEmployee(loadEmployeesSync());
+  if (!coordinator) return;
+  const idPath = path4.join(IDENTITY_DIR, `${coordinator.name}.md`);
+  if (!existsSync4(idPath)) return;
+  const content = readFileSync3(idPath, "utf-8");
+  if (content.includes(`**${capitalize(employee.name)}`)) return;
+  const teamMatch = content.match(TEAM_SECTION_RE);
+  if (!teamMatch || teamMatch.index === void 0) return;
+  const afterTeam = content.slice(teamMatch.index + teamMatch[0].length);
+  const nextHeading = afterTeam.match(/\n## /);
+  const entry = `
+**${capitalize(employee.name)} (${employee.role}):** Newly hired. Update this description as the role develops.
+`;
+  let updated;
+  if (nextHeading && nextHeading.index !== void 0) {
+    const insertAt = teamMatch.index + teamMatch[0].length + nextHeading.index;
+    updated = content.slice(0, insertAt) + entry + content.slice(insertAt);
+  } else {
+    updated = content.trimEnd() + "\n" + entry;
+  }
+  writeFileSync2(idPath, updated, "utf-8");
+}
+function capitalize(s) {
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}
+async function hireEmployee(employee) {
+  const employees = await loadEmployees();
+  const updated = addEmployee(employees, employee);
+  await saveEmployees(updated);
+  try {
+    appendToCoordinatorTeam(employee);
+  } catch {
+  }
+  try {
+    const { loadAgentConfig: loadAgentConfig2, saveAgentConfig: saveAgentConfig2 } = await Promise.resolve().then(() => (init_agent_config(), agent_config_exports));
+    const config2 = loadAgentConfig2();
+    const name = employee.name.toLowerCase();
+    if (!config2[name] && config2["default"]) {
+      config2[name] = { ...config2["default"] };
+      saveAgentConfig2(config2);
+    }
+  } catch {
+  }
+  return updated;
+}
 async function normalizeRosterCase(rosterPath) {
   const employees = await loadEmployees(rosterPath);
   let changed = false;
@@ -399,14 +598,14 @@ async function normalizeRosterCase(rosterPath) {
       emp.name = emp.name.toLowerCase();
       changed = true;
       try {
-        const identityDir = path3.join(os3.homedir(), ".exe-os", "identity");
-        const oldPath = path3.join(identityDir, `${oldName}.md`);
-        const newPath = path3.join(identityDir, `${emp.name}.md`);
-        if (existsSync2(oldPath) && !existsSync2(newPath)) {
+        const identityDir = path4.join(os3.homedir(), ".exe-os", "identity");
+        const oldPath = path4.join(identityDir, `${oldName}.md`);
+        const newPath = path4.join(identityDir, `${emp.name}.md`);
+        if (existsSync4(oldPath) && !existsSync4(newPath)) {
           renameSync2(oldPath, newPath);
-        } else if (existsSync2(oldPath) && oldPath !== newPath) {
-          const content = readFileSync2(oldPath, "utf-8");
-          writeFileSync(newPath, content, "utf-8");
+        } else if (existsSync4(oldPath) && oldPath !== newPath) {
+          const content = readFileSync3(oldPath, "utf-8");
+          writeFileSync2(newPath, content, "utf-8");
           if (oldPath.toLowerCase() !== newPath.toLowerCase()) {
             unlinkSync(oldPath);
           }
@@ -436,7 +635,7 @@ function registerBinSymlinks(name) {
     errors.push("Could not find 'exe-os' in PATH");
     return { created, skipped, errors };
   }
-  const binDir = path3.dirname(exeBinPath);
+  const binDir = path4.dirname(exeBinPath);
   let target;
   try {
     target = readlinkSync(exeBinPath);
@@ -446,8 +645,8 @@ function registerBinSymlinks(name) {
   }
   for (const suffix of ["", "-opencode"]) {
     const linkName = `${name}${suffix}`;
-    const linkPath = path3.join(binDir, linkName);
-    if (existsSync2(linkPath)) {
+    const linkPath = path4.join(binDir, linkName);
+    if (existsSync4(linkPath)) {
       skipped.push(linkName);
       continue;
     }
@@ -460,15 +659,17 @@ function registerBinSymlinks(name) {
   }
   return { created, skipped, errors };
 }
-var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, MULTI_INSTANCE_ROLES;
+var EMPLOYEES_PATH, DEFAULT_COORDINATOR_TEMPLATE_NAME, COORDINATOR_ROLE, MULTI_INSTANCE_ROLES, IDENTITY_DIR, TEAM_SECTION_RE;
 var init_employees = __esm({
   "src/lib/employees.ts"() {
     "use strict";
     init_config();
-    EMPLOYEES_PATH = path3.join(EXE_AI_DIR, "exe-employees.json");
+    EMPLOYEES_PATH = path4.join(EXE_AI_DIR, "exe-employees.json");
     DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
     COORDINATOR_ROLE = "COO";
     MULTI_INSTANCE_ROLES = /* @__PURE__ */ new Set(["principal engineer", "content production specialist", "staff code reviewer"]);
+    IDENTITY_DIR = path4.join(EXE_AI_DIR, "identity");
+    TEAM_SECTION_RE = /^## Team\b.*$/m;
   }
 });
 
@@ -479,14 +680,14 @@ __export(session_registry_exports, {
   pruneStaleSessions: () => pruneStaleSessions,
   registerSession: () => registerSession
 });
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, mkdirSync, existsSync as existsSync3 } from "fs";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, existsSync as existsSync5 } from "fs";
 import { execSync as execSync2 } from "child_process";
-import path4 from "path";
+import path5 from "path";
 import os4 from "os";
 function registerSession(entry) {
-  const dir = path4.dirname(REGISTRY_PATH);
-  if (!existsSync3(dir)) {
-    mkdirSync(dir, { recursive: true });
+  const dir = path5.dirname(REGISTRY_PATH);
+  if (!existsSync5(dir)) {
+    mkdirSync2(dir, { recursive: true });
   }
   const sessions = listSessions();
   const idx = sessions.findIndex((s) => s.windowName === entry.windowName);
@@ -495,11 +696,11 @@ function registerSession(entry) {
   } else {
     sessions.push(entry);
   }
-  writeFileSync2(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
+  writeFileSync3(REGISTRY_PATH, JSON.stringify(sessions, null, 2));
 }
 function listSessions() {
   try {
-    const raw = readFileSync3(REGISTRY_PATH, "utf8");
+    const raw = readFileSync4(REGISTRY_PATH, "utf8");
     return JSON.parse(raw);
   } catch {
     return [];
@@ -520,7 +721,7 @@ function pruneStaleSessions() {
   const alive = sessions.filter((s) => liveSet.has(s.windowName));
   const pruned = sessions.length - alive.length;
   if (pruned > 0) {
-    writeFileSync2(REGISTRY_PATH, JSON.stringify(alive, null, 2));
+    writeFileSync3(REGISTRY_PATH, JSON.stringify(alive, null, 2));
   }
   return pruned;
 }
@@ -528,7 +729,7 @@ var REGISTRY_PATH;
 var init_session_registry = __esm({
   "src/lib/session-registry.ts"() {
     "use strict";
-    REGISTRY_PATH = path4.join(os4.homedir(), ".exe-os", "session-registry.json");
+    REGISTRY_PATH = path5.join(os4.homedir(), ".exe-os", "session-registry.json");
   }
 });
 
@@ -790,67 +991,6 @@ var init_provider_table = __esm({
   }
 });
 
-// src/lib/runtime-table.ts
-var RUNTIME_TABLE, DEFAULT_RUNTIME;
-var init_runtime_table = __esm({
-  "src/lib/runtime-table.ts"() {
-    "use strict";
-    RUNTIME_TABLE = {
-      codex: {
-        binary: "codex",
-        launchMode: "interactive",
-        autoApproveFlag: "--dangerously-bypass-approvals-and-sandbox",
-        inlineFlag: "--no-alt-screen",
-        apiKeyEnv: "OPENAI_API_KEY",
-        defaultModel: "gpt-5.4"
-      },
-      opencode: {
-        binary: "opencode",
-        launchMode: "exec",
-        autoApproveFlag: "--dangerously-skip-permissions",
-        inlineFlag: "",
-        apiKeyEnv: "ANTHROPIC_API_KEY",
-        defaultModel: "anthropic/claude-sonnet-4-6"
-      }
-    };
-    DEFAULT_RUNTIME = "claude";
-  }
-});
-
-// src/lib/agent-config.ts
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs";
-import path5 from "path";
-function loadAgentConfig() {
-  if (!existsSync4(AGENT_CONFIG_PATH)) return {};
-  try {
-    return JSON.parse(readFileSync4(AGENT_CONFIG_PATH, "utf-8"));
-  } catch {
-    return {};
-  }
-}
-function getAgentRuntime(agentId) {
-  const config2 = loadAgentConfig();
-  const entry = config2[agentId];
-  if (entry) return entry;
-  const orgDefault = config2["default"];
-  if (orgDefault) return orgDefault;
-  return { runtime: DEFAULT_RUNTIME, model: DEFAULT_MODELS[DEFAULT_RUNTIME] };
-}
-var AGENT_CONFIG_PATH, DEFAULT_MODELS;
-var init_agent_config = __esm({
-  "src/lib/agent-config.ts"() {
-    "use strict";
-    init_config();
-    init_runtime_table();
-    AGENT_CONFIG_PATH = path5.join(EXE_AI_DIR, "agent-config.json");
-    DEFAULT_MODELS = {
-      claude: "claude-opus-4",
-      codex: RUNTIME_TABLE.codex?.defaultModel ?? "gpt-5.4",
-      opencode: RUNTIME_TABLE.opencode?.defaultModel ?? "anthropic/claude-sonnet-4-6"
-    };
-  }
-});
-
 // src/lib/intercom-queue.ts
 var intercom_queue_exports = {};
 __export(intercom_queue_exports, {
@@ -860,16 +1000,16 @@ __export(intercom_queue_exports, {
   queueIntercom: () => queueIntercom,
   readQueue: () => readQueue
 });
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, renameSync as renameSync3, existsSync as existsSync5, mkdirSync as mkdirSync3 } from "fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, renameSync as renameSync3, existsSync as existsSync6, mkdirSync as mkdirSync3 } from "fs";
 import path6 from "path";
 import os5 from "os";
 function ensureDir() {
   const dir = path6.dirname(QUEUE_PATH);
-  if (!existsSync5(dir)) mkdirSync3(dir, { recursive: true });
+  if (!existsSync6(dir)) mkdirSync3(dir, { recursive: true });
 }
 function readQueue() {
   try {
-    if (!existsSync5(QUEUE_PATH)) return [];
+    if (!existsSync6(QUEUE_PATH)) return [];
     return JSON.parse(readFileSync5(QUEUE_PATH, "utf8"));
   } catch {
     return [];
@@ -1032,13 +1172,634 @@ var init_db_retry = __esm({
   }
 });
 
+// src/lib/database-adapter.ts
+import os6 from "os";
+import path7 from "path";
+import { createRequire } from "module";
+import { pathToFileURL } from "url";
+function quotedIdentifier(identifier) {
+  return `"${identifier.replace(/"/g, '""')}"`;
+}
+function unqualifiedTableName(name) {
+  const raw = name.trim().replace(/^"|"$/g, "");
+  const parts = raw.split(".");
+  return parts[parts.length - 1].replace(/^"|"$/g, "").toLowerCase();
+}
+function stripTrailingSemicolon(sql) {
+  return sql.trim().replace(/;+\s*$/u, "");
+}
+function appendClause(sql, clause) {
+  const trimmed = stripTrailingSemicolon(sql);
+  const returningMatch = /\sRETURNING\b[\s\S]*$/iu.exec(trimmed);
+  if (!returningMatch) {
+    return `${trimmed}${clause}`;
+  }
+  const idx = returningMatch.index;
+  return `${trimmed.slice(0, idx)}${clause}${trimmed.slice(idx)}`;
+}
+function normalizeStatement(stmt) {
+  if (typeof stmt === "string") {
+    return { kind: "positional", sql: stmt, args: [] };
+  }
+  const sql = stmt.sql;
+  if (Array.isArray(stmt.args) || stmt.args === void 0) {
+    return { kind: "positional", sql, args: stmt.args ?? [] };
+  }
+  return { kind: "named", sql, args: stmt.args };
+}
+function rewriteBooleanLiterals(sql) {
+  let out = sql;
+  for (const column of BOOLEAN_COLUMN_NAMES) {
+    const scoped = `((?:\\b[a-z_][a-z0-9_]*\\.)?${column})`;
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*0\\b`, "giu"), "$1 = FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*=\\s*1\\b`, "giu"), "$1 = TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*0\\b`, "giu"), "$1 != FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*!=\\s*1\\b`, "giu"), "$1 != TRUE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*0\\b`, "giu"), "$1 <> FALSE");
+    out = out.replace(new RegExp(`${scoped}\\s*<>\\s*1\\b`, "giu"), "$1 <> TRUE");
+  }
+  return out;
+}
+function rewriteInsertOrIgnore(sql) {
+  if (!/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu.test(sql)) {
+    return sql;
+  }
+  const replaced = sql.replace(/^\s*INSERT\s+OR\s+IGNORE\s+INTO\b/iu, "INSERT INTO");
+  return /\bON\s+CONFLICT\b/iu.test(replaced) ? replaced : appendClause(replaced, " ON CONFLICT DO NOTHING");
+}
+function rewriteInsertOrReplace(sql) {
+  const match = /^\s*INSERT\s+OR\s+REPLACE\s+INTO\s+([A-Za-z0-9_."]+)\s*\(([^)]+)\)([\s\S]*)$/iu.exec(sql);
+  if (!match) {
+    return sql;
+  }
+  const rawTable = match[1];
+  const rawColumns = match[2];
+  const remainder = match[3];
+  const tableName = unqualifiedTableName(rawTable);
+  const conflictKeys = UPSERT_KEYS[tableName];
+  if (!conflictKeys?.length) {
+    return sql;
+  }
+  const columns = rawColumns.split(",").map((col) => col.trim().replace(/^"|"$/g, ""));
+  const updateColumns = columns.filter((col) => !conflictKeys.includes(col));
+  const conflictTarget = conflictKeys.map(quotedIdentifier).join(", ");
+  const updateClause = updateColumns.length === 0 ? " DO NOTHING" : ` DO UPDATE SET ${updateColumns.map((col) => `${quotedIdentifier(col)} = EXCLUDED.${quotedIdentifier(col)}`).join(", ")}`;
+  return `INSERT INTO ${rawTable} (${rawColumns})${appendClause(remainder, ` ON CONFLICT (${conflictTarget})${updateClause}`)}`;
+}
+function rewriteSql(sql) {
+  let out = sql;
+  out = out.replace(/\bdatetime\(\s*['"]now['"]\s*\)/giu, "CURRENT_TIMESTAMP");
+  out = out.replace(/\bvector32\s*\(\s*\?\s*\)/giu, "?");
+  out = rewriteBooleanLiterals(out);
+  out = rewriteInsertOrReplace(out);
+  out = rewriteInsertOrIgnore(out);
+  return stripTrailingSemicolon(out);
+}
+function toBoolean(value) {
+  if (value === null || value === void 0) return value;
+  if (typeof value === "boolean") return value;
+  if (typeof value === "number") return value !== 0;
+  if (typeof value === "bigint") return value !== 0n;
+  if (typeof value === "string") {
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "0" || normalized === "false") return false;
+    if (normalized === "1" || normalized === "true") return true;
+  }
+  return Boolean(value);
+}
+function countQuestionMarks(sql, end) {
+  let count = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < end; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      if (ch === "*" && next === "/") {
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      inLineComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "/" && next === "*") {
+      inBlockComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inDouble && ch === "'" && sql[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      continue;
+    }
+    if (!inSingle && ch === '"' && sql[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "?") {
+      count += 1;
+    }
+  }
+  return count;
+}
+function findBooleanPlaceholderIndexes(sql) {
+  const indexes = /* @__PURE__ */ new Set();
+  for (const column of BOOLEAN_COLUMN_NAMES) {
+    const pattern = new RegExp(`(?:\\b[a-z_][a-z0-9_]*\\.)?${column}\\s*=\\s*\\?`, "giu");
+    for (const match of sql.matchAll(pattern)) {
+      const matchText = match[0];
+      const qIndex = match.index + matchText.lastIndexOf("?");
+      indexes.add(countQuestionMarks(sql, qIndex + 1));
+    }
+  }
+  return indexes;
+}
+function coerceInsertBooleanArgs(sql, args) {
+  const match = /^\s*INSERT(?:\s+OR\s+(?:IGNORE|REPLACE))?\s+INTO\s+([A-Za-z0-9_."]+)\s*\(([^)]+)\)/iu.exec(sql);
+  if (!match) return;
+  const rawTable = match[1];
+  const rawColumns = match[2];
+  const boolColumns = BOOLEAN_COLUMNS_BY_TABLE[unqualifiedTableName(rawTable)];
+  if (!boolColumns?.size) return;
+  const columns = rawColumns.split(",").map((col) => col.trim().replace(/^"|"$/g, ""));
+  for (const [index, column] of columns.entries()) {
+    if (boolColumns.has(column) && index < args.length) {
+      args[index] = toBoolean(args[index]);
+    }
+  }
+}
+function coerceUpdateBooleanArgs(sql, args) {
+  const match = /^\s*UPDATE\s+([A-Za-z0-9_."]+)\s+SET\s+([\s\S]+?)(?:\s+WHERE\b|$)/iu.exec(sql);
+  if (!match) return;
+  const rawTable = match[1];
+  const setClause = match[2];
+  const boolColumns = BOOLEAN_COLUMNS_BY_TABLE[unqualifiedTableName(rawTable)];
+  if (!boolColumns?.size) return;
+  const assignments = setClause.split(",");
+  let placeholderIndex = 0;
+  for (const assignment of assignments) {
+    if (!assignment.includes("?")) continue;
+    placeholderIndex += 1;
+    const colMatch = /^\s*(?:[A-Za-z_][A-Za-z0-9_]*\.)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\?/iu.exec(assignment);
+    if (colMatch && boolColumns.has(colMatch[1])) {
+      args[placeholderIndex - 1] = toBoolean(args[placeholderIndex - 1]);
+    }
+  }
+}
+function coerceBooleanArgs(sql, args) {
+  const nextArgs = [...args];
+  coerceInsertBooleanArgs(sql, nextArgs);
+  coerceUpdateBooleanArgs(sql, nextArgs);
+  const placeholderIndexes = findBooleanPlaceholderIndexes(sql);
+  for (const index of placeholderIndexes) {
+    if (index > 0 && index <= nextArgs.length) {
+      nextArgs[index - 1] = toBoolean(nextArgs[index - 1]);
+    }
+  }
+  return nextArgs;
+}
+function convertQuestionMarksToDollarParams(sql) {
+  let out = "";
+  let placeholder = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      out += ch;
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      out += ch;
+      if (ch === "*" && next === "/") {
+        out += next;
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      out += ch + next;
+      inLineComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "/" && next === "*") {
+      out += ch + next;
+      inBlockComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inDouble && ch === "'" && sql[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      out += ch;
+      continue;
+    }
+    if (!inSingle && ch === '"' && sql[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      out += ch;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "?") {
+      placeholder += 1;
+      out += `$${placeholder}`;
+      continue;
+    }
+    out += ch;
+  }
+  return out;
+}
+function translateStatementForPostgres(stmt) {
+  const normalized = normalizeStatement(stmt);
+  if (normalized.kind === "named") {
+    throw new Error("Named SQL parameters are not supported by the Prisma adapter.");
+  }
+  const rewrittenSql = rewriteSql(normalized.sql);
+  const coercedArgs = coerceBooleanArgs(rewrittenSql, normalized.args);
+  return {
+    sql: convertQuestionMarksToDollarParams(rewrittenSql),
+    args: coercedArgs
+  };
+}
+function shouldBypassPostgres(stmt) {
+  const normalized = normalizeStatement(stmt);
+  if (normalized.kind === "named") {
+    return true;
+  }
+  return IMMEDIATE_FALLBACK_PATTERNS.some((pattern) => pattern.test(normalized.sql));
+}
+function shouldFallbackOnError(error) {
+  const message = error instanceof Error ? error.message : String(error);
+  return /42P01|42883|42601|does not exist|syntax error|not supported|Named SQL parameters are not supported/iu.test(message);
+}
+function isReadQuery(sql) {
+  const trimmed = sql.trimStart();
+  return /^(SELECT|WITH|SHOW|EXPLAIN|VALUES)\b/iu.test(trimmed) || /\bRETURNING\b/iu.test(trimmed);
+}
+function buildRow(row, columns) {
+  const values = columns.map((column) => row[column]);
+  return Object.assign(values, row);
+}
+function buildResultSet(rows, rowsAffected = 0) {
+  const columns = rows[0] ? Object.keys(rows[0]) : [];
+  const resultRows = rows.map((row) => buildRow(row, columns));
+  return {
+    columns,
+    columnTypes: columns.map(() => ""),
+    rows: resultRows,
+    rowsAffected,
+    lastInsertRowid: void 0,
+    toJSON() {
+      return {
+        columns,
+        columnTypes: columns.map(() => ""),
+        rows,
+        rowsAffected,
+        lastInsertRowid: void 0
+      };
+    }
+  };
+}
+async function loadPrismaClient() {
+  if (!prismaClientPromise) {
+    prismaClientPromise = (async () => {
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const module2 = await import(pathToFileURL(explicitPath).href);
+        const PrismaClient2 = module2.PrismaClient ?? module2.default?.PrismaClient;
+        if (!PrismaClient2) {
+          throw new Error(`No PrismaClient export found at ${explicitPath}`);
+        }
+        return new PrismaClient2();
+      }
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path7.join(os6.homedir(), "exe-db");
+      const requireFromExeDb = createRequire(path7.join(exeDbRoot, "package.json"));
+      const prismaEntry = requireFromExeDb.resolve("@prisma/client");
+      const module = await import(pathToFileURL(prismaEntry).href);
+      const PrismaClient = module.PrismaClient ?? module.default?.PrismaClient;
+      if (!PrismaClient) {
+        throw new Error(`No PrismaClient export found in ${prismaEntry}`);
+      }
+      return new PrismaClient();
+    })();
+  }
+  return prismaClientPromise;
+}
+async function ensureCompatibilityViews(prisma) {
+  if (!compatibilityBootstrapPromise) {
+    compatibilityBootstrapPromise = (async () => {
+      for (const mapping of VIEW_MAPPINGS) {
+        const relation = mapping.source.replace(/"/g, "");
+        const rows = await prisma.$queryRawUnsafe(
+          "SELECT to_regclass($1) AS regclass",
+          relation
+        );
+        if (!rows[0]?.regclass) {
+          continue;
+        }
+        await prisma.$executeRawUnsafe(
+          `CREATE OR REPLACE VIEW public.${quotedIdentifier(mapping.view)} AS SELECT * FROM ${mapping.source}`
+        );
+      }
+    })();
+  }
+  return compatibilityBootstrapPromise;
+}
+async function executeOnPrisma(executor, stmt) {
+  const translated = translateStatementForPostgres(stmt);
+  if (isReadQuery(translated.sql)) {
+    const rows = await executor.$queryRawUnsafe(
+      translated.sql,
+      ...translated.args
+    );
+    return buildResultSet(rows, /\bRETURNING\b/iu.test(translated.sql) ? rows.length : 0);
+  }
+  const rowsAffected = await executor.$executeRawUnsafe(translated.sql, ...translated.args);
+  return buildResultSet([], rowsAffected);
+}
+function splitSqlStatements(sql) {
+  const parts = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i];
+    const next = sql[i + 1];
+    if (inLineComment) {
+      current += ch;
+      if (ch === "\n") inLineComment = false;
+      continue;
+    }
+    if (inBlockComment) {
+      current += ch;
+      if (ch === "*" && next === "/") {
+        current += next;
+        inBlockComment = false;
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "-" && next === "-") {
+      current += ch + next;
+      inLineComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "/" && next === "*") {
+      current += ch + next;
+      inBlockComment = true;
+      i += 1;
+      continue;
+    }
+    if (!inDouble && ch === "'" && sql[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      current += ch;
+      continue;
+    }
+    if (!inSingle && ch === '"' && sql[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      current += ch;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === ";") {
+      if (current.trim()) {
+        parts.push(current.trim());
+      }
+      current = "";
+      continue;
+    }
+    current += ch;
+  }
+  if (current.trim()) {
+    parts.push(current.trim());
+  }
+  return parts;
+}
+async function createPrismaDbAdapter(fallbackClient) {
+  const prisma = await loadPrismaClient();
+  await ensureCompatibilityViews(prisma);
+  let closed = false;
+  let adapter;
+  const fallbackExecute = async (stmt, error) => {
+    if (!fallbackClient) {
+      if (error) throw error;
+      throw new Error("No fallback SQLite client is available for this Prisma-routed query.");
+    }
+    if (error) {
+      process.stderr.write(
+        `[database-adapter] Falling back to SQLite: ${error instanceof Error ? error.message : String(error)}
+`
+      );
+    }
+    return fallbackClient.execute(stmt);
+  };
+  adapter = {
+    async execute(stmt) {
+      if (shouldBypassPostgres(stmt)) {
+        return fallbackExecute(stmt);
+      }
+      try {
+        return await executeOnPrisma(prisma, stmt);
+      } catch (error) {
+        if (shouldFallbackOnError(error)) {
+          return fallbackExecute(stmt, error);
+        }
+        throw error;
+      }
+    },
+    async batch(stmts, mode) {
+      if (stmts.some((stmt) => shouldBypassPostgres(stmt))) {
+        if (!fallbackClient) {
+          throw new Error("Cannot batch unsupported SQLite-only statements without a fallback client.");
+        }
+        return fallbackClient.batch(stmts, mode);
+      }
+      try {
+        if (prisma.$transaction) {
+          return await prisma.$transaction(async (tx) => {
+            const results2 = [];
+            for (const stmt of stmts) {
+              results2.push(await executeOnPrisma(tx, stmt));
+            }
+            return results2;
+          });
+        }
+        const results = [];
+        for (const stmt of stmts) {
+          results.push(await executeOnPrisma(prisma, stmt));
+        }
+        return results;
+      } catch (error) {
+        if (fallbackClient && shouldFallbackOnError(error)) {
+          process.stderr.write(
+            `[database-adapter] Falling back batch to SQLite: ${error instanceof Error ? error.message : String(error)}
+`
+          );
+          return fallbackClient.batch(stmts, mode);
+        }
+        throw error;
+      }
+    },
+    async migrate(stmts) {
+      if (fallbackClient) {
+        return fallbackClient.migrate(stmts);
+      }
+      return adapter.batch(stmts, "deferred");
+    },
+    async transaction(mode) {
+      if (!fallbackClient) {
+        throw new Error("Interactive transactions are only supported on the SQLite fallback client.");
+      }
+      return fallbackClient.transaction(mode);
+    },
+    async executeMultiple(sql) {
+      if (fallbackClient && shouldBypassPostgres(sql)) {
+        return fallbackClient.executeMultiple(sql);
+      }
+      for (const statement of splitSqlStatements(sql)) {
+        await adapter.execute(statement);
+      }
+    },
+    async sync() {
+      if (fallbackClient) {
+        return fallbackClient.sync();
+      }
+      return { frame_no: 0, frames_synced: 0 };
+    },
+    close() {
+      closed = true;
+      prismaClientPromise = null;
+      compatibilityBootstrapPromise = null;
+      void prisma.$disconnect?.();
+    },
+    get closed() {
+      return closed;
+    },
+    get protocol() {
+      return "prisma-postgres";
+    }
+  };
+  return adapter;
+}
+var VIEW_MAPPINGS, UPSERT_KEYS, BOOLEAN_COLUMNS_BY_TABLE, BOOLEAN_COLUMN_NAMES, IMMEDIATE_FALLBACK_PATTERNS, prismaClientPromise, compatibilityBootstrapPromise;
+var init_database_adapter = __esm({
+  "src/lib/database-adapter.ts"() {
+    "use strict";
+    VIEW_MAPPINGS = [
+      { view: "memories", source: "memory.memory_records" },
+      { view: "tasks", source: "memory.tasks" },
+      { view: "behaviors", source: "memory.behaviors" },
+      { view: "entities", source: "memory.entities" },
+      { view: "relationships", source: "memory.relationships" },
+      { view: "entity_memories", source: "memory.entity_memories" },
+      { view: "entity_aliases", source: "memory.entity_aliases" },
+      { view: "notifications", source: "memory.notifications" },
+      { view: "messages", source: "memory.messages" },
+      { view: "users", source: "wiki.users" },
+      { view: "workspaces", source: "wiki.workspaces" },
+      { view: "workspace_users", source: "wiki.workspace_users" },
+      { view: "documents", source: "wiki.workspace_documents" },
+      { view: "chats", source: "wiki.workspace_chats" }
+    ];
+    UPSERT_KEYS = {
+      memories: ["id"],
+      tasks: ["id"],
+      behaviors: ["id"],
+      entities: ["id"],
+      relationships: ["id"],
+      entity_aliases: ["alias"],
+      notifications: ["id"],
+      messages: ["id"],
+      users: ["id"],
+      workspaces: ["id"],
+      workspace_users: ["id"],
+      documents: ["id"],
+      chats: ["id"]
+    };
+    BOOLEAN_COLUMNS_BY_TABLE = {
+      memories: /* @__PURE__ */ new Set(["has_error", "draft"]),
+      behaviors: /* @__PURE__ */ new Set(["active"]),
+      notifications: /* @__PURE__ */ new Set(["read"]),
+      users: /* @__PURE__ */ new Set(["has_personal_memory"])
+    };
+    BOOLEAN_COLUMN_NAMES = new Set(
+      Object.values(BOOLEAN_COLUMNS_BY_TABLE).flatMap((cols) => [...cols])
+    );
+    IMMEDIATE_FALLBACK_PATTERNS = [
+      /\bPRAGMA\b/i,
+      /\bsqlite_master\b/i,
+      /(?:^|[.\s])(?:memories|conversations|entities)_fts\b/i,
+      /\bMATCH\b/i,
+      /\bvector_distance_cos\s*\(/i,
+      /\bjson_extract\s*\(/i,
+      /\bjulianday\s*\(/i,
+      /\bstrftime\s*\(/i,
+      /\blast_insert_rowid\s*\(/i
+    ];
+    prismaClientPromise = null;
+    compatibilityBootstrapPromise = null;
+  }
+});
+
+// src/lib/daemon-auth.ts
+import crypto from "crypto";
+import path8 from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync6, writeFileSync as writeFileSync5 } from "fs";
+function normalizeToken(token) {
+  if (!token) return null;
+  const trimmed = token.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function readDaemonToken() {
+  try {
+    if (!existsSync7(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync6(DAEMON_TOKEN_PATH, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function ensureDaemonToken(seed) {
+  const existing = readDaemonToken();
+  if (existing) return existing;
+  const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
+  ensurePrivateDirSync(EXE_AI_DIR);
+  writeFileSync5(DAEMON_TOKEN_PATH, `${token}
+`, "utf8");
+  enforcePrivateFileSync(DAEMON_TOKEN_PATH);
+  return token;
+}
+var DAEMON_TOKEN_PATH;
+var init_daemon_auth = __esm({
+  "src/lib/daemon-auth.ts"() {
+    "use strict";
+    init_config();
+    init_secure_files();
+    DAEMON_TOKEN_PATH = path8.join(EXE_AI_DIR, "exed.token");
+  }
+});
+
 // src/lib/exe-daemon-client.ts
 import net from "net";
-import os6 from "os";
+import os7 from "os";
 import { spawn } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
-import { existsSync as existsSync6, unlinkSync as unlinkSync2, readFileSync as readFileSync6, openSync, closeSync, statSync } from "fs";
-import path7 from "path";
+import { existsSync as existsSync8, unlinkSync as unlinkSync2, readFileSync as readFileSync7, openSync, closeSync, statSync } from "fs";
+import path9 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
@@ -1066,9 +1827,9 @@ function handleData(chunk) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync6(PID_PATH)) {
+  if (existsSync8(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync6(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync7(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -1089,17 +1850,17 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path7.dirname(fileURLToPath(import.meta.url));
-  const { root } = path7.parse(dir);
+  let dir = path9.dirname(fileURLToPath(import.meta.url));
+  const { root } = path9.parse(dir);
   while (dir !== root) {
-    if (existsSync6(path7.join(dir, "package.json"))) return dir;
-    dir = path7.dirname(dir);
+    if (existsSync8(path9.join(dir, "package.json"))) return dir;
+    dir = path9.dirname(dir);
   }
   return null;
 }
 function spawnDaemon() {
-  const freeGB = os6.freemem() / (1024 * 1024 * 1024);
-  const totalGB = os6.totalmem() / (1024 * 1024 * 1024);
+  const freeGB = os7.freemem() / (1024 * 1024 * 1024);
+  const totalGB = os7.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
@@ -1119,16 +1880,17 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path7.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync6(daemonPath)) {
+  const daemonPath = path9.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync8(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
   }
   const resolvedPath = daemonPath;
+  const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path7.join(path7.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path9.join(path9.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -1146,7 +1908,8 @@ function spawnDaemon() {
       TMUX_PANE: void 0,
       // Prevents resolveExeSession() from scoping to one session
       EXE_DAEMON_SOCK: SOCKET_PATH,
-      EXE_DAEMON_PID: PID_PATH
+      EXE_DAEMON_PID: PID_PATH,
+      [DAEMON_TOKEN_ENV]: daemonToken
     }
   });
   child.unref();
@@ -1256,13 +2019,14 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
       return;
     }
     const id = randomUUID2();
+    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
     const timer = setTimeout(() => {
       _pending.delete(id);
       resolve({ error: "Request timeout" });
     }, timeoutMs);
     _pending.set(id, { resolve, timer });
     try {
-      _socket.write(JSON.stringify({ id, ...payload }) + "\n");
+      _socket.write(JSON.stringify({ id, token, ...payload }) + "\n");
     } catch {
       clearTimeout(timer);
       _pending.delete(id);
@@ -1279,74 +2043,123 @@ async function pingDaemon() {
   return null;
 }
 function killAndRespawnDaemon() {
-  process.stderr.write("[exed-client] Killing daemon for restart...\n");
-  if (existsSync6(PID_PATH)) {
-    try {
-      const pid = parseInt(readFileSync6(PID_PATH, "utf8").trim(), 10);
-      if (pid > 0) {
-        try {
-          process.kill(pid, "SIGKILL");
-        } catch {
+  if (!acquireSpawnLock()) {
+    process.stderr.write("[exed-client] Another process is already restarting daemon \u2014 skipping\n");
+    if (_socket) {
+      _socket.destroy();
+      _socket = null;
+    }
+    _connected = false;
+    _buffer = "";
+    return;
+  }
+  try {
+    process.stderr.write("[exed-client] Killing daemon for restart...\n");
+    if (existsSync8(PID_PATH)) {
+      try {
+        const pid = parseInt(readFileSync7(PID_PATH, "utf8").trim(), 10);
+        if (pid > 0) {
+          try {
+            process.kill(pid, "SIGKILL");
+          } catch {
+          }
         }
+      } catch {
       }
+    }
+    if (_socket) {
+      _socket.destroy();
+      _socket = null;
+    }
+    _connected = false;
+    _buffer = "";
+    try {
+      unlinkSync2(PID_PATH);
     } catch {
     }
+    try {
+      unlinkSync2(SOCKET_PATH);
+    } catch {
+    }
+    spawnDaemon();
+  } finally {
+    releaseSpawnLock();
   }
-  if (_socket) {
-    _socket.destroy();
-    _socket = null;
-  }
-  _connected = false;
-  _buffer = "";
-  try {
-    unlinkSync2(PID_PATH);
-  } catch {
-  }
+}
+function isDaemonTooYoung() {
   try {
-    unlinkSync2(SOCKET_PATH);
+    const stat = statSync(PID_PATH);
+    return Date.now() - stat.mtimeMs < MIN_DAEMON_AGE_MS;
   } catch {
+    return false;
+  }
+}
+async function retryThenRestart(doRequest, label) {
+  const result = await doRequest();
+  if (!result.error) {
+    _consecutiveFailures = 0;
+    return result;
+  }
+  _consecutiveFailures++;
+  for (let i = 0; i < MAX_RETRIES_BEFORE_RESTART; i++) {
+    const delayMs = RETRY_DELAYS_MS[i] ?? 5e3;
+    process.stderr.write(`[exed-client] ${label} failed (${result.error}), retry ${i + 1}/${MAX_RETRIES_BEFORE_RESTART} in ${delayMs}ms
+`);
+    await new Promise((r) => setTimeout(r, delayMs));
+    if (!_connected) {
+      if (!await connectToSocket()) continue;
+    }
+    const retry = await doRequest();
+    if (!retry.error) {
+      _consecutiveFailures = 0;
+      return retry;
+    }
+    _consecutiveFailures++;
+  }
+  if (isDaemonTooYoung()) {
+    process.stderr.write(`[exed-client] ${label}: daemon too young (< ${MIN_DAEMON_AGE_MS / 1e3}s) \u2014 skipping restart
+`);
+    return { error: result.error };
+  }
+  process.stderr.write(`[exed-client] ${label}: ${_consecutiveFailures} consecutive failures \u2014 restarting daemon
+`);
+  killAndRespawnDaemon();
+  const start = Date.now();
+  let delay2 = 200;
+  while (Date.now() - start < CONNECT_TIMEOUT_MS) {
+    await new Promise((r) => setTimeout(r, delay2));
+    if (await connectToSocket()) break;
+    delay2 = Math.min(delay2 * 2, 3e3);
   }
-  spawnDaemon();
+  if (!_connected) return { error: "Daemon restart failed" };
+  const final = await doRequest();
+  if (!final.error) _consecutiveFailures = 0;
+  return final;
 }
 async function embedViaClient(text, priority = "high") {
   if (!_connected && !await connectEmbedDaemon()) return null;
   _requestCount++;
   if (_requestCount % HEALTH_CHECK_INTERVAL === 0) {
     const health = await pingDaemon();
-    if (!health) {
+    if (!health && !isDaemonTooYoung()) {
       process.stderr.write(`[exed-client] Periodic health check failed at request ${_requestCount} \u2014 restarting daemon
 `);
       killAndRespawnDaemon();
       const start = Date.now();
-      let delay2 = 200;
+      let d = 200;
       while (Date.now() - start < CONNECT_TIMEOUT_MS) {
-        await new Promise((r) => setTimeout(r, delay2));
+        await new Promise((r) => setTimeout(r, d));
         if (await connectToSocket()) break;
-        delay2 = Math.min(delay2 * 2, 3e3);
+        d = Math.min(d * 2, 3e3);
       }
       if (!_connected) return null;
     }
   }
-  const result = await sendRequest([text], priority);
-  if (!result.error && result.vectors?.[0]) return result.vectors[0];
-  if (result.error) {
-    process.stderr.write(`[exed-client] Embed failed (${result.error}) \u2014 attempting restart
-`);
-    killAndRespawnDaemon();
-    const start = Date.now();
-    let delay2 = 200;
-    while (Date.now() - start < CONNECT_TIMEOUT_MS) {
-      await new Promise((r) => setTimeout(r, delay2));
-      if (await connectToSocket()) break;
-      delay2 = Math.min(delay2 * 2, 3e3);
-    }
-    if (!_connected) return null;
-    const retry = await sendRequest([text], priority);
-    if (!retry.error && retry.vectors?.[0]) return retry.vectors[0];
-    process.stderr.write(`[exed-client] Embed retry also failed: ${retry.error ?? "no vector"}
-`);
-  }
-  return null;
+  const result = await retryThenRestart(
+    () => sendRequest([text], priority),
+    "Embed"
+  );
+  return !result.error && result.vectors?.[0] ? result.vectors[0] : null;
 }
 function disconnectClient() {
   if (_socket) {
@@ -1364,22 +2177,28 @@ function disconnectClient() {
 function isClientConnected() {
   return _connected;
 }
-var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, _socket, _connected, _buffer, _requestCount, HEALTH_CHECK_INTERVAL, _pending, MAX_BUFFER;
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _requestCount, _consecutiveFailures, HEALTH_CHECK_INTERVAL, MAX_RETRIES_BEFORE_RESTART, RETRY_DELAYS_MS, MIN_DAEMON_AGE_MS, _pending, MAX_BUFFER;
 var init_exe_daemon_client = __esm({
   "src/lib/exe-daemon-client.ts"() {
     "use strict";
     init_config();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path7.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path7.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path7.join(EXE_AI_DIR, "exed-spawn.lock");
+    init_daemon_auth();
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path9.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path9.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path9.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
+    DAEMON_TOKEN_ENV = "EXE_DAEMON_TOKEN";
     _socket = null;
     _connected = false;
     _buffer = "";
     _requestCount = 0;
+    _consecutiveFailures = 0;
     HEALTH_CHECK_INTERVAL = 100;
+    MAX_RETRIES_BEFORE_RESTART = 3;
+    RETRY_DELAYS_MS = [1e3, 3e3, 5e3];
+    MIN_DAEMON_AGE_MS = 3e4;
     _pending = /* @__PURE__ */ new Map();
     MAX_BUFFER = 1e7;
   }
@@ -1455,7 +2274,7 @@ __export(db_daemon_client_exports, {
   createDaemonDbClient: () => createDaemonDbClient,
   initDaemonDbClient: () => initDaemonDbClient
 });
-function normalizeStatement(stmt) {
+function normalizeStatement2(stmt) {
   if (typeof stmt === "string") {
     return { sql: stmt, args: [] };
   }
@@ -1479,7 +2298,7 @@ function createDaemonDbClient(fallbackClient) {
       if (!_useDaemon || !isClientConnected()) {
         return fallbackClient.execute(stmt);
       }
-      const { sql, args } = normalizeStatement(stmt);
+      const { sql, args } = normalizeStatement2(stmt);
       const response = await sendDaemonRequest({
         type: "db-execute",
         sql,
@@ -1504,7 +2323,7 @@ function createDaemonDbClient(fallbackClient) {
       if (!_useDaemon || !isClientConnected()) {
         return fallbackClient.batch(stmts, mode);
       }
-      const statements = stmts.map(normalizeStatement);
+      const statements = stmts.map(normalizeStatement2);
       const response = await sendDaemonRequest({
         type: "db-batch",
         statements,
@@ -1599,6 +2418,18 @@ __export(database_exports, {
 });
 import { createClient } from "@libsql/client";
 async function initDatabase(config2) {
+  if (_walCheckpointTimer) {
+    clearInterval(_walCheckpointTimer);
+    _walCheckpointTimer = null;
+  }
+  if (_daemonClient) {
+    _daemonClient.close();
+    _daemonClient = null;
+  }
+  if (_adapterClient && _adapterClient !== _resilientClient) {
+    _adapterClient.close();
+  }
+  _adapterClient = null;
   if (_client) {
     _client.close();
     _client = null;
@@ -1612,6 +2443,7 @@ async function initDatabase(config2) {
   }
   _client = createClient(opts);
   _resilientClient = wrapWithRetry(_client);
+  _adapterClient = _resilientClient;
   _client.execute("PRAGMA busy_timeout = 30000").catch(() => {
   });
   _client.execute("PRAGMA journal_mode = WAL").catch(() => {
@@ -1622,14 +2454,20 @@ async function initDatabase(config2) {
     });
   }, 3e4);
   _walCheckpointTimer.unref();
+  if (process.env.DATABASE_URL) {
+    _adapterClient = await createPrismaDbAdapter(_resilientClient);
+  }
 }
 function isInitialized() {
-  return _client !== null;
+  return _adapterClient !== null || _client !== null;
 }
 function getClient() {
-  if (!_resilientClient) {
+  if (!_adapterClient) {
     throw new Error("Database client not initialized. Call initDatabase() first.");
   }
+  if (process.env.DATABASE_URL) {
+    return _adapterClient;
+  }
   if (process.env.EXE_IS_DAEMON === "1") {
     return _resilientClient;
   }
@@ -1639,6 +2477,7 @@ function getClient() {
   return _resilientClient;
 }
 async function initDaemonClient() {
+  if (process.env.DATABASE_URL) return;
   if (process.env.EXE_IS_DAEMON === "1") return;
   if (!_resilientClient) return;
   try {
@@ -1935,6 +2774,7 @@ async function ensureSchema() {
       project     TEXT NOT NULL,
       summary     TEXT NOT NULL,
       task_file   TEXT,
+      session_scope TEXT,
       read        INTEGER NOT NULL DEFAULT 0,
       created_at  TEXT NOT NULL
     );
@@ -1943,7 +2783,7 @@ async function ensureSchema() {
       ON notifications(read);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_agent
-      ON notifications(agent_id);
+      ON notifications(agent_id, session_scope);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_task_file
       ON notifications(task_file);
@@ -1981,6 +2821,7 @@ async function ensureSchema() {
       target_agent    TEXT NOT NULL,
       target_project  TEXT,
       target_device   TEXT NOT NULL DEFAULT 'local',
+      session_scope   TEXT,
       content         TEXT NOT NULL,
       priority        TEXT DEFAULT 'normal',
       status          TEXT DEFAULT 'pending',
@@ -1994,10 +2835,31 @@ async function ensureSchema() {
     );
 
     CREATE INDEX IF NOT EXISTS idx_messages_target
-      ON messages(target_agent, status);
+      ON messages(target_agent, session_scope, status);
 
     CREATE INDEX IF NOT EXISTS idx_messages_conversation_order
-      ON messages(target_agent, from_agent, server_seq);
+      ON messages(target_agent, session_scope, from_agent, server_seq);
+  `);
+  try {
+    await client.execute({
+      sql: `ALTER TABLE notifications ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE messages ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE INDEX IF NOT EXISTS idx_notifications_agent_scope_read
+      ON notifications(agent_id, session_scope, read, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_messages_target_scope_status
+      ON messages(target_agent, session_scope, status, created_at);
   `);
   try {
     await client.execute({
@@ -2581,46 +3443,66 @@ async function ensureSchema() {
     } catch {
     }
   }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
 }
 async function disposeDatabase() {
+  if (_walCheckpointTimer) {
+    clearInterval(_walCheckpointTimer);
+    _walCheckpointTimer = null;
+  }
   if (_daemonClient) {
     _daemonClient.close();
     _daemonClient = null;
   }
+  if (_adapterClient && _adapterClient !== _resilientClient) {
+    _adapterClient.close();
+  }
+  _adapterClient = null;
   if (_client) {
     _client.close();
     _client = null;
     _resilientClient = null;
   }
 }
-var _client, _resilientClient, _walCheckpointTimer, _daemonClient, initTurso, disposeTurso;
+var _client, _resilientClient, _walCheckpointTimer, _daemonClient, _adapterClient, initTurso, disposeTurso;
 var init_database = __esm({
   "src/lib/database.ts"() {
     "use strict";
     init_db_retry();
     init_employees();
+    init_database_adapter();
     _client = null;
     _resilientClient = null;
     _walCheckpointTimer = null;
     _daemonClient = null;
+    _adapterClient = null;
     initTurso = initDatabase;
     disposeTurso = disposeDatabase;
   }
 });
 
 // src/lib/license.ts
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, existsSync as existsSync7, mkdirSync as mkdirSync4 } from "fs";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync6, existsSync as existsSync9, mkdirSync as mkdirSync4 } from "fs";
 import { randomUUID as randomUUID3 } from "crypto";
-import path8 from "path";
+import { createRequire as createRequire2 } from "module";
+import { pathToFileURL as pathToFileURL2 } from "url";
+import os8 from "os";
+import path10 from "path";
 import { jwtVerify, importSPKI } from "jose";
 var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, PLAN_LIMITS;
 var init_license = __esm({
   "src/lib/license.ts"() {
     "use strict";
     init_config();
-    LICENSE_PATH = path8.join(EXE_AI_DIR, "license.key");
-    CACHE_PATH = path8.join(EXE_AI_DIR, "license-cache.json");
-    DEVICE_ID_PATH = path8.join(EXE_AI_DIR, "device-id");
+    LICENSE_PATH = path10.join(EXE_AI_DIR, "license.key");
+    CACHE_PATH = path10.join(EXE_AI_DIR, "license-cache.json");
+    DEVICE_ID_PATH = path10.join(EXE_AI_DIR, "device-id");
     PLAN_LIMITS = {
       free: { devices: 1, employees: 1, memories: 5e3 },
       pro: { devices: 3, employees: 5, memories: 1e5 },
@@ -2632,12 +3514,12 @@ var init_license = __esm({
 });
 
 // src/lib/plan-limits.ts
-import { readFileSync as readFileSync8, existsSync as existsSync8 } from "fs";
-import path9 from "path";
+import { readFileSync as readFileSync9, existsSync as existsSync10 } from "fs";
+import path11 from "path";
 function getLicenseSync() {
   try {
-    if (!existsSync8(CACHE_PATH2)) return freeLicense();
-    const raw = JSON.parse(readFileSync8(CACHE_PATH2, "utf8"));
+    if (!existsSync10(CACHE_PATH2)) return freeLicense();
+    const raw = JSON.parse(readFileSync9(CACHE_PATH2, "utf8"));
     if (!raw.token || typeof raw.token !== "string") return freeLicense();
     const parts = raw.token.split(".");
     if (parts.length !== 3) return freeLicense();
@@ -2675,8 +3557,8 @@ function assertEmployeeLimitSync(rosterPath) {
   const filePath = rosterPath ?? EMPLOYEES_PATH;
   let count = 0;
   try {
-    if (existsSync8(filePath)) {
-      const raw = readFileSync8(filePath, "utf8");
+    if (existsSync10(filePath)) {
+      const raw = readFileSync9(filePath, "utf8");
       const employees = JSON.parse(raw);
       count = Array.isArray(employees) ? employees.length : 0;
     }
@@ -2705,29 +3587,69 @@ var init_plan_limits = __esm({
         this.name = "PlanLimitError";
       }
     };
-    CACHE_PATH2 = path9.join(EXE_AI_DIR, "license-cache.json");
+    CACHE_PATH2 = path11.join(EXE_AI_DIR, "license-cache.json");
+  }
+});
+
+// src/lib/task-scope.ts
+var task_scope_exports = {};
+__export(task_scope_exports, {
+  getCurrentSessionScope: () => getCurrentSessionScope,
+  sessionScopeFilter: () => sessionScopeFilter,
+  strictSessionScopeFilter: () => strictSessionScopeFilter
+});
+function getCurrentSessionScope() {
+  try {
+    return resolveExeSession();
+  } catch {
+    return null;
+  }
+}
+function sessionScopeFilter(sessionScope, tableAlias) {
+  const scope = sessionScope !== void 0 ? sessionScope : getCurrentSessionScope();
+  if (!scope) return { sql: "", args: [] };
+  const col = tableAlias ? `${tableAlias}.session_scope` : "session_scope";
+  return {
+    sql: ` AND (${col} IS NULL OR ${col} = ?)`,
+    args: [scope]
+  };
+}
+function strictSessionScopeFilter(sessionScope, tableAlias) {
+  const scope = sessionScope !== void 0 ? sessionScope : getCurrentSessionScope();
+  if (!scope) return { sql: "", args: [] };
+  const col = tableAlias ? `${tableAlias}.session_scope` : "session_scope";
+  return {
+    sql: ` AND ${col} = ?`,
+    args: [scope]
+  };
+}
+var init_task_scope = __esm({
+  "src/lib/task-scope.ts"() {
+    "use strict";
+    init_tmux_routing();
   }
 });
 
 // src/lib/notifications.ts
-import crypto from "crypto";
-import path10 from "path";
-import os7 from "os";
+import crypto2 from "crypto";
+import path12 from "path";
+import os9 from "os";
 import {
-  readFileSync as readFileSync9,
+  readFileSync as readFileSync10,
   readdirSync,
   unlinkSync as unlinkSync3,
-  existsSync as existsSync9,
+  existsSync as existsSync11,
   rmdirSync
 } from "fs";
 async function writeNotification(notification) {
   try {
     const client = getClient();
-    const id = crypto.randomUUID();
+    const id = crypto2.randomUUID();
     const now = (/* @__PURE__ */ new Date()).toISOString();
+    const sessionScope = notification.sessionScope === void 0 ? getCurrentSessionScope() : notification.sessionScope;
     await client.execute({
-      sql: `INSERT INTO notifications (id, agent_id, agent_role, event, project, summary, task_file, read, created_at)
-            VALUES (?, ?, ?, ?, ?, ?, ?, 0, ?)`,
+      sql: `INSERT INTO notifications (id, agent_id, agent_role, event, project, summary, task_file, session_scope, read, created_at)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?, 0, ?)`,
       args: [
         id,
         notification.agentId,
@@ -2736,6 +3658,7 @@ async function writeNotification(notification) {
         notification.project,
         notification.summary,
         notification.taskFile ?? null,
+        sessionScope,
         now
       ]
     });
@@ -2744,12 +3667,14 @@ async function writeNotification(notification) {
 `);
   }
 }
-async function markAsReadByTaskFile(taskFile) {
+async function markAsReadByTaskFile(taskFile, sessionScope) {
   try {
     const client = getClient();
+    const scope = strictSessionScopeFilter(sessionScope);
     await client.execute({
-      sql: "UPDATE notifications SET read = 1 WHERE task_file = ? AND read = 0",
-      args: [taskFile]
+      sql: `UPDATE notifications SET read = 1
+            WHERE task_file = ? AND read = 0${scope.sql}`,
+      args: [taskFile, ...scope.args]
     });
   } catch {
   }
@@ -2758,11 +3683,12 @@ var init_notifications = __esm({
   "src/lib/notifications.ts"() {
     "use strict";
     init_database();
+    init_task_scope();
   }
 });
 
 // src/lib/session-kill-telemetry.ts
-import crypto2 from "crypto";
+import crypto3 from "crypto";
 async function recordSessionKill(input) {
   try {
     const client = getClient();
@@ -2772,7 +3698,7 @@ async function recordSessionKill(input) {
                ticks_idle, estimated_tokens_saved)
             VALUES (?, ?, ?, ?, ?, ?, ?)`,
       args: [
-        crypto2.randomUUID(),
+        crypto3.randomUUID(),
         input.sessionName,
         input.agentId,
         (/* @__PURE__ */ new Date()).toISOString(),
@@ -2795,35 +3721,6 @@ var init_session_kill_telemetry = __esm({
   }
 });
 
-// src/lib/task-scope.ts
-var task_scope_exports = {};
-__export(task_scope_exports, {
-  getCurrentSessionScope: () => getCurrentSessionScope,
-  sessionScopeFilter: () => sessionScopeFilter
-});
-function getCurrentSessionScope() {
-  try {
-    return resolveExeSession();
-  } catch {
-    return null;
-  }
-}
-function sessionScopeFilter(sessionScope, tableAlias) {
-  const scope = sessionScope !== void 0 ? sessionScope : getCurrentSessionScope();
-  if (!scope) return { sql: "", args: [] };
-  const col = tableAlias ? `${tableAlias}.session_scope` : "session_scope";
-  return {
-    sql: ` AND (${col} IS NULL OR ${col} = ?)`,
-    args: [scope]
-  };
-}
-var init_task_scope = __esm({
-  "src/lib/task-scope.ts"() {
-    "use strict";
-    init_tmux_routing();
-  }
-});
-
 // src/lib/state-bus.ts
 var StateBus, orgBus;
 var init_state_bus = __esm({
@@ -2880,12 +3777,12 @@ var init_state_bus = __esm({
 });
 
 // src/lib/tasks-crud.ts
-import crypto3 from "crypto";
-import path11 from "path";
-import os8 from "os";
+import crypto4 from "crypto";
+import path13 from "path";
+import os10 from "os";
 import { execSync as execSync5 } from "child_process";
 import { mkdir as mkdir3, writeFile as writeFile3, appendFile } from "fs/promises";
-import { existsSync as existsSync10, readFileSync as readFileSync10 } from "fs";
+import { existsSync as existsSync12, readFileSync as readFileSync11 } from "fs";
 async function writeCheckpoint(input) {
   const client = getClient();
   const row = await resolveTask(client, input.taskId);
@@ -3001,7 +3898,7 @@ async function resolveTask(client, identifier, scopeSession) {
 }
 async function createTaskCore(input) {
   const client = getClient();
-  const id = crypto3.randomUUID();
+  const id = crypto4.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const slug = slugify(input.title);
   let earlySessionScope = null;
@@ -3060,8 +3957,8 @@ ${laneWarning}` : laneWarning;
   }
   if (input.baseDir) {
     try {
-      await mkdir3(path11.join(input.baseDir, "exe", "output"), { recursive: true });
-      await mkdir3(path11.join(input.baseDir, "exe", "research"), { recursive: true });
+      await mkdir3(path13.join(input.baseDir, "exe", "output"), { recursive: true });
+      await mkdir3(path13.join(input.baseDir, "exe", "research"), { recursive: true });
       await ensureArchitectureDoc(input.baseDir, input.projectName);
       await ensureGitignoreExe(input.baseDir);
     } catch {
@@ -3097,13 +3994,19 @@ ${laneWarning}` : laneWarning;
   });
   if (input.baseDir) {
     try {
-      const EXE_OS_DIR = path11.join(os8.homedir(), ".exe-os");
-      const mdPath = path11.join(EXE_OS_DIR, taskFile);
-      const mdDir = path11.dirname(mdPath);
-      if (!existsSync10(mdDir)) await mkdir3(mdDir, { recursive: true });
+      const EXE_OS_DIR = path13.join(os10.homedir(), ".exe-os");
+      const mdPath = path13.join(EXE_OS_DIR, taskFile);
+      const mdDir = path13.dirname(mdPath);
+      if (!existsSync12(mdDir)) await mkdir3(mdDir, { recursive: true });
       const reviewer = input.reviewer ?? input.assignedBy;
       const mdContent = `# ${input.title}
 
+## MANDATORY: When done
+
+You MUST call update_task with status "done" and a result summary when finished.
+If you skip this, your reviewer will not know you're done and your work won't be reviewed.
+Do NOT let a failed commit or any error prevent you from calling update_task(done).
+
 **ID:** ${id}
 **Status:** ${initialStatus}
 **Priority:** ${input.priority}
@@ -3117,12 +4020,6 @@ ${laneWarning}` : laneWarning;
 ## Context
 
 ${input.context}
-
-## MANDATORY: When done
-
-You MUST call update_task with status "done" and a result summary when finished.
-If you skip this, your reviewer will not know you're done and your work won't be reviewed.
-Do NOT let a failed commit or any error prevent you from calling update_task(done).
 `;
       await writeFile3(mdPath, mdContent, "utf-8");
     } catch (err) {
@@ -3371,7 +4268,7 @@ ${input.result}` : `\u26A0\uFE0F ${warning}`;
     await client.execute("PRAGMA wal_checkpoint(PASSIVE)");
   } catch {
   }
-  if (input.status === "done" || input.status === "cancelled") {
+  if (input.status === "done" || input.status === "cancelled" || input.status === "closed") {
     try {
       const { clearQueueForAgent: clearQueueForAgent2 } = await Promise.resolve().then(() => (init_intercom_queue(), intercom_queue_exports));
       clearQueueForAgent2(String(row.assigned_to));
@@ -3400,9 +4297,9 @@ async function deleteTaskCore(taskId, _baseDir) {
   return { taskFile, assignedTo, assignedBy, taskSlug };
 }
 async function ensureArchitectureDoc(baseDir, projectName) {
-  const archPath = path11.join(baseDir, "exe", "ARCHITECTURE.md");
+  const archPath = path13.join(baseDir, "exe", "ARCHITECTURE.md");
   try {
-    if (existsSync10(archPath)) return;
+    if (existsSync12(archPath)) return;
     const template = [
       `# ${projectName} \u2014 System Architecture`,
       "",
@@ -3435,10 +4332,10 @@ async function ensureArchitectureDoc(baseDir, projectName) {
   }
 }
 async function ensureGitignoreExe(baseDir) {
-  const gitignorePath = path11.join(baseDir, ".gitignore");
+  const gitignorePath = path13.join(baseDir, ".gitignore");
   try {
-    if (existsSync10(gitignorePath)) {
-      const content = readFileSync10(gitignorePath, "utf-8");
+    if (existsSync12(gitignorePath)) {
+      const content = readFileSync11(gitignorePath, "utf-8");
       if (/^\/?exe\/?$/m.test(content)) return;
       await appendFile(gitignorePath, "\n# Employee task assignments (private)\n/exe/\n");
     } else {
@@ -3469,58 +4366,42 @@ var init_tasks_crud = __esm({
 });
 
 // src/lib/tasks-review.ts
-import path12 from "path";
-import { existsSync as existsSync11, readdirSync as readdirSync2, unlinkSync as unlinkSync4 } from "fs";
+import path14 from "path";
+import { existsSync as existsSync13, readdirSync as readdirSync2, unlinkSync as unlinkSync4 } from "fs";
 async function countPendingReviews(sessionScope) {
   const client = getClient();
-  if (sessionScope) {
-    const result2 = await client.execute({
-      sql: "SELECT COUNT(*) as cnt FROM tasks WHERE status = 'needs_review' AND (session_scope = ? OR session_scope IS NULL)",
-      args: [sessionScope]
-    });
-    return Number(result2.rows[0]?.cnt) || 0;
-  }
+  const scope = strictSessionScopeFilter(
+    sessionScope === void 0 ? getCurrentSessionScope() : sessionScope
+  );
   const result = await client.execute({
-    sql: "SELECT COUNT(*) as cnt FROM tasks WHERE status = 'needs_review'",
-    args: []
+    sql: `SELECT COUNT(*) as cnt FROM tasks
+          WHERE status = 'needs_review'${scope.sql}`,
+    args: [...scope.args]
   });
   return Number(result.rows[0]?.cnt) || 0;
 }
 async function countNewPendingReviewsSince(sinceIso, sessionScope) {
   const client = getClient();
-  if (sessionScope) {
-    const result2 = await client.execute({
-      sql: `SELECT COUNT(*) as cnt FROM tasks
-            WHERE status = 'needs_review' AND updated_at > ?
-              AND session_scope = ?`,
-      args: [sinceIso, sessionScope]
-    });
-    return Number(result2.rows[0]?.cnt) || 0;
-  }
+  const scope = strictSessionScopeFilter(
+    sessionScope === void 0 ? getCurrentSessionScope() : sessionScope
+  );
   const result = await client.execute({
     sql: `SELECT COUNT(*) as cnt FROM tasks
-          WHERE status = 'needs_review' AND updated_at > ?`,
-    args: [sinceIso]
+          WHERE status = 'needs_review' AND updated_at > ?${scope.sql}`,
+    args: [sinceIso, ...scope.args]
   });
   return Number(result.rows[0]?.cnt) || 0;
 }
 async function listPendingReviews(limit, sessionScope) {
   const client = getClient();
-  if (sessionScope) {
-    const result2 = await client.execute({
-      sql: `SELECT title, assigned_to, project_name, updated_at FROM tasks
-            WHERE status = 'needs_review'
-              AND session_scope = ?
-            ORDER BY updated_at ASC LIMIT ?`,
-      args: [sessionScope, limit]
-    });
-    return result2.rows;
-  }
+  const scope = strictSessionScopeFilter(
+    sessionScope === void 0 ? getCurrentSessionScope() : sessionScope
+  );
   const result = await client.execute({
     sql: `SELECT title, assigned_to, project_name, updated_at FROM tasks
-          WHERE status = 'needs_review'
+          WHERE status = 'needs_review'${scope.sql}
           ORDER BY updated_at ASC LIMIT ?`,
-    args: [limit]
+    args: [...scope.args, limit]
   });
   return result.rows;
 }
@@ -3532,7 +4413,7 @@ async function cleanupOrphanedReviews() {
           WHERE status IN ('open', 'needs_review', 'in_progress')
           AND assigned_by = 'system'
           AND title LIKE 'Review:%'
-          AND parent_task_id IN (SELECT id FROM tasks WHERE status IN ('done', 'cancelled'))`,
+          AND parent_task_id IN (SELECT id FROM tasks WHERE status IN ('done', 'cancelled', 'closed'))`,
     args: [now]
   });
   const r1b = await client.execute({
@@ -3651,11 +4532,11 @@ async function cleanupReviewFile(row, taskFile, _baseDir) {
     );
   }
   try {
-    const cacheDir = path12.join(EXE_AI_DIR, "session-cache");
-    if (existsSync11(cacheDir)) {
+    const cacheDir = path14.join(EXE_AI_DIR, "session-cache");
+    if (existsSync13(cacheDir)) {
       for (const f of readdirSync2(cacheDir)) {
         if (f.startsWith("review-notified-")) {
-          unlinkSync4(path12.join(cacheDir, f));
+          unlinkSync4(path14.join(cacheDir, f));
         }
       }
     }
@@ -3672,11 +4553,12 @@ var init_tasks_review = __esm({
     init_tmux_routing();
     init_session_key();
     init_state_bus();
+    init_task_scope();
   }
 });
 
 // src/lib/tasks-chain.ts
-import path13 from "path";
+import path15 from "path";
 import { readFile as readFile3, writeFile as writeFile4 } from "fs/promises";
 async function cascadeUnblock(taskId, baseDir, now) {
   const client = getClient();
@@ -3693,7 +4575,7 @@ async function cascadeUnblock(taskId, baseDir, now) {
     });
     for (const ur of unblockedRows.rows) {
       try {
-        const ubFile = path13.join(baseDir, String(ur.task_file));
+        const ubFile = path15.join(baseDir, String(ur.task_file));
         let ubContent = await readFile3(ubFile, "utf-8");
         ubContent = ubContent.replace(/\*\*Status:\*\* blocked/, "**Status:** open");
         ubContent = ubContent.replace(/\n\*\*Blocked by:\*\*.*\n/, "\n");
@@ -3728,7 +4610,7 @@ async function checkSubtaskCompletion(parentTaskId, projectName) {
   const scScope = sessionScopeFilter();
   const remaining = await client.execute({
     sql: `SELECT COUNT(*) as cnt FROM tasks
-          WHERE parent_task_id = ? AND status NOT IN ('done', 'cancelled')${scScope.sql}`,
+          WHERE parent_task_id = ? AND status NOT IN ('done', 'cancelled', 'closed')${scScope.sql}`,
     args: [parentTaskId, ...scScope.args]
   });
   const cnt = Number(remaining.rows[0]?.cnt ?? 1);
@@ -3762,7 +4644,7 @@ var init_tasks_chain = __esm({
 
 // src/lib/project-name.ts
 import { execSync as execSync6 } from "child_process";
-import path14 from "path";
+import path16 from "path";
 function getProjectName(cwd) {
   const dir = cwd ?? process.cwd();
   if (_cached2 && _cachedCwd === dir) return _cached2;
@@ -3775,7 +4657,7 @@ function getProjectName(cwd) {
         timeout: 2e3,
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
-      repoRoot = path14.dirname(gitCommonDir);
+      repoRoot = path16.dirname(gitCommonDir);
     } catch {
       repoRoot = execSync6("git rev-parse --show-toplevel", {
         cwd: dir,
@@ -3784,11 +4666,11 @@ function getProjectName(cwd) {
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
     }
-    _cached2 = path14.basename(repoRoot);
+    _cached2 = path16.basename(repoRoot);
     _cachedCwd = dir;
     return _cached2;
   } catch {
-    _cached2 = path14.basename(dir);
+    _cached2 = path16.basename(dir);
     _cachedCwd = dir;
     return _cached2;
   }
@@ -3938,10 +4820,10 @@ __export(behaviors_exports, {
   listBehaviorsByDomain: () => listBehaviorsByDomain,
   storeBehavior: () => storeBehavior
 });
-import crypto4 from "crypto";
+import crypto5 from "crypto";
 async function storeBehavior(opts) {
   const client = getClient();
-  const id = crypto4.randomUUID();
+  const id = crypto5.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   await client.execute({
     sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, priority, content, active, created_at, updated_at)
@@ -4025,7 +4907,7 @@ __export(skill_learning_exports, {
   storeTrajectory: () => storeTrajectory,
   sweepTrajectories: () => sweepTrajectories
 });
-import crypto5 from "crypto";
+import crypto6 from "crypto";
 async function extractTrajectory(taskId, agentId) {
   const client = getClient();
   const result = await client.execute({
@@ -4054,11 +4936,11 @@ async function extractTrajectory(taskId, agentId) {
   return signature;
 }
 function hashSignature(signature) {
-  return crypto5.createHash("sha256").update(signature.join("|")).digest("hex").slice(0, 16);
+  return crypto6.createHash("sha256").update(signature.join("|")).digest("hex").slice(0, 16);
 }
 async function storeTrajectory(opts) {
   const client = getClient();
-  const id = crypto5.randomUUID();
+  const id = crypto6.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const signatureHash = hashSignature(opts.signature);
   await client.execute({
@@ -4323,8 +5205,8 @@ __export(tasks_exports, {
   updateTaskStatus: () => updateTaskStatus,
   writeCheckpoint: () => writeCheckpoint
 });
-import path15 from "path";
-import { writeFileSync as writeFileSync6, mkdirSync as mkdirSync5, unlinkSync as unlinkSync5 } from "fs";
+import path17 from "path";
+import { writeFileSync as writeFileSync7, mkdirSync as mkdirSync5, unlinkSync as unlinkSync5 } from "fs";
 async function createTask(input) {
   const result = await createTaskCore(input);
   if (!input.skipDispatch && result.status !== "blocked" && !process.env.VITEST) {
@@ -4343,12 +5225,12 @@ async function updateTask(input) {
   const { row, taskFile, now, taskId } = await updateTaskStatus(input);
   try {
     const agent = String(row.assigned_to);
-    const cacheDir = path15.join(EXE_AI_DIR, "session-cache");
-    const cachePath = path15.join(cacheDir, `current-task-${agent}.json`);
+    const cacheDir = path17.join(EXE_AI_DIR, "session-cache");
+    const cachePath = path17.join(cacheDir, `current-task-${agent}.json`);
     if (input.status === "in_progress") {
       mkdirSync5(cacheDir, { recursive: true });
-      writeFileSync6(cachePath, JSON.stringify({ taskId, title: String(row.title) }));
-    } else if (input.status === "done" || input.status === "blocked" || input.status === "cancelled") {
+      writeFileSync7(cachePath, JSON.stringify({ taskId, title: String(row.title) }));
+    } else if (input.status === "done" || input.status === "blocked" || input.status === "cancelled" || input.status === "closed") {
       try {
         unlinkSync5(cachePath);
       } catch {
@@ -4356,10 +5238,10 @@ async function updateTask(input) {
     }
   } catch {
   }
-  if (input.status === "done") {
+  if (input.status === "done" || input.status === "closed") {
     await cleanupReviewFile(row, taskFile, input.baseDir);
   }
-  if (input.status === "done" || input.status === "cancelled") {
+  if (input.status === "done" || input.status === "cancelled" || input.status === "closed") {
     try {
       const client = getClient();
       const taskTitle = String(row.title);
@@ -4375,7 +5257,7 @@ async function updateTask(input) {
     if (!isCoordinatorName(assignedAgent)) {
       try {
         const draftClient = getClient();
-        if (input.status === "done") {
+        if (input.status === "done" || input.status === "closed") {
           await draftClient.execute({
             sql: `UPDATE memories SET draft = 0 WHERE agent_id = ? AND draft = 1`,
             args: [assignedAgent]
@@ -4392,7 +5274,7 @@ async function updateTask(input) {
     try {
       const client = getClient();
       const cascaded = await client.execute({
-        sql: `UPDATE tasks SET status = 'done', updated_at = ?
+        sql: `UPDATE tasks SET status = 'closed', updated_at = ?
               WHERE parent_task_id = ? AND status = 'needs_review'`,
         args: [now, taskId]
       });
@@ -4405,14 +5287,14 @@ async function updateTask(input) {
     } catch {
     }
   }
-  const isTerminal = input.status === "done" || input.status === "needs_review";
+  const isTerminal = input.status === "done" || input.status === "needs_review" || input.status === "closed";
   if (isTerminal) {
     const isCoordinator = isCoordinatorName(String(row.assigned_to));
     if (!isCoordinator) {
       notifyTaskDone();
     }
     await markTaskNotificationsRead(taskFile);
-    if (input.status === "done") {
+    if (input.status === "done" || input.status === "closed") {
       try {
         await cascadeUnblock(taskId, input.baseDir, now);
       } catch {
@@ -4432,7 +5314,7 @@ async function updateTask(input) {
       }
     }
   }
-  if (input.status === "done" && !isCoordinatorName(String(row.assigned_to)) && !process.env.VITEST) {
+  if ((input.status === "done" || input.status === "closed") && !isCoordinatorName(String(row.assigned_to)) && !process.env.VITEST) {
     Promise.resolve().then(() => (init_skill_learning(), skill_learning_exports)).then(
       ({ captureAndLearn: captureAndLearn2 }) => captureAndLearn2({
         taskId,
@@ -4804,6 +5686,7 @@ __export(tmux_routing_exports, {
   isEmployeeAlive: () => isEmployeeAlive,
   isExeSession: () => isExeSession,
   isSessionBusy: () => isSessionBusy,
+  notifyCoordinatorTaskCompletion: () => notifyCoordinatorTaskCompletion,
   notifyParentExe: () => notifyParentExe,
   parseParentExe: () => parseParentExe,
   registerParentExe: () => registerParentExe,
@@ -4814,13 +5697,13 @@ __export(tmux_routing_exports, {
   verifyPaneAtCapacity: () => verifyPaneAtCapacity
 });
 import { execFileSync as execFileSync2, execSync as execSync7 } from "child_process";
-import { readFileSync as readFileSync11, writeFileSync as writeFileSync7, mkdirSync as mkdirSync6, existsSync as existsSync12, appendFileSync, readdirSync as readdirSync3 } from "fs";
-import path16 from "path";
-import os9 from "os";
+import { readFileSync as readFileSync12, writeFileSync as writeFileSync8, mkdirSync as mkdirSync6, existsSync as existsSync14, appendFileSync, readdirSync as readdirSync3 } from "fs";
+import path18 from "path";
+import os11 from "os";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { unlinkSync as unlinkSync6 } from "fs";
 function spawnLockPath(sessionName) {
-  return path16.join(SPAWN_LOCK_DIR, `${sessionName}.lock`);
+  return path18.join(SPAWN_LOCK_DIR, `${sessionName}.lock`);
 }
 function isProcessAlive(pid) {
   try {
@@ -4831,13 +5714,13 @@ function isProcessAlive(pid) {
   }
 }
 function acquireSpawnLock2(sessionName) {
-  if (!existsSync12(SPAWN_LOCK_DIR)) {
+  if (!existsSync14(SPAWN_LOCK_DIR)) {
     mkdirSync6(SPAWN_LOCK_DIR, { recursive: true });
   }
   const lockFile = spawnLockPath(sessionName);
-  if (existsSync12(lockFile)) {
+  if (existsSync14(lockFile)) {
     try {
-      const lock = JSON.parse(readFileSync11(lockFile, "utf8"));
+      const lock = JSON.parse(readFileSync12(lockFile, "utf8"));
       const age = Date.now() - lock.timestamp;
       if (isProcessAlive(lock.pid) && age < 6e4) {
         return false;
@@ -4845,7 +5728,7 @@ function acquireSpawnLock2(sessionName) {
     } catch {
     }
   }
-  writeFileSync7(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
+  writeFileSync8(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
   return true;
 }
 function releaseSpawnLock2(sessionName) {
@@ -4857,13 +5740,13 @@ function releaseSpawnLock2(sessionName) {
 function resolveBehaviorsExporterScript() {
   try {
     const thisFile = fileURLToPath2(import.meta.url);
-    const scriptPath = path16.join(
-      path16.dirname(thisFile),
+    const scriptPath = path18.join(
+      path18.dirname(thisFile),
       "..",
       "bin",
       "exe-export-behaviors.js"
     );
-    return existsSync12(scriptPath) ? scriptPath : null;
+    return existsSync14(scriptPath) ? scriptPath : null;
   } catch {
     return null;
   }
@@ -4929,12 +5812,12 @@ function extractRootExe(name) {
   return parts.length > 0 ? parts[parts.length - 1] : null;
 }
 function registerParentExe(sessionKey, parentExe, dispatchedBy) {
-  if (!existsSync12(SESSION_CACHE)) {
+  if (!existsSync14(SESSION_CACHE)) {
     mkdirSync6(SESSION_CACHE, { recursive: true });
   }
   const rootExe = extractRootExe(parentExe) ?? parentExe;
-  const filePath = path16.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`);
-  writeFileSync7(filePath, JSON.stringify({
+  const filePath = path18.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`);
+  writeFileSync8(filePath, JSON.stringify({
     parentExe: rootExe,
     dispatchedBy: dispatchedBy || rootExe,
     registeredAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -4942,7 +5825,7 @@ function registerParentExe(sessionKey, parentExe, dispatchedBy) {
 }
 function getParentExe(sessionKey) {
   try {
-    const data = JSON.parse(readFileSync11(path16.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
+    const data = JSON.parse(readFileSync12(path18.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
     return data.parentExe || null;
   } catch {
     return null;
@@ -4950,8 +5833,8 @@ function getParentExe(sessionKey) {
 }
 function getDispatchedBy(sessionKey) {
   try {
-    const data = JSON.parse(readFileSync11(
-      path16.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`),
+    const data = JSON.parse(readFileSync12(
+      path18.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`),
       "utf8"
     ));
     return data.dispatchedBy ?? data.parentExe ?? null;
@@ -5021,8 +5904,8 @@ async function verifyPaneAtCapacity(sessionName) {
 }
 function readDebounceState() {
   try {
-    if (!existsSync12(DEBOUNCE_FILE)) return {};
-    const raw = JSON.parse(readFileSync11(DEBOUNCE_FILE, "utf8"));
+    if (!existsSync14(DEBOUNCE_FILE)) return {};
+    const raw = JSON.parse(readFileSync12(DEBOUNCE_FILE, "utf8"));
     const state = {};
     for (const [key, val] of Object.entries(raw)) {
       if (typeof val === "number") {
@@ -5038,8 +5921,8 @@ function readDebounceState() {
 }
 function writeDebounceState(state) {
   try {
-    if (!existsSync12(SESSION_CACHE)) mkdirSync6(SESSION_CACHE, { recursive: true });
-    writeFileSync7(DEBOUNCE_FILE, JSON.stringify(state));
+    if (!existsSync14(SESSION_CACHE)) mkdirSync6(SESSION_CACHE, { recursive: true });
+    writeFileSync8(DEBOUNCE_FILE, JSON.stringify(state));
   } catch {
   }
 }
@@ -5137,8 +6020,8 @@ function sendIntercom(targetSession) {
     try {
       const rawAgent = targetSession.split("-")[0] ?? targetSession;
       const agent = baseAgentName(rawAgent);
-      const markerPath = path16.join(SESSION_CACHE, `current-task-${agent}.json`);
-      if (existsSync12(markerPath)) {
+      const markerPath = path18.join(SESSION_CACHE, `current-task-${agent}.json`);
+      if (existsSync14(markerPath)) {
         logIntercom(`SKIP \u2192 ${targetSession} (has in_progress task marker \u2014 will auto-chain)`);
         return "debounced";
       }
@@ -5147,8 +6030,8 @@ function sendIntercom(targetSession) {
     try {
       const rawAgent = targetSession.split("-")[0] ?? targetSession;
       const agent = baseAgentName(rawAgent);
-      const taskDir = path16.join(process.cwd(), "exe", agent);
-      if (existsSync12(taskDir)) {
+      const taskDir = path18.join(process.cwd(), "exe", agent);
+      if (existsSync14(taskDir)) {
         const files = readdirSync3(taskDir).filter(
           (f) => f.endsWith(".md") && f !== "DONE.txt"
         );
@@ -5208,6 +6091,21 @@ function notifyParentExe(sessionKey) {
   }
   return true;
 }
+function notifyCoordinatorTaskCompletion(coordinatorSession, agentName, taskTitle) {
+  const transport = getTransport();
+  try {
+    const sessions = transport.listSessions();
+    if (!sessions.includes(coordinatorSession)) return false;
+    execSync7(
+      `tmux send-keys -t ${JSON.stringify(coordinatorSession)} '/exe-intercom' Enter`,
+      { timeout: 3e3 }
+    );
+    logIntercom(`COMPLETION \u2192 ${coordinatorSession} (${agentName} completed "${taskTitle.slice(0, 50)}")`);
+    return true;
+  } catch {
+    return false;
+  }
+}
 function ensureEmployee(employeeName, exeSession, projectDir, opts) {
   if (isCoordinatorName(employeeName)) {
     return { status: "failed", sessionName: "", error: "The COO is not a dispatchable employee" };
@@ -5281,26 +6179,26 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   const transport = getTransport();
   const sessionName = employeeSessionName(employeeName, exeSession, opts?.instance);
   const instanceLabel = opts?.instance != null && opts.instance > 0 ? `${employeeName}${opts.instance}` : employeeName;
-  const logDir = path16.join(os9.homedir(), ".exe-os", "session-logs");
-  const logFile = path16.join(logDir, `${instanceLabel}-${Date.now()}.log`);
-  if (!existsSync12(logDir)) {
+  const logDir = path18.join(os11.homedir(), ".exe-os", "session-logs");
+  const logFile = path18.join(logDir, `${instanceLabel}-${Date.now()}.log`);
+  if (!existsSync14(logDir)) {
     mkdirSync6(logDir, { recursive: true });
   }
   transport.kill(sessionName);
   let cleanupSuffix = "";
   try {
     const thisFile = fileURLToPath2(import.meta.url);
-    const cleanupScript = path16.join(path16.dirname(thisFile), "..", "bin", "exe-session-cleanup.js");
-    if (existsSync12(cleanupScript)) {
+    const cleanupScript = path18.join(path18.dirname(thisFile), "..", "bin", "exe-session-cleanup.js");
+    if (existsSync14(cleanupScript)) {
       cleanupSuffix = `; ${process.execPath} "${cleanupScript}" "${employeeName}" "${exeSession}"`;
     }
   } catch {
   }
   try {
-    const claudeJsonPath = path16.join(os9.homedir(), ".claude.json");
+    const claudeJsonPath = path18.join(os11.homedir(), ".claude.json");
     let claudeJson = {};
     try {
-      claudeJson = JSON.parse(readFileSync11(claudeJsonPath, "utf8"));
+      claudeJson = JSON.parse(readFileSync12(claudeJsonPath, "utf8"));
     } catch {
     }
     if (!claudeJson.projects) claudeJson.projects = {};
@@ -5308,17 +6206,17 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     const trustDir = opts?.cwd ?? projectDir;
     if (!projects[trustDir]) projects[trustDir] = {};
     projects[trustDir].hasTrustDialogAccepted = true;
-    writeFileSync7(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+    writeFileSync8(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
   } catch {
   }
   try {
-    const settingsDir = path16.join(os9.homedir(), ".claude", "projects");
+    const settingsDir = path18.join(os11.homedir(), ".claude", "projects");
     const normalizedKey = (opts?.cwd ?? projectDir).replace(/\//g, "-").replace(/^-/, "");
-    const projSettingsDir = path16.join(settingsDir, normalizedKey);
-    const settingsPath = path16.join(projSettingsDir, "settings.json");
+    const projSettingsDir = path18.join(settingsDir, normalizedKey);
+    const settingsPath = path18.join(projSettingsDir, "settings.json");
     let settings = {};
     try {
-      settings = JSON.parse(readFileSync11(settingsPath, "utf8"));
+      settings = JSON.parse(readFileSync12(settingsPath, "utf8"));
     } catch {
     }
     const perms = settings.permissions ?? {};
@@ -5347,7 +6245,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
       perms.allow = allow;
       settings.permissions = perms;
       mkdirSync6(projSettingsDir, { recursive: true });
-      writeFileSync7(settingsPath, JSON.stringify(settings, null, 2) + "\n");
+      writeFileSync8(settingsPath, JSON.stringify(settings, null, 2) + "\n");
     }
   } catch {
   }
@@ -5362,8 +6260,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   let behaviorsFlag = "";
   let legacyFallbackWarned = false;
   if (!useExeAgent && !useBinSymlink) {
-    const identityPath = path16.join(
-      os9.homedir(),
+    const identityPath = path18.join(
+      os11.homedir(),
       ".exe-os",
       "identity",
       `${employeeName}.md`
@@ -5372,13 +6270,13 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     const hasAgentFlag = claudeSupportsAgentFlag();
     if (hasAgentFlag) {
       identityFlag = ` --agent ${employeeName}`;
-    } else if (existsSync12(identityPath)) {
+    } else if (existsSync14(identityPath)) {
       identityFlag = ` --append-system-prompt-file ${identityPath}`;
       legacyFallbackWarned = true;
     }
     const behaviorsFile = exportBehaviorsSync(
       employeeName,
-      path16.basename(spawnCwd),
+      path18.basename(spawnCwd),
       sessionName
     );
     if (behaviorsFile) {
@@ -5393,16 +6291,16 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   let sessionContextFlag = "";
   try {
-    const ctxDir = path16.join(os9.homedir(), ".exe-os", "session-cache");
+    const ctxDir = path18.join(os11.homedir(), ".exe-os", "session-cache");
     mkdirSync6(ctxDir, { recursive: true });
-    const ctxFile = path16.join(ctxDir, `session-context-${sessionName}.md`);
+    const ctxFile = path18.join(ctxDir, `session-context-${sessionName}.md`);
     const ctxContent = [
       `## Session Context`,
       `You are running in tmux session: ${sessionName}.`,
       `Your parent coordinator session is ${exeSession}.`,
       `Your employees (if any) use the -${exeSession} suffix.`
     ].join("\n");
-    writeFileSync7(ctxFile, ctxContent);
+    writeFileSync8(ctxFile, ctxContent);
     sessionContextFlag = ` --append-system-prompt-file ${ctxFile}`;
   } catch {
   }
@@ -5479,8 +6377,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   transport.pipeLog(sessionName, logFile);
   try {
     const mySession = getMySession();
-    const dispatchInfo = path16.join(SESSION_CACHE, `dispatch-info-${sessionName}.json`);
-    writeFileSync7(dispatchInfo, JSON.stringify({
+    const dispatchInfo = path18.join(SESSION_CACHE, `dispatch-info-${sessionName}.json`);
+    writeFileSync8(dispatchInfo, JSON.stringify({
       dispatchedBy: mySession,
       rootExe: exeSession,
       provider: useBinSymlink ? ccProvider : useExeAgent ? opts.provider : useCodex ? "openai" : useOpencode ? "opencode" : "anthropic",
@@ -5554,15 +6452,15 @@ var init_tmux_routing = __esm({
     init_intercom_queue();
     init_plan_limits();
     init_employees();
-    SPAWN_LOCK_DIR = path16.join(os9.homedir(), ".exe-os", "spawn-locks");
-    SESSION_CACHE = path16.join(os9.homedir(), ".exe-os", "session-cache");
+    SPAWN_LOCK_DIR = path18.join(os11.homedir(), ".exe-os", "spawn-locks");
+    SESSION_CACHE = path18.join(os11.homedir(), ".exe-os", "session-cache");
     BEHAVIORS_EXPORT_TIMEOUT_MS = 1e4;
     VALID_SESSION_NAME = /^[a-z]+\d*-[a-zA-Z0-9_]+$/;
     VERIFY_PANE_LINES = 200;
     INTERCOM_DEBOUNCE_MS = 3e4;
     CODEX_DEBOUNCE_MS = 12e4;
-    INTERCOM_LOG2 = path16.join(os9.homedir(), ".exe-os", "intercom.log");
-    DEBOUNCE_FILE = path16.join(SESSION_CACHE, "intercom-debounce.json");
+    INTERCOM_LOG2 = path18.join(os11.homedir(), ".exe-os", "intercom.log");
+    DEBOUNCE_FILE = path18.join(SESSION_CACHE, "intercom-debounce.json");
     DEBOUNCE_CLEANUP_AGE_MS = 5 * 60 * 1e3;
     BUSY_PATTERN = /[✻✽✶✳·].*…|Running…|• Working|• Ran |• Explored|• Called|esc to interrupt/;
   }
@@ -5579,14 +6477,14 @@ var init_memory = __esm({
 
 // src/lib/keychain.ts
 import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync13 } from "fs";
-import path17 from "path";
-import os10 from "os";
+import { existsSync as existsSync15 } from "fs";
+import path19 from "path";
+import os12 from "os";
 function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path17.join(os10.homedir(), ".exe-os");
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path19.join(os12.homedir(), ".exe-os");
 }
 function getKeyPath() {
-  return path17.join(getKeyDir(), "master.key");
+  return path19.join(getKeyDir(), "master.key");
 }
 async function tryKeytar() {
   try {
@@ -5607,9 +6505,9 @@ async function getMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (!existsSync13(keyPath)) {
+  if (!existsSync15(keyPath)) {
     process.stderr.write(
-      `[keychain] Key not found at ${keyPath} (HOME=${os10.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
+      `[keychain] Key not found at ${keyPath} (HOME=${os12.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
 `
     );
     return null;
@@ -5639,6 +6537,7 @@ var shard_manager_exports = {};
 __export(shard_manager_exports, {
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
+  getOpenShardCount: () => getOpenShardCount,
   getReadyShardClient: () => getReadyShardClient,
   getShardClient: () => getShardClient,
   getShardsDir: () => getShardsDir,
@@ -5647,15 +6546,18 @@ __export(shard_manager_exports, {
   listShards: () => listShards,
   shardExists: () => shardExists
 });
-import path18 from "path";
-import { existsSync as existsSync14, mkdirSync as mkdirSync7, readdirSync as readdirSync4 } from "fs";
+import path20 from "path";
+import { existsSync as existsSync16, mkdirSync as mkdirSync7, readdirSync as readdirSync4 } from "fs";
 import { createClient as createClient2 } from "@libsql/client";
 function initShardManager(encryptionKey) {
   _encryptionKey = encryptionKey;
-  if (!existsSync14(SHARDS_DIR)) {
+  if (!existsSync16(SHARDS_DIR)) {
     mkdirSync7(SHARDS_DIR, { recursive: true });
   }
   _shardingEnabled = true;
+  if (_evictionTimer) clearInterval(_evictionTimer);
+  _evictionTimer = setInterval(evictIdleShards, EVICTION_INTERVAL_MS);
+  _evictionTimer.unref();
 }
 function isShardingEnabled() {
   return _shardingEnabled;
@@ -5672,21 +6574,28 @@ function getShardClient(projectName) {
     throw new Error(`Invalid project name for shard: "${projectName}"`);
   }
   const cached = _shards.get(safeName);
-  if (cached) return cached;
-  const dbPath = path18.join(SHARDS_DIR, `${safeName}.db`);
+  if (cached) {
+    _shardLastAccess.set(safeName, Date.now());
+    return cached;
+  }
+  while (_shards.size >= MAX_OPEN_SHARDS) {
+    evictLRU();
+  }
+  const dbPath = path20.join(SHARDS_DIR, `${safeName}.db`);
   const client = createClient2({
     url: `file:${dbPath}`,
     encryptionKey: _encryptionKey
   });
   _shards.set(safeName, client);
+  _shardLastAccess.set(safeName, Date.now());
   return client;
 }
 function shardExists(projectName) {
   const safeName = projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
-  return existsSync14(path18.join(SHARDS_DIR, `${safeName}.db`));
+  return existsSync16(path20.join(SHARDS_DIR, `${safeName}.db`));
 }
 function listShards() {
-  if (!existsSync14(SHARDS_DIR)) return [];
+  if (!existsSync16(SHARDS_DIR)) return [];
   return readdirSync4(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
 async function ensureShardSchema(client) {
@@ -5738,6 +6647,8 @@ async function ensureShardSchema(client) {
   for (const col of [
     "ALTER TABLE memories ADD COLUMN task_id TEXT",
     "ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN author_device_id TEXT",
+    "ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'",
     "ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5",
     "ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'",
     "ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0",
@@ -5760,7 +6671,23 @@ async function ensureShardSchema(client) {
     // MS-11: draft staging, MS-6a: memory_type, MS-7: trajectory
     "ALTER TABLE memories ADD COLUMN draft INTEGER DEFAULT 0",
     "ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'",
-    "ALTER TABLE memories ADD COLUMN trajectory TEXT"
+    "ALTER TABLE memories ADD COLUMN trajectory TEXT",
+    // Metadata enrichment columns (must match database.ts)
+    "ALTER TABLE memories ADD COLUMN intent TEXT",
+    "ALTER TABLE memories ADD COLUMN outcome TEXT",
+    "ALTER TABLE memories ADD COLUMN domain TEXT",
+    "ALTER TABLE memories ADD COLUMN referenced_entities TEXT",
+    "ALTER TABLE memories ADD COLUMN retrieval_count INTEGER DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN chain_position TEXT",
+    "ALTER TABLE memories ADD COLUMN review_status TEXT",
+    "ALTER TABLE memories ADD COLUMN context_window_pct INTEGER",
+    "ALTER TABLE memories ADD COLUMN file_paths TEXT",
+    "ALTER TABLE memories ADD COLUMN commit_hash TEXT",
+    "ALTER TABLE memories ADD COLUMN duration_ms INTEGER",
+    "ALTER TABLE memories ADD COLUMN token_cost REAL",
+    "ALTER TABLE memories ADD COLUMN audience TEXT",
+    "ALTER TABLE memories ADD COLUMN language_type TEXT",
+    "ALTER TABLE memories ADD COLUMN parent_memory_id TEXT"
   ]) {
     try {
       await client.execute(col);
@@ -5859,21 +6786,69 @@ async function getReadyShardClient(projectName) {
   await ensureShardSchema(client);
   return client;
 }
+function evictLRU() {
+  let oldest = null;
+  let oldestTime = Infinity;
+  for (const [name, time] of _shardLastAccess) {
+    if (time < oldestTime) {
+      oldestTime = time;
+      oldest = name;
+    }
+  }
+  if (oldest) {
+    const client = _shards.get(oldest);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(oldest);
+    _shardLastAccess.delete(oldest);
+  }
+}
+function evictIdleShards() {
+  const now = Date.now();
+  const toEvict = [];
+  for (const [name, lastAccess] of _shardLastAccess) {
+    if (now - lastAccess > SHARD_IDLE_MS) {
+      toEvict.push(name);
+    }
+  }
+  for (const name of toEvict) {
+    const client = _shards.get(name);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(name);
+    _shardLastAccess.delete(name);
+  }
+}
+function getOpenShardCount() {
+  return _shards.size;
+}
 function disposeShards() {
+  if (_evictionTimer) {
+    clearInterval(_evictionTimer);
+    _evictionTimer = null;
+  }
   for (const [, client] of _shards) {
     client.close();
   }
   _shards.clear();
+  _shardLastAccess.clear();
   _shardingEnabled = false;
   _encryptionKey = null;
 }
-var SHARDS_DIR, _shards, _encryptionKey, _shardingEnabled;
+var SHARDS_DIR, SHARD_IDLE_MS, MAX_OPEN_SHARDS, EVICTION_INTERVAL_MS, _shards, _shardLastAccess, _evictionTimer, _encryptionKey, _shardingEnabled;
 var init_shard_manager = __esm({
   "src/lib/shard-manager.ts"() {
     "use strict";
     init_config();
-    SHARDS_DIR = path18.join(EXE_AI_DIR, "shards");
+    SHARDS_DIR = path20.join(EXE_AI_DIR, "shards");
+    SHARD_IDLE_MS = 5 * 60 * 1e3;
+    MAX_OPEN_SHARDS = 10;
+    EVICTION_INTERVAL_MS = 60 * 1e3;
     _shards = /* @__PURE__ */ new Map();
+    _shardLastAccess = /* @__PURE__ */ new Map();
+    _evictionTimer = null;
     _encryptionKey = null;
     _shardingEnabled = false;
   }
@@ -6669,8 +7644,8 @@ function findContainingChunk(filePath, snippet) {
   try {
     const ext = filePath.split(".").pop()?.toLowerCase();
     if (ext !== "ts" && ext !== "tsx" && ext !== "js" && ext !== "jsx") return "";
-    const { readFileSync: readFileSync14 } = __require("fs");
-    const source = readFileSync14(filePath, "utf8");
+    const { readFileSync: readFileSync15 } = __require("fs");
+    const source = readFileSync15(filePath, "utf8");
     const lines = source.split("\n");
     const lowerSnippet = snippet.toLowerCase().slice(0, 80);
     let matchLine = -1;
@@ -6736,9 +7711,9 @@ function extractBash(input, response) {
 }
 function extractGrep(input, response) {
   const pattern = String(input.pattern ?? "");
-  const path21 = input.path ? String(input.path) : "";
+  const path23 = input.path ? String(input.path) : "";
   const output = String(response.text ?? response.content ?? JSON.stringify(response).slice(0, MAX_OUTPUT));
-  return `Searched for "${pattern}"${path21 ? ` in ${path21}` : ""}
+  return `Searched for "${pattern}"${path23 ? ` in ${path23}` : ""}
 ${output.slice(0, MAX_OUTPUT)}`;
 }
 function extractGlob(input, response) {
@@ -6841,7 +7816,7 @@ __export(error_detector_exports, {
   errorFingerprint: () => errorFingerprint,
   isExeOsError: () => isExeOsError
 });
-import crypto6 from "crypto";
+import crypto7 from "crypto";
 function isRealStderr(stderr) {
   const lines = stderr.trim().split("\n");
   const meaningful = lines.filter(
@@ -6912,7 +7887,7 @@ function classifyError(errorText) {
 }
 function errorFingerprint(toolName, errorText) {
   const normalized = errorText.replace(/\d{4}-\d{2}-\d{2}T[\d:.]+Z/g, "TIMESTAMP").replace(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi, "UUID").replace(/\/Users\/[^\s]+/g, "PATH").replace(/:\d+:\d+/g, ":LINE:COL").slice(0, 200);
-  return crypto6.createHash("sha256").update(`${toolName}:${normalized}`).digest("hex").slice(0, 16);
+  return crypto7.createHash("sha256").update(`${toolName}:${normalized}`).digest("hex").slice(0, 16);
 }
 var ERROR_PATTERNS, FILE_CONTENT_TOOLS, STDERR_IGNORE_PATTERNS, USER_ERROR_PATTERNS, SYSTEM_BUG_PATTERNS;
 var init_error_detector = __esm({
@@ -7276,10 +8251,10 @@ async function disposeEmbedder() {
 async function embedDirect(text) {
   const llamaCpp = await import("node-llama-cpp");
   const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-  const { existsSync: existsSync16 } = await import("fs");
-  const path21 = await import("path");
-  const modelPath = path21.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
-  if (!existsSync16(modelPath)) {
+  const { existsSync: existsSync18 } = await import("fs");
+  const path23 = await import("path");
+  const modelPath = path23.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
+  if (!existsSync18(modelPath)) {
     throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
   }
   const llama = await llamaCpp.getLlama();
@@ -7316,8 +8291,8 @@ __export(wiki_client_exports, {
   listDocuments: () => listDocuments,
   listWorkspaces: () => listWorkspaces
 });
-async function wikiFetch(config2, path21, method = "GET", body) {
-  const url = `${config2.baseUrl}/api/v1${path21}`;
+async function wikiFetch(config2, path23, method = "GET", body) {
+  const url = `${config2.baseUrl}/api/v1${path23}`;
   const headers = {
     Authorization: `Bearer ${config2.apiKey}`,
     "Content-Type": "application/json"
@@ -7350,7 +8325,7 @@ async function wikiFetch(config2, path21, method = "GET", body) {
       }
     }
     if (!response.ok) {
-      throw new Error(`Wiki API ${method} ${path21}: ${response.status} ${response.statusText}`);
+      throw new Error(`Wiki API ${method} ${path23}: ${response.status} ${response.statusText}`);
     }
     return response.json();
   } finally {
@@ -7643,13 +8618,13 @@ __export(graph_rag_exports, {
   resolveAlias: () => resolveAlias,
   storeExtraction: () => storeExtraction
 });
-import crypto7 from "crypto";
+import crypto8 from "crypto";
 function normalizeEntityName(name) {
   return name.replace(/\s*\([^)]*\)\s*/g, "").trim().toLowerCase();
 }
 function entityId(name, type) {
   const normalized = normalizeEntityName(name);
-  return crypto7.createHash("sha256").update(`${normalized}::${type.toLowerCase()}`).digest("hex").slice(0, 16);
+  return crypto8.createHash("sha256").update(`${normalized}::${type.toLowerCase()}`).digest("hex").slice(0, 16);
 }
 async function resolveAlias(client, name) {
   const normalized = normalizeEntityName(name);
@@ -7899,7 +8874,7 @@ async function storeExtraction(client, extraction, memoryId, timestamp) {
     const targetAlias = await resolveAlias(client, r.target);
     const sourceId = sourceAlias ?? entityId(r.source, r.sourceType);
     const targetId = targetAlias ?? entityId(r.target, r.targetType);
-    const relId = crypto7.randomUUID().slice(0, 16);
+    const relId = crypto8.randomUUID().slice(0, 16);
     try {
       await client.execute({
         sql: `INSERT OR IGNORE INTO entities (id, name, type, first_seen, last_seen)
@@ -7962,7 +8937,7 @@ async function storeExtraction(client, extraction, memoryId, timestamp) {
     }
   }
   for (const h of extraction.hyperedges) {
-    const hId = crypto7.randomUUID().slice(0, 16);
+    const hId = crypto8.randomUUID().slice(0, 16);
     try {
       await client.execute({
         sql: `INSERT OR IGNORE INTO hyperedges (id, label, relation, confidence, timestamp)
@@ -8026,7 +9001,7 @@ async function extractBatch(client, batchSize = 50, model = "claude-haiku-4-5-20
         totalEntities += stored.entitiesStored;
         totalRelationships += stored.relationshipsStored;
       }
-      const contentHash = crypto7.createHash("sha256").update(rawContent).digest("hex").slice(0, 32);
+      const contentHash = crypto8.createHash("sha256").update(rawContent).digest("hex").slice(0, 32);
       await client.execute({
         sql: "UPDATE memories SET graph_extracted = 1, content_hash = ?, graph_extracted_hash = ? WHERE id = ?",
         args: [contentHash, contentHash, memoryId]
@@ -8371,13 +9346,13 @@ __export(whatsapp_accounts_exports, {
   getDefaultAccount: () => getDefaultAccount,
   loadAccounts: () => loadAccounts
 });
-import { readFileSync as readFileSync12 } from "fs";
+import { readFileSync as readFileSync13 } from "fs";
 import { join as join2 } from "path";
 import { homedir as homedir2 } from "os";
 function loadAccounts() {
   if (cachedAccounts !== null) return cachedAccounts;
   try {
-    const raw = readFileSync12(CONFIG_PATH2, "utf8");
+    const raw = readFileSync13(CONFIG_PATH2, "utf8");
     const parsed = JSON.parse(raw);
     if (!Array.isArray(parsed)) {
       console.warn("[whatsapp] Config is not an array, ignoring");
@@ -8433,10 +9408,10 @@ __export(messaging_exports, {
   sendMessage: () => sendMessage,
   setWsClientSend: () => setWsClientSend
 });
-import crypto9 from "crypto";
+import crypto10 from "crypto";
 function generateUlid() {
   const timestamp = Date.now().toString(36).padStart(10, "0");
-  const random = crypto9.randomBytes(10).toString("hex").slice(0, 16);
+  const random = crypto10.randomBytes(10).toString("hex").slice(0, 16);
   return (timestamp + random).toUpperCase();
 }
 function rowToMessage(row) {
@@ -8447,6 +9422,7 @@ function rowToMessage(row) {
     targetAgent: row.target_agent,
     targetProject: row.target_project ?? null,
     targetDevice: row.target_device,
+    sessionScope: row.session_scope ?? null,
     content: row.content,
     priority: row.priority ?? "normal",
     status: row.status ?? "pending",
@@ -8464,15 +9440,17 @@ async function sendMessage(input) {
   const id = generateUlid();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const targetDevice = input.targetDevice ?? "local";
+  const sessionScope = input.sessionScope === void 0 ? resolveExeSession() : input.sessionScope;
   await client.execute({
-    sql: `INSERT INTO messages (id, from_agent, from_device, target_agent, target_project, target_device, content, priority, status, created_at)
-          VALUES (?, ?, 'local', ?, ?, ?, ?, ?, 'pending', ?)`,
+    sql: `INSERT INTO messages (id, from_agent, from_device, target_agent, target_project, target_device, session_scope, content, priority, status, created_at)
+          VALUES (?, ?, 'local', ?, ?, ?, ?, ?, ?, 'pending', ?)`,
     args: [
       id,
       input.fromAgent,
       input.targetAgent,
       input.targetProject ?? null,
       targetDevice,
+      sessionScope,
       input.content,
       input.priority ?? "normal",
       now
@@ -8486,9 +9464,10 @@ async function sendMessage(input) {
     }
   } catch {
   }
+  const sentScope = strictSessionScopeFilter(sessionScope);
   const result = await client.execute({
-    sql: "SELECT * FROM messages WHERE id = ?",
-    args: [id]
+    sql: `SELECT * FROM messages WHERE id = ?${sentScope.sql}`,
+    args: [id, ...sentScope.args]
   });
   return rowToMessage(result.rows[0]);
 }
@@ -8512,6 +9491,7 @@ async function deliverCrossMachineMessage(messageId, targetDevice) {
     fromAgent: msg.fromAgent,
     targetAgent: msg.targetAgent,
     targetProject: msg.targetProject,
+    sessionScope: msg.sessionScope,
     content: msg.content,
     priority: msg.priority,
     createdAt: msg.createdAt
@@ -8555,7 +9535,7 @@ async function deliverLocalMessage(messageId) {
   } catch {
     const newRetryCount = msg.retryCount + 1;
     if (newRetryCount >= MAX_RETRIES3) {
-      await markFailed(messageId, "session unavailable after 10 retries");
+      await markFailed(messageId, "session unavailable after 10 retries", msg.sessionScope);
     } else {
       await client.execute({
         sql: "UPDATE messages SET retry_count = ? WHERE id = ?",
@@ -8565,85 +9545,101 @@ async function deliverLocalMessage(messageId) {
     return false;
   }
 }
-async function getPendingMessages(targetAgent) {
+async function getPendingMessages(targetAgent, sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   const result = await client.execute({
     sql: `SELECT * FROM messages
-          WHERE target_agent = ? AND status IN ('pending', 'delivered')
+          WHERE target_agent = ? AND status IN ('pending', 'delivered')${scope.sql}
           ORDER BY id`,
-    args: [targetAgent]
+    args: [targetAgent, ...scope.args]
   });
   return result.rows.map((row) => rowToMessage(row));
 }
-async function markRead(messageId) {
+async function markRead(messageId, sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   await client.execute({
-    sql: "UPDATE messages SET status = 'read' WHERE id = ? AND status IN ('pending', 'delivered')",
-    args: [messageId]
+    sql: `UPDATE messages SET status = 'read'
+          WHERE id = ? AND status IN ('pending', 'delivered')${scope.sql}`,
+    args: [messageId, ...scope.args]
   });
 }
-async function markAcknowledged(messageId) {
+async function markAcknowledged(messageId, sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   await client.execute({
-    sql: "UPDATE messages SET status = 'acknowledged', processed_at = ? WHERE id = ? AND status = 'read'",
-    args: [(/* @__PURE__ */ new Date()).toISOString(), messageId]
+    sql: `UPDATE messages SET status = 'acknowledged', processed_at = ?
+          WHERE id = ? AND status = 'read'${scope.sql}`,
+    args: [(/* @__PURE__ */ new Date()).toISOString(), messageId, ...scope.args]
   });
 }
-async function markProcessed(messageId) {
+async function markProcessed(messageId, sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   await client.execute({
-    sql: "UPDATE messages SET status = 'processed', processed_at = ? WHERE id = ?",
-    args: [(/* @__PURE__ */ new Date()).toISOString(), messageId]
+    sql: `UPDATE messages SET status = 'processed', processed_at = ?
+          WHERE id = ?${scope.sql}`,
+    args: [(/* @__PURE__ */ new Date()).toISOString(), messageId, ...scope.args]
   });
 }
-async function getMessageStatus(messageId) {
+async function getMessageStatus(messageId, sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   const result = await client.execute({
-    sql: "SELECT status FROM messages WHERE id = ?",
-    args: [messageId]
+    sql: `SELECT status FROM messages WHERE id = ?${scope.sql}`,
+    args: [messageId, ...scope.args]
   });
   return result.rows[0]?.status ?? null;
 }
-async function getUnacknowledgedMessages(targetAgent) {
+async function getUnacknowledgedMessages(targetAgent, sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   const result = await client.execute({
     sql: `SELECT * FROM messages
-          WHERE target_agent = ? AND status IN ('pending', 'delivered', 'read')
+          WHERE target_agent = ? AND status IN ('pending', 'delivered', 'read')${scope.sql}
           ORDER BY id`,
-    args: [targetAgent]
+    args: [targetAgent, ...scope.args]
   });
   return result.rows.map((row) => rowToMessage(row));
 }
-async function getReadMessages(targetAgent) {
+async function getReadMessages(targetAgent, sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   const result = await client.execute({
-    sql: "SELECT * FROM messages WHERE target_agent = ? AND status = 'read' ORDER BY id",
-    args: [targetAgent]
+    sql: `SELECT * FROM messages
+          WHERE target_agent = ? AND status = 'read'${scope.sql}
+          ORDER BY id`,
+    args: [targetAgent, ...scope.args]
   });
   return result.rows.map((row) => rowToMessage(row));
 }
-async function markFailed(messageId, reason) {
+async function markFailed(messageId, reason, sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   await client.execute({
-    sql: "UPDATE messages SET status = 'failed', failed_at = ?, failure_reason = ? WHERE id = ?",
-    args: [(/* @__PURE__ */ new Date()).toISOString(), reason, messageId]
+    sql: `UPDATE messages SET status = 'failed', failed_at = ?, failure_reason = ?
+          WHERE id = ?${scope.sql}`,
+    args: [(/* @__PURE__ */ new Date()).toISOString(), reason, messageId, ...scope.args]
   });
 }
-async function getFailedMessages() {
+async function getFailedMessages(sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   const result = await client.execute({
-    sql: "SELECT * FROM messages WHERE status = 'failed' ORDER BY created_at DESC",
-    args: []
+    sql: `SELECT * FROM messages WHERE status = 'failed'${scope.sql} ORDER BY created_at DESC`,
+    args: [...scope.args]
   });
   return result.rows.map((row) => rowToMessage(row));
 }
-async function retryPendingMessages() {
+async function retryPendingMessages(sessionScope) {
   const client = getClient();
+  const scope = strictSessionScopeFilter(sessionScope);
   const result = await client.execute({
     sql: `SELECT * FROM messages
-          WHERE status = 'pending' AND retry_count < ?
+          WHERE status = 'pending' AND retry_count < ?${scope.sql}
           ORDER BY id`,
-    args: [MAX_RETRIES3]
+    args: [MAX_RETRIES3, ...scope.args]
   });
   let delivered = 0;
   for (const row of result.rows) {
@@ -8662,6 +9658,7 @@ var init_messaging = __esm({
     "use strict";
     init_database();
     init_tmux_routing();
+    init_task_scope();
     MAX_RETRIES3 = 10;
     _wsClientSend = null;
   }
@@ -11142,11 +12139,11 @@ init_crm_bridge();
 
 // src/lib/pipeline-router.ts
 init_database();
-import crypto8 from "crypto";
+import crypto9 from "crypto";
 async function sinkConversationStore(msg, agentResponse, agentName) {
   try {
     const client = getClient();
-    const id = crypto8.randomUUID();
+    const id = crypto9.randomUUID();
     const mediaJson = msg.media ? JSON.stringify(msg.media) : null;
     await client.execute({
       sql: `INSERT INTO conversations
@@ -11196,7 +12193,7 @@ async function sinkMemory(msg, agentResponse, agentName) {
     ].filter(Boolean).join("\n");
     const vector = await embed2(rawText);
     await writeMemory2({
-      id: crypto8.randomUUID(),
+      id: crypto9.randomUUID(),
       agent_id: agentName ?? "gateway",
       agent_role: "gateway",
       session_id: `gateway-${msg.platform}`,
@@ -13877,12 +14874,12 @@ var SlackAdapter = class {
 // src/gateway/adapters/imessage.ts
 import { execFile } from "child_process";
 import { promisify } from "util";
-import os11 from "os";
-import path19 from "path";
+import os13 from "os";
+import path21 from "path";
 var execFileAsync = promisify(execFile);
 var POLL_INTERVAL_MS = 5e3;
-var MESSAGES_DB_PATH = path19.join(
-  process.env.HOME ?? os11.homedir(),
+var MESSAGES_DB_PATH = path21.join(
+  process.env.HOME ?? os13.homedir(),
   "Library/Messages/chat.db"
 );
 var IMessageAdapter = class {
@@ -14725,11 +15722,11 @@ async function ensureCRMContact(info) {
 }
 
 // src/automation/trigger-engine.ts
-import { readFileSync as readFileSync13, writeFileSync as writeFileSync8, existsSync as existsSync15, mkdirSync as mkdirSync9 } from "fs";
+import { readFileSync as readFileSync14, writeFileSync as writeFileSync9, existsSync as existsSync17, mkdirSync as mkdirSync9 } from "fs";
 import { randomUUID as randomUUID15 } from "crypto";
-import path20 from "path";
-import os12 from "os";
-var TRIGGERS_PATH = path20.join(os12.homedir(), ".exe-os", "triggers.json");
+import path22 from "path";
+import os14 from "os";
+var TRIGGERS_PATH = path22.join(os14.homedir(), ".exe-os", "triggers.json");
 var GRAPH_API_VERSION = "v21.0";
 function substituteTemplate(template, record) {
   return template.replace(
@@ -14783,9 +15780,9 @@ function evaluateConditions(conditions, record) {
   return conditions.every((c) => evaluateCondition(c, record));
 }
 function loadTriggers(project) {
-  if (!existsSync15(TRIGGERS_PATH)) return [];
+  if (!existsSync17(TRIGGERS_PATH)) return [];
   try {
-    const raw = readFileSync13(TRIGGERS_PATH, "utf-8");
+    const raw = readFileSync14(TRIGGERS_PATH, "utf-8");
     const all = JSON.parse(raw);
     if (!Array.isArray(all)) return [];
     if (project) {