@askexenow/exe-os 0.9.8 → 0.9.9

package/dist/bin/setup.js

@@ -15,6 +15,44 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/lib/secure-files.ts
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { chmod, mkdir } from "fs/promises";
+async function ensurePrivateDir(dirPath) {
+  await mkdir(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    await chmod(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+function ensurePrivateDirSync(dirPath) {
+  mkdirSync(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    chmodSync(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+async function enforcePrivateFile(filePath) {
+  try {
+    await chmod(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+function enforcePrivateFileSync(filePath) {
+  try {
+    if (existsSync(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+var PRIVATE_DIR_MODE, PRIVATE_FILE_MODE;
+var init_secure_files = __esm({
+  "src/lib/secure-files.ts"() {
+    "use strict";
+    PRIVATE_DIR_MODE = 448;
+    PRIVATE_FILE_MODE = 384;
+  }
+});
+
 // src/lib/config.ts
 var config_exports = {};
 __export(config_exports, {
@@ -31,8 +69,8 @@ __export(config_exports, {
   migrateConfig: () => migrateConfig,
   saveConfig: () => saveConfig
 });
-import { readFile, writeFile, mkdir, chmod } from "fs/promises";
-import { readFileSync, existsSync, renameSync } from "fs";
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
 import path from "path";
 import os from "os";
 function resolveDataDir() {
@@ -40,7 +78,7 @@ function resolveDataDir() {
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
   const newDir = path.join(os.homedir(), ".exe-os");
   const legacyDir = path.join(os.homedir(), ".exe-mem");
-  if (!existsSync(newDir) && existsSync(legacyDir)) {
+  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
       process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
@@ -103,9 +141,9 @@ function normalizeAutoUpdate(raw) {
 }
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path.join(dir, "config.json");
-  if (!existsSync(configPath)) {
+  if (!existsSync2(configPath)) {
     return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
   }
   const raw = await readFile(configPath, "utf-8");
@@ -118,6 +156,7 @@ async function loadConfig() {
 `);
       try {
         await writeFile(configPath, JSON.stringify(migratedCfg, null, 2) + "\n");
+        await enforcePrivateFile(configPath);
       } catch {
       }
     }
@@ -136,7 +175,7 @@ async function loadConfig() {
 function loadConfigSync() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   const configPath = path.join(dir, "config.json");
-  if (!existsSync(configPath)) {
+  if (!existsSync2(configPath)) {
     return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
   }
   try {
@@ -154,12 +193,10 @@ function loadConfigSync() {
 }
 async function saveConfig(config) {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path.join(dir, "config.json");
   await writeFile(configPath, JSON.stringify(config, null, 2) + "\n");
-  if (config.cloud?.apiKey) {
-    await chmod(configPath, 384);
-  }
+  await enforcePrivateFile(configPath);
 }
 async function loadConfigFrom(configPath) {
   const raw = await readFile(configPath, "utf-8");
@@ -179,6 +216,7 @@ var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CON
 var init_config = __esm({
   "src/lib/config.ts"() {
     "use strict";
+    init_secure_files();
     EXE_AI_DIR = resolveDataDir();
     DB_PATH = path.join(EXE_AI_DIR, "memories.db");
     MODELS_DIR = path.join(EXE_AI_DIR, "models");
@@ -265,7 +303,7 @@ __export(keychain_exports, {
   setMasterKey: () => setMasterKey
 });
 import { readFile as readFile2, writeFile as writeFile2, unlink, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync2 } from "fs";
+import { existsSync as existsSync3 } from "fs";
 import path2 from "path";
 import os2 from "os";
 function getKeyDir() {
@@ -293,7 +331,7 @@ async function getMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (!existsSync2(keyPath)) {
+  if (!existsSync3(keyPath)) {
     process.stderr.write(
       `[keychain] Key not found at ${keyPath} (HOME=${os2.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
 `
@@ -336,7 +374,7 @@ async function deleteMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (existsSync2(keyPath)) {
+  if (existsSync3(keyPath)) {
     await unlink(keyPath);
   }
 }
@@ -387,13 +425,50 @@ var init_memory = __esm({
   }
 });
 
+// src/lib/daemon-auth.ts
+import crypto from "crypto";
+import path4 from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync2, writeFileSync } from "fs";
+function normalizeToken(token) {
+  if (!token) return null;
+  const trimmed = token.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function readDaemonToken() {
+  try {
+    if (!existsSync5(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync2(DAEMON_TOKEN_PATH, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function ensureDaemonToken(seed) {
+  const existing = readDaemonToken();
+  if (existing) return existing;
+  const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
+  ensurePrivateDirSync(EXE_AI_DIR);
+  writeFileSync(DAEMON_TOKEN_PATH, `${token}
+`, "utf8");
+  enforcePrivateFileSync(DAEMON_TOKEN_PATH);
+  return token;
+}
+var DAEMON_TOKEN_PATH;
+var init_daemon_auth = __esm({
+  "src/lib/daemon-auth.ts"() {
+    "use strict";
+    init_config();
+    init_secure_files();
+    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
+  }
+});
+
 // src/lib/exe-daemon-client.ts
 import net from "net";
 import os3 from "os";
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync4, unlinkSync as unlinkSync2, readFileSync as readFileSync2, openSync, closeSync, statSync } from "fs";
-import path4 from "path";
+import { existsSync as existsSync6, unlinkSync as unlinkSync2, readFileSync as readFileSync3, openSync, closeSync, statSync } from "fs";
+import path5 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
@@ -421,9 +496,9 @@ function handleData(chunk) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync4(PID_PATH)) {
+  if (existsSync6(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync2(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync3(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -444,11 +519,11 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path4.dirname(fileURLToPath(import.meta.url));
-  const { root } = path4.parse(dir);
+  let dir = path5.dirname(fileURLToPath(import.meta.url));
+  const { root } = path5.parse(dir);
   while (dir !== root) {
-    if (existsSync4(path4.join(dir, "package.json"))) return dir;
-    dir = path4.dirname(dir);
+    if (existsSync6(path5.join(dir, "package.json"))) return dir;
+    dir = path5.dirname(dir);
   }
   return null;
 }
@@ -474,16 +549,17 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path4.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync4(daemonPath)) {
+  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync6(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
   }
   const resolvedPath = daemonPath;
+  const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path4.join(path4.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -501,7 +577,8 @@ function spawnDaemon() {
       TMUX_PANE: void 0,
       // Prevents resolveExeSession() from scoping to one session
       EXE_DAEMON_SOCK: SOCKET_PATH,
-      EXE_DAEMON_PID: PID_PATH
+      EXE_DAEMON_PID: PID_PATH,
+      [DAEMON_TOKEN_ENV]: daemonToken
     }
   });
   child.unref();
@@ -611,13 +688,14 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
       return;
     }
     const id = randomUUID();
+    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
     const timer = setTimeout(() => {
       _pending.delete(id);
       resolve({ error: "Request timeout" });
     }, timeoutMs);
     _pending.set(id, { resolve, timer });
     try {
-      _socket.write(JSON.stringify({ id, ...payload }) + "\n");
+      _socket.write(JSON.stringify({ id, token, ...payload }) + "\n");
     } catch {
       clearTimeout(timer);
       _pending.delete(id);
@@ -646,9 +724,9 @@ function killAndRespawnDaemon() {
   }
   try {
     process.stderr.write("[exed-client] Killing daemon for restart...\n");
-    if (existsSync4(PID_PATH)) {
+    if (existsSync6(PID_PATH)) {
       try {
-        const pid = parseInt(readFileSync2(PID_PATH, "utf8").trim(), 10);
+        const pid = parseInt(readFileSync3(PID_PATH, "utf8").trim(), 10);
         if (pid > 0) {
           try {
             process.kill(pid, "SIGKILL");
@@ -768,17 +846,19 @@ function disconnectClient() {
 function isClientConnected() {
   return _connected;
 }
-var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, _socket, _connected, _buffer, _requestCount, _consecutiveFailures, HEALTH_CHECK_INTERVAL, MAX_RETRIES_BEFORE_RESTART, RETRY_DELAYS_MS, MIN_DAEMON_AGE_MS, _pending, MAX_BUFFER;
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _requestCount, _consecutiveFailures, HEALTH_CHECK_INTERVAL, MAX_RETRIES_BEFORE_RESTART, RETRY_DELAYS_MS, MIN_DAEMON_AGE_MS, _pending, MAX_BUFFER;
 var init_exe_daemon_client = __esm({
   "src/lib/exe-daemon-client.ts"() {
     "use strict";
     init_config();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path4.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path4.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path4.join(EXE_AI_DIR, "exed-spawn.lock");
+    init_daemon_auth();
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
+    DAEMON_TOKEN_ENV = "EXE_DAEMON_TOKEN";
     _socket = null;
     _connected = false;
     _buffer = "";
@@ -830,10 +910,10 @@ async function disposeEmbedder() {
 async function embedDirect(text) {
   const llamaCpp = await import("node-llama-cpp");
   const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-  const { existsSync: existsSync14 } = await import("fs");
-  const path15 = await import("path");
-  const modelPath = path15.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
-  if (!existsSync14(modelPath)) {
+  const { existsSync: existsSync16 } = await import("fs");
+  const path16 = await import("path");
+  const modelPath = path16.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
+  if (!existsSync16(modelPath)) {
     throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
   }
   const llama = await llamaCpp.getLlama();
@@ -878,9 +958,12 @@ __export(license_exports, {
   stopLicenseRevalidation: () => stopLicenseRevalidation,
   validateLicense: () => validateLicense
 });
-import { readFileSync as readFileSync3, writeFileSync, existsSync as existsSync5, mkdirSync } from "fs";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync2, existsSync as existsSync7, mkdirSync as mkdirSync2 } from "fs";
 import { randomUUID as randomUUID2 } from "crypto";
-import path5 from "path";
+import { createRequire } from "module";
+import { pathToFileURL } from "url";
+import os4 from "os";
+import path6 from "path";
 import { jwtVerify, importSPKI } from "jose";
 async function fetchRetry(url, init) {
   try {
@@ -891,37 +974,37 @@ async function fetchRetry(url, init) {
   }
 }
 function loadDeviceId() {
-  const deviceJsonPath = path5.join(EXE_AI_DIR, "device.json");
+  const deviceJsonPath = path6.join(EXE_AI_DIR, "device.json");
   try {
-    if (existsSync5(deviceJsonPath)) {
-      const data = JSON.parse(readFileSync3(deviceJsonPath, "utf8"));
+    if (existsSync7(deviceJsonPath)) {
+      const data = JSON.parse(readFileSync4(deviceJsonPath, "utf8"));
       if (data.deviceId) return data.deviceId;
     }
   } catch {
   }
   try {
-    if (existsSync5(DEVICE_ID_PATH)) {
-      const id2 = readFileSync3(DEVICE_ID_PATH, "utf8").trim();
+    if (existsSync7(DEVICE_ID_PATH)) {
+      const id2 = readFileSync4(DEVICE_ID_PATH, "utf8").trim();
       if (id2) return id2;
     }
   } catch {
   }
   const id = randomUUID2();
-  mkdirSync(EXE_AI_DIR, { recursive: true });
-  writeFileSync(DEVICE_ID_PATH, id, "utf8");
+  mkdirSync2(EXE_AI_DIR, { recursive: true });
+  writeFileSync2(DEVICE_ID_PATH, id, "utf8");
   return id;
 }
 function loadLicense() {
   try {
-    if (!existsSync5(LICENSE_PATH)) return null;
-    return readFileSync3(LICENSE_PATH, "utf8").trim();
+    if (!existsSync7(LICENSE_PATH)) return null;
+    return readFileSync4(LICENSE_PATH, "utf8").trim();
   } catch {
     return null;
   }
 }
 function saveLicense(apiKey) {
-  mkdirSync(EXE_AI_DIR, { recursive: true });
-  writeFileSync(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
+  mkdirSync2(EXE_AI_DIR, { recursive: true });
+  writeFileSync2(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
 }
 async function verifyLicenseJwt(token) {
   try {
@@ -947,8 +1030,8 @@ async function verifyLicenseJwt(token) {
 }
 async function getCachedLicense() {
   try {
-    if (!existsSync5(CACHE_PATH)) return null;
-    const raw = JSON.parse(readFileSync3(CACHE_PATH, "utf8"));
+    if (!existsSync7(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync4(CACHE_PATH, "utf8"));
     if (!raw.token || typeof raw.token !== "string") return null;
     return await verifyLicenseJwt(raw.token);
   } catch {
@@ -957,8 +1040,8 @@ async function getCachedLicense() {
 }
 function readCachedToken() {
   try {
-    if (!existsSync5(CACHE_PATH)) return null;
-    const raw = JSON.parse(readFileSync3(CACHE_PATH, "utf8"));
+    if (!existsSync7(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync4(CACHE_PATH, "utf8"));
     return typeof raw.token === "string" ? raw.token : null;
   } catch {
     return null;
@@ -992,56 +1075,130 @@ function getRawCachedPlan() {
 }
 function cacheResponse(token) {
   try {
-    writeFileSync(CACHE_PATH, JSON.stringify({ token }), "utf8");
+    writeFileSync2(CACHE_PATH, JSON.stringify({ token }), "utf8");
   } catch {
   }
 }
-async function validateLicense(apiKey, deviceId) {
-  const did = deviceId ?? loadDeviceId();
+function loadPrismaForLicense() {
+  if (_prismaFailed) return null;
+  const dbUrl = process.env.DATABASE_URL;
+  if (!dbUrl) {
+    const exeDbRoot = process.env.EXE_DB_ROOT ?? path6.join(os4.homedir(), "exe-db");
+    if (!existsSync7(path6.join(exeDbRoot, "package.json"))) {
+      _prismaFailed = true;
+      return null;
+    }
+  }
+  if (!_prismaPromise) {
+    _prismaPromise = (async () => {
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const mod2 = await import(pathToFileURL(explicitPath).href);
+        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
+        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor2();
+      }
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path6.join(os4.homedir(), "exe-db");
+      const req = createRequire(path6.join(exeDbRoot, "package.json"));
+      const entry = req.resolve("@prisma/client");
+      const mod = await import(pathToFileURL(entry).href);
+      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+      if (!Ctor) throw new Error(`No PrismaClient in ${entry}`);
+      return new Ctor();
+    })().catch((err) => {
+      _prismaFailed = true;
+      _prismaPromise = null;
+      throw err;
+    });
+  }
+  return _prismaPromise;
+}
+async function validateViaPostgres(apiKey) {
+  const loader = loadPrismaForLicense();
+  if (!loader) return null;
+  try {
+    const prisma = await loader;
+    const rows = await prisma.$queryRawUnsafe(
+      `SELECT plan, email, status, device_limit, employee_limit, memory_limit, expires_at
+       FROM billing.licenses WHERE key = $1 LIMIT 1`,
+      apiKey
+    );
+    if (!rows || rows.length === 0) return null;
+    const row = rows[0];
+    if (row.status !== "active") return null;
+    if (row.expires_at && new Date(row.expires_at) < /* @__PURE__ */ new Date()) return null;
+    const plan = row.plan;
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan,
+      email: row.email,
+      expiresAt: row.expires_at ? new Date(row.expires_at).toISOString() : null,
+      deviceLimit: row.device_limit ?? limits.devices,
+      employeeLimit: row.employee_limit ?? limits.employees,
+      memoryLimit: row.memory_limit ?? limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateViaCFWorker(apiKey, deviceId) {
   try {
     const res = await fetchRetry(`${API_BASE}/auth/activate`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ apiKey, deviceId: did }),
+      body: JSON.stringify({ apiKey, deviceId }),
       signal: AbortSignal.timeout(1e4)
     });
-    if (res.ok) {
-      const data = await res.json();
-      if (data.error === "device_limit_exceeded") {
-        const cached2 = await getCachedLicense();
-        if (cached2) return cached2;
-        const raw2 = getRawCachedPlan();
-        if (raw2) return { ...raw2, valid: false };
-        return { ...FREE_LICENSE, valid: false, plan: "free" };
-      }
-      if (data.token) {
-        cacheResponse(data.token);
-        const verified = await verifyLicenseJwt(data.token);
-        if (verified) return verified;
+    if (!res.ok) return null;
+    const data = await res.json();
+    if (data.error === "device_limit_exceeded") return null;
+    if (!data.valid) return null;
+    if (data.token) {
+      cacheResponse(data.token);
+      const verified = await verifyLicenseJwt(data.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: data.valid,
+      plan: data.plan,
+      email: data.email,
+      expiresAt: data.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateLicense(apiKey, deviceId) {
+  const did = deviceId ?? loadDeviceId();
+  const pgResult = await validateViaPostgres(apiKey);
+  if (pgResult) {
+    try {
+      writeFileSync2(CACHE_PATH, JSON.stringify({ pgLicense: pgResult, ts: Date.now() }), "utf8");
+    } catch {
+    }
+    return pgResult;
+  }
+  const cfResult = await validateViaCFWorker(apiKey, did);
+  if (cfResult) return cfResult;
+  const cached = await getCachedLicense();
+  if (cached) return cached;
+  try {
+    if (existsSync7(CACHE_PATH)) {
+      const raw = JSON.parse(readFileSync4(CACHE_PATH, "utf8"));
+      if (raw.pgLicense && raw.ts && Date.now() - raw.ts < 7 * 24 * 60 * 60 * 1e3) {
+        return raw.pgLicense;
       }
-      const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
-      return {
-        valid: data.valid,
-        plan: data.plan,
-        email: data.email,
-        expiresAt: data.expiresAt,
-        deviceLimit: limits.devices,
-        employeeLimit: limits.employees,
-        memoryLimit: limits.memories
-      };
     }
-    const cached = await getCachedLicense();
-    if (cached) return cached;
-    const raw = getRawCachedPlan();
-    if (raw) return raw;
-    return { ...FREE_LICENSE, valid: false, plan: "free" };
   } catch {
-    const cached = await getCachedLicense();
-    if (cached) return cached;
-    const rawFallback = getRawCachedPlan();
-    if (rawFallback) return rawFallback;
-    return { ...FREE_LICENSE, valid: false, error: "offline" };
   }
+  const rawFallback = getRawCachedPlan();
+  if (rawFallback) return rawFallback;
+  return { ...FREE_LICENSE, valid: false };
 }
 function getCacheAgeMs() {
   try {
@@ -1056,9 +1213,9 @@ async function checkLicense() {
   let key = loadLicense();
   if (!key) {
     try {
-      const configPath = path5.join(EXE_AI_DIR, "config.json");
-      if (existsSync5(configPath)) {
-        const raw = JSON.parse(readFileSync3(configPath, "utf8"));
+      const configPath = path6.join(EXE_AI_DIR, "config.json");
+      if (existsSync7(configPath)) {
+        const raw = JSON.parse(readFileSync4(configPath, "utf8"));
         const cloud = raw.cloud;
         if (cloud?.apiKey) {
           key = cloud.apiKey;
@@ -1212,14 +1369,14 @@ function stopLicenseRevalidation() {
     _revalTimer = null;
   }
 }
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, CACHE_MAX_AGE_MS, _revalTimer;
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, _prismaPromise, _prismaFailed, CACHE_MAX_AGE_MS, _revalTimer;
 var init_license = __esm({
   "src/lib/license.ts"() {
     "use strict";
     init_config();
-    LICENSE_PATH = path5.join(EXE_AI_DIR, "license.key");
-    CACHE_PATH = path5.join(EXE_AI_DIR, "license-cache.json");
-    DEVICE_ID_PATH = path5.join(EXE_AI_DIR, "device-id");
+    LICENSE_PATH = path6.join(EXE_AI_DIR, "license.key");
+    CACHE_PATH = path6.join(EXE_AI_DIR, "license-cache.json");
+    DEVICE_ID_PATH = path6.join(EXE_AI_DIR, "device-id");
     API_BASE = "https://askexe.com/cloud";
     RETRY_DELAY_MS = 500;
     LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
@@ -1243,6 +1400,8 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
       employeeLimit: 1,
       memoryLimit: 5e3
     };
+    _prismaPromise = null;
+    _prismaFailed = false;
     CACHE_MAX_AGE_MS = 36e5;
     _revalTimer = null;
   }
@@ -1256,13 +1415,13 @@ __export(crypto_exports, {
   initSyncCrypto: () => initSyncCrypto,
   isSyncCryptoInitialized: () => isSyncCryptoInitialized
 });
-import crypto from "crypto";
+import crypto2 from "crypto";
 function initSyncCrypto(masterKey) {
   if (masterKey.length !== 32) {
     throw new Error(`Master key must be 32 bytes, got ${masterKey.length}`);
   }
   _syncKey = Buffer.from(
-    crypto.hkdfSync("sha256", masterKey, "", SYNC_HKDF_INFO, 32)
+    crypto2.hkdfSync("sha256", masterKey, "", SYNC_HKDF_INFO, 32)
   );
 }
 function isSyncCryptoInitialized() {
@@ -1276,8 +1435,8 @@ function requireSyncKey() {
 }
 function encryptSyncBlob(data) {
   const key = requireSyncKey();
-  const iv = crypto.randomBytes(IV_LENGTH);
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const iv = crypto2.randomBytes(IV_LENGTH);
+  const cipher = crypto2.createCipheriv(ALGORITHM, key, iv);
   const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
   const tag = cipher.getAuthTag();
   return Buffer.concat([iv, encrypted, tag]).toString("base64");
@@ -1291,7 +1450,7 @@ function decryptSyncBlob(ciphertext) {
   const iv = combined.subarray(0, IV_LENGTH);
   const tag = combined.subarray(combined.length - TAG_LENGTH);
   const encrypted = combined.subarray(IV_LENGTH, combined.length - TAG_LENGTH);
-  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  const decipher = crypto2.createDecipheriv(ALGORITHM, key, iv);
   decipher.setAuthTag(tag);
   return Buffer.concat([decipher.update(encrypted), decipher.final()]);
 }
@@ -1402,20 +1561,21 @@ __export(agent_config_exports, {
   saveAgentConfig: () => saveAgentConfig,
   setAgentRuntime: () => setAgentRuntime
 });
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync2, existsSync as existsSync6, mkdirSync as mkdirSync2 } from "fs";
-import path6 from "path";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, existsSync as existsSync8 } from "fs";
+import path7 from "path";
 function loadAgentConfig() {
-  if (!existsSync6(AGENT_CONFIG_PATH)) return {};
+  if (!existsSync8(AGENT_CONFIG_PATH)) return {};
   try {
-    return JSON.parse(readFileSync4(AGENT_CONFIG_PATH, "utf-8"));
+    return JSON.parse(readFileSync5(AGENT_CONFIG_PATH, "utf-8"));
   } catch {
     return {};
   }
 }
 function saveAgentConfig(config) {
-  const dir = path6.dirname(AGENT_CONFIG_PATH);
-  if (!existsSync6(dir)) mkdirSync2(dir, { recursive: true });
-  writeFileSync2(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  const dir = path7.dirname(AGENT_CONFIG_PATH);
+  ensurePrivateDirSync(dir);
+  writeFileSync3(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  enforcePrivateFileSync(AGENT_CONFIG_PATH);
 }
 function getAgentRuntime(agentId) {
   const config = loadAgentConfig();
@@ -1455,7 +1615,8 @@ var init_agent_config = __esm({
     "use strict";
     init_config();
     init_runtime_table();
-    AGENT_CONFIG_PATH = path6.join(EXE_AI_DIR, "agent-config.json");
+    init_secure_files();
+    AGENT_CONFIG_PATH = path7.join(EXE_AI_DIR, "agent-config.json");
     KNOWN_RUNTIMES = {
       claude: ["claude-opus-4", "claude-sonnet-4", "claude-haiku-4.5"],
       codex: ["gpt-5.4", "gpt-5.5", "gpt-5.3-codex-spark", "o3", "o4-mini"],
@@ -1502,10 +1663,10 @@ __export(employees_exports, {
   validateEmployeeName: () => validateEmployeeName
 });
 import { readFile as readFile3, writeFile as writeFile3, mkdir as mkdir4 } from "fs/promises";
-import { existsSync as existsSync7, symlinkSync, readlinkSync, readFileSync as readFileSync5, renameSync as renameSync3, unlinkSync as unlinkSync3, writeFileSync as writeFileSync3 } from "fs";
+import { existsSync as existsSync9, symlinkSync, readlinkSync, readFileSync as readFileSync6, renameSync as renameSync3, unlinkSync as unlinkSync3, writeFileSync as writeFileSync4 } from "fs";
 import { execSync } from "child_process";
-import path7 from "path";
-import os4 from "os";
+import path8 from "path";
+import os5 from "os";
 function normalizeRole(role) {
   return (role ?? "").trim().toLowerCase();
 }
@@ -1541,7 +1702,7 @@ function validateEmployeeName(name) {
   return { valid: true };
 }
 async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync7(employeesPath)) {
+  if (!existsSync9(employeesPath)) {
     return [];
   }
   const raw = await readFile3(employeesPath, "utf-8");
@@ -1552,13 +1713,13 @@ async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
   }
 }
 async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
-  await mkdir4(path7.dirname(employeesPath), { recursive: true });
+  await mkdir4(path8.dirname(employeesPath), { recursive: true });
   await writeFile3(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
 }
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync7(employeesPath)) return [];
+  if (!existsSync9(employeesPath)) return [];
   try {
-    return JSON.parse(readFileSync5(employeesPath, "utf-8"));
+    return JSON.parse(readFileSync6(employeesPath, "utf-8"));
   } catch {
     return [];
   }
@@ -1603,9 +1764,9 @@ function addEmployee(employees, employee) {
 function appendToCoordinatorTeam(employee) {
   const coordinator = getCoordinatorEmployee(loadEmployeesSync());
   if (!coordinator) return;
-  const idPath = path7.join(IDENTITY_DIR, `${coordinator.name}.md`);
-  if (!existsSync7(idPath)) return;
-  const content = readFileSync5(idPath, "utf-8");
+  const idPath = path8.join(IDENTITY_DIR, `${coordinator.name}.md`);
+  if (!existsSync9(idPath)) return;
+  const content = readFileSync6(idPath, "utf-8");
   if (content.includes(`**${capitalize(employee.name)}`)) return;
   const teamMatch = content.match(TEAM_SECTION_RE);
   if (!teamMatch || teamMatch.index === void 0) return;
@@ -1621,7 +1782,7 @@ function appendToCoordinatorTeam(employee) {
   } else {
     updated = content.trimEnd() + "\n" + entry;
   }
-  writeFileSync3(idPath, updated, "utf-8");
+  writeFileSync4(idPath, updated, "utf-8");
 }
 function capitalize(s) {
   return s.charAt(0).toUpperCase() + s.slice(1);
@@ -1655,14 +1816,14 @@ async function normalizeRosterCase(rosterPath) {
       emp.name = emp.name.toLowerCase();
       changed = true;
       try {
-        const identityDir = path7.join(os4.homedir(), ".exe-os", "identity");
-        const oldPath = path7.join(identityDir, `${oldName}.md`);
-        const newPath = path7.join(identityDir, `${emp.name}.md`);
-        if (existsSync7(oldPath) && !existsSync7(newPath)) {
+        const identityDir = path8.join(os5.homedir(), ".exe-os", "identity");
+        const oldPath = path8.join(identityDir, `${oldName}.md`);
+        const newPath = path8.join(identityDir, `${emp.name}.md`);
+        if (existsSync9(oldPath) && !existsSync9(newPath)) {
           renameSync3(oldPath, newPath);
-        } else if (existsSync7(oldPath) && oldPath !== newPath) {
-          const content = readFileSync5(oldPath, "utf-8");
-          writeFileSync3(newPath, content, "utf-8");
+        } else if (existsSync9(oldPath) && oldPath !== newPath) {
+          const content = readFileSync6(oldPath, "utf-8");
+          writeFileSync4(newPath, content, "utf-8");
           if (oldPath.toLowerCase() !== newPath.toLowerCase()) {
             unlinkSync3(oldPath);
           }
@@ -1692,7 +1853,7 @@ function registerBinSymlinks(name) {
     errors.push("Could not find 'exe-os' in PATH");
     return { created, skipped, errors };
   }
-  const binDir = path7.dirname(exeBinPath);
+  const binDir = path8.dirname(exeBinPath);
   let target;
   try {
     target = readlinkSync(exeBinPath);
@@ -1702,8 +1863,8 @@ function registerBinSymlinks(name) {
   }
   for (const suffix of ["", "-opencode"]) {
     const linkName = `${name}${suffix}`;
-    const linkPath = path7.join(binDir, linkName);
-    if (existsSync7(linkPath)) {
+    const linkPath = path8.join(binDir, linkName);
+    if (existsSync9(linkPath)) {
       skipped.push(linkName);
       continue;
     }
@@ -1721,20 +1882,20 @@ var init_employees = __esm({
   "src/lib/employees.ts"() {
     "use strict";
     init_config();
-    EMPLOYEES_PATH = path7.join(EXE_AI_DIR, "exe-employees.json");
+    EMPLOYEES_PATH = path8.join(EXE_AI_DIR, "exe-employees.json");
     DEFAULT_COORDINATOR_TEMPLATE_NAME = "exe";
     COORDINATOR_ROLE = "COO";
     MULTI_INSTANCE_ROLES = /* @__PURE__ */ new Set(["principal engineer", "content production specialist", "staff code reviewer"]);
-    IDENTITY_DIR = path7.join(EXE_AI_DIR, "identity");
+    IDENTITY_DIR = path8.join(EXE_AI_DIR, "identity");
     TEAM_SECTION_RE = /^## Team\b.*$/m;
   }
 });
 
 // src/lib/database-adapter.ts
-import os5 from "os";
-import path8 from "path";
-import { createRequire } from "module";
-import { pathToFileURL } from "url";
+import os6 from "os";
+import path9 from "path";
+import { createRequire as createRequire2 } from "module";
+import { pathToFileURL as pathToFileURL2 } from "url";
 function quotedIdentifier(identifier) {
   return `"${identifier.replace(/"/g, '""')}"`;
 }
@@ -2036,17 +2197,17 @@ async function loadPrismaClient() {
     prismaClientPromise = (async () => {
       const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
       if (explicitPath) {
-        const module2 = await import(pathToFileURL(explicitPath).href);
+        const module2 = await import(pathToFileURL2(explicitPath).href);
         const PrismaClient2 = module2.PrismaClient ?? module2.default?.PrismaClient;
         if (!PrismaClient2) {
           throw new Error(`No PrismaClient export found at ${explicitPath}`);
         }
         return new PrismaClient2();
       }
-      const exeDbRoot = process.env.EXE_DB_ROOT ?? path8.join(os5.homedir(), "exe-db");
-      const requireFromExeDb = createRequire(path8.join(exeDbRoot, "package.json"));
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path9.join(os6.homedir(), "exe-db");
+      const requireFromExeDb = createRequire2(path9.join(exeDbRoot, "package.json"));
       const prismaEntry = requireFromExeDb.resolve("@prisma/client");
-      const module = await import(pathToFileURL(prismaEntry).href);
+      const module = await import(pathToFileURL2(prismaEntry).href);
       const PrismaClient = module.PrismaClient ?? module.default?.PrismaClient;
       if (!PrismaClient) {
         throw new Error(`No PrismaClient export found in ${prismaEntry}`);
@@ -2884,6 +3045,7 @@ async function ensureSchema() {
       project     TEXT NOT NULL,
       summary     TEXT NOT NULL,
       task_file   TEXT,
+      session_scope TEXT,
       read        INTEGER NOT NULL DEFAULT 0,
       created_at  TEXT NOT NULL
     );
@@ -2892,7 +3054,7 @@ async function ensureSchema() {
       ON notifications(read);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_agent
-      ON notifications(agent_id);
+      ON notifications(agent_id, session_scope);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_task_file
       ON notifications(task_file);
@@ -2930,6 +3092,7 @@ async function ensureSchema() {
       target_agent    TEXT NOT NULL,
       target_project  TEXT,
       target_device   TEXT NOT NULL DEFAULT 'local',
+      session_scope   TEXT,
       content         TEXT NOT NULL,
       priority        TEXT DEFAULT 'normal',
       status          TEXT DEFAULT 'pending',
@@ -2943,10 +3106,31 @@ async function ensureSchema() {
     );
 
     CREATE INDEX IF NOT EXISTS idx_messages_target
-      ON messages(target_agent, status);
+      ON messages(target_agent, session_scope, status);
 
     CREATE INDEX IF NOT EXISTS idx_messages_conversation_order
-      ON messages(target_agent, from_agent, server_seq);
+      ON messages(target_agent, session_scope, from_agent, server_seq);
+  `);
+  try {
+    await client.execute({
+      sql: `ALTER TABLE notifications ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE messages ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE INDEX IF NOT EXISTS idx_notifications_agent_scope_read
+      ON notifications(agent_id, session_scope, read, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_messages_target_scope_status
+      ON messages(target_agent, session_scope, status, created_at);
   `);
   try {
     await client.execute({
@@ -3530,6 +3714,13 @@ async function ensureSchema() {
     } catch {
     }
   }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
 }
 async function disposeDatabase() {
   if (_walCheckpointTimer) {
@@ -3606,8 +3797,8 @@ __export(crdt_sync_exports, {
   rebuildFromDb: () => rebuildFromDb
 });
 import * as Y from "yjs";
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, existsSync as existsSync8, mkdirSync as mkdirSync3, unlinkSync as unlinkSync4 } from "fs";
-import path9 from "path";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, existsSync as existsSync10, mkdirSync as mkdirSync3, unlinkSync as unlinkSync4 } from "fs";
+import path10 from "path";
 import { homedir } from "os";
 function getStatePath() {
   return _statePathOverride ?? DEFAULT_STATE_PATH;
@@ -3619,9 +3810,9 @@ function initCrdtDoc() {
   if (doc) return doc;
   doc = new Y.Doc();
   const sp = getStatePath();
-  if (existsSync8(sp)) {
+  if (existsSync10(sp)) {
     try {
-      const state = readFileSync6(sp);
+      const state = readFileSync7(sp);
       Y.applyUpdate(doc, new Uint8Array(state));
     } catch {
       console.warn("[crdt-sync] WARN: corrupted state file, rebuilding from DB");
@@ -3763,10 +3954,10 @@ function persistState() {
   if (!doc) return;
   try {
     const sp = getStatePath();
-    const dir = path9.dirname(sp);
-    if (!existsSync8(dir)) mkdirSync3(dir, { recursive: true });
+    const dir = path10.dirname(sp);
+    if (!existsSync10(dir)) mkdirSync3(dir, { recursive: true });
     const state = Y.encodeStateAsUpdate(doc);
-    writeFileSync4(sp, Buffer.from(state));
+    writeFileSync5(sp, Buffer.from(state));
   } catch {
   }
 }
@@ -3807,7 +3998,7 @@ var DEFAULT_STATE_PATH, _statePathOverride, doc;
 var init_crdt_sync = __esm({
   "src/lib/crdt-sync.ts"() {
     "use strict";
-    DEFAULT_STATE_PATH = path9.join(homedir(), ".exe-os", "crdt-state.bin");
+    DEFAULT_STATE_PATH = path10.join(homedir(), ".exe-os", "crdt-state.bin");
     _statePathOverride = null;
     doc = null;
   }
@@ -3839,39 +4030,107 @@ __export(cloud_sync_exports, {
   cloudSync: () => cloudSync,
   mergeConfig: () => mergeConfig,
   mergeRosterFromRemote: () => mergeRosterFromRemote,
+  pushToPostgres: () => pushToPostgres,
   recordRosterDeletion: () => recordRosterDeletion
 });
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, existsSync as existsSync9, readdirSync, mkdirSync as mkdirSync4, appendFileSync, unlinkSync as unlinkSync5, openSync as openSync2, closeSync as closeSync2 } from "fs";
-import crypto2 from "crypto";
-import path10 from "path";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync6, existsSync as existsSync11, readdirSync, mkdirSync as mkdirSync4, appendFileSync, unlinkSync as unlinkSync5, openSync as openSync2, closeSync as closeSync2 } from "fs";
+import crypto3 from "crypto";
+import path11 from "path";
 import { homedir as homedir2 } from "os";
 function sqlSafe(v) {
   return v === void 0 ? null : v;
 }
 function logError(msg) {
   try {
-    const logPath = path10.join(homedir2(), ".exe-os", "workers.log");
+    const logPath = path11.join(homedir2(), ".exe-os", "workers.log");
     appendFileSync(logPath, `${(/* @__PURE__ */ new Date()).toISOString()} ${msg}
 `);
   } catch {
   }
 }
+function loadPgClient() {
+  if (_pgFailed) return null;
+  const postgresUrl = process.env.DATABASE_URL;
+  const configPath = path11.join(EXE_AI_DIR, "config.json");
+  let cloudPostgresUrl;
+  try {
+    if (existsSync11(configPath)) {
+      const cfg = JSON.parse(readFileSync8(configPath, "utf8"));
+      cloudPostgresUrl = cfg.cloud?.postgresUrl;
+      if (cfg.cloud?.syncToPostgres === false) {
+        _pgFailed = true;
+        return null;
+      }
+    }
+  } catch {
+  }
+  const url = postgresUrl || cloudPostgresUrl;
+  if (!url) {
+    _pgFailed = true;
+    return null;
+  }
+  if (!_pgPromise) {
+    _pgPromise = (async () => {
+      const { createRequire: createRequire3 } = await import("module");
+      const { pathToFileURL: pathToFileURL3 } = await import("url");
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path11.join(homedir2(), "exe-db");
+      const req = createRequire3(path11.join(exeDbRoot, "package.json"));
+      const entry = req.resolve("@prisma/client");
+      const mod = await import(pathToFileURL3(entry).href);
+      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+      if (!Ctor) throw new Error("No PrismaClient");
+      return new Ctor();
+    })().catch(() => {
+      _pgFailed = true;
+      _pgPromise = null;
+      throw new Error("pg_unavailable");
+    });
+  }
+  return _pgPromise;
+}
+async function pushToPostgres(records) {
+  const loader = loadPgClient();
+  if (!loader) return 0;
+  let prisma;
+  try {
+    prisma = await loader;
+  } catch {
+    return 0;
+  }
+  let inserted = 0;
+  for (const rec of records) {
+    try {
+      await prisma.$executeRawUnsafe(
+        `INSERT INTO raw.raw_events (id, source, source_id, event_type, payload, metadata, timestamp)
+         VALUES (gen_random_uuid(), 'cloud_sync', $1, 'memory', $2::jsonb, $3::jsonb, $4)
+         ON CONFLICT (source, source_id, event_type) DO NOTHING`,
+        String(rec.id ?? ""),
+        JSON.stringify(rec),
+        JSON.stringify({ agent_id: rec.agent_id, project_name: rec.project_name, tool_name: rec.tool_name }),
+        rec.timestamp ? new Date(String(rec.timestamp)) : /* @__PURE__ */ new Date()
+      );
+      inserted++;
+    } catch {
+    }
+  }
+  return inserted;
+}
 async function withRosterLock(fn) {
   try {
     const fd = openSync2(ROSTER_LOCK_PATH, "wx");
     closeSync2(fd);
-    writeFileSync5(ROSTER_LOCK_PATH, String(Date.now()));
+    writeFileSync6(ROSTER_LOCK_PATH, String(Date.now()));
   } catch (err) {
     if (err.code === "EEXIST") {
       try {
-        const ts = parseInt(readFileSync7(ROSTER_LOCK_PATH, "utf-8"), 10);
+        const ts = parseInt(readFileSync8(ROSTER_LOCK_PATH, "utf-8"), 10);
         if (Date.now() - ts < LOCK_STALE_MS) {
           throw new Error("Roster merge already in progress \u2014 another sync is running");
         }
         unlinkSync5(ROSTER_LOCK_PATH);
         const fd = openSync2(ROSTER_LOCK_PATH, "wx");
         closeSync2(fd);
-        writeFileSync5(ROSTER_LOCK_PATH, String(Date.now()));
+        writeFileSync6(ROSTER_LOCK_PATH, String(Date.now()));
       } catch (retryErr) {
         if (retryErr instanceof Error && retryErr.message.includes("already in progress")) throw retryErr;
         throw new Error("Roster merge already in progress \u2014 another sync is running");
@@ -4141,6 +4400,10 @@ async function cloudSync(config) {
     const maxVersion = Number(records[records.length - 1].version);
     const pushOk = await cloudPush(records, maxVersion, config);
     if (!pushOk) break;
+    try {
+      await pushToPostgres(records);
+    } catch {
+    }
     await client.execute({
       sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('last_cloud_push_version', ?)",
       args: [String(maxVersion)]
@@ -4245,8 +4508,8 @@ async function cloudSync(config) {
   try {
     const employees = await loadEmployees();
     rosterResult.employees = employees.length;
-    const idDir = path10.join(EXE_AI_DIR, "identity");
-    if (existsSync9(idDir)) {
+    const idDir = path11.join(EXE_AI_DIR, "identity");
+    if (existsSync11(idDir)) {
       rosterResult.identities = readdirSync(idDir).filter((f) => f.endsWith(".md")).length;
     }
   } catch {
@@ -4267,62 +4530,62 @@ async function cloudSync(config) {
 function recordRosterDeletion(name) {
   let deletions = [];
   try {
-    if (existsSync9(ROSTER_DELETIONS_PATH)) {
-      deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
+    if (existsSync11(ROSTER_DELETIONS_PATH)) {
+      deletions = JSON.parse(readFileSync8(ROSTER_DELETIONS_PATH, "utf-8"));
     }
   } catch {
   }
   if (!deletions.includes(name)) deletions.push(name);
-  writeFileSync5(ROSTER_DELETIONS_PATH, JSON.stringify(deletions));
+  writeFileSync6(ROSTER_DELETIONS_PATH, JSON.stringify(deletions));
 }
 function consumeRosterDeletions() {
   try {
-    if (!existsSync9(ROSTER_DELETIONS_PATH)) return [];
-    const deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
-    writeFileSync5(ROSTER_DELETIONS_PATH, "[]");
+    if (!existsSync11(ROSTER_DELETIONS_PATH)) return [];
+    const deletions = JSON.parse(readFileSync8(ROSTER_DELETIONS_PATH, "utf-8"));
+    writeFileSync6(ROSTER_DELETIONS_PATH, "[]");
     return deletions;
   } catch {
     return [];
   }
 }
 function buildRosterBlob(paths) {
-  const rosterPath = paths?.rosterPath ?? path10.join(EXE_AI_DIR, "exe-employees.json");
-  const identityDir = paths?.identityDir ?? path10.join(EXE_AI_DIR, "identity");
-  const configPath = paths?.configPath ?? path10.join(EXE_AI_DIR, "config.json");
+  const rosterPath = paths?.rosterPath ?? path11.join(EXE_AI_DIR, "exe-employees.json");
+  const identityDir = paths?.identityDir ?? path11.join(EXE_AI_DIR, "identity");
+  const configPath = paths?.configPath ?? path11.join(EXE_AI_DIR, "config.json");
   let roster = [];
-  if (existsSync9(rosterPath)) {
+  if (existsSync11(rosterPath)) {
     try {
-      roster = JSON.parse(readFileSync7(rosterPath, "utf-8"));
+      roster = JSON.parse(readFileSync8(rosterPath, "utf-8"));
     } catch {
     }
   }
   const identities = {};
-  if (existsSync9(identityDir)) {
+  if (existsSync11(identityDir)) {
     for (const file of readdirSync(identityDir).filter((f) => f.endsWith(".md"))) {
       try {
-        identities[file] = readFileSync7(path10.join(identityDir, file), "utf-8");
+        identities[file] = readFileSync8(path11.join(identityDir, file), "utf-8");
       } catch {
       }
     }
   }
   let config;
-  if (existsSync9(configPath)) {
+  if (existsSync11(configPath)) {
     try {
-      config = JSON.parse(readFileSync7(configPath, "utf-8"));
+      config = JSON.parse(readFileSync8(configPath, "utf-8"));
     } catch {
     }
   }
   let agentConfig;
-  const agentConfigPath = path10.join(EXE_AI_DIR, "agent-config.json");
-  if (existsSync9(agentConfigPath)) {
+  const agentConfigPath = path11.join(EXE_AI_DIR, "agent-config.json");
+  if (existsSync11(agentConfigPath)) {
     try {
-      agentConfig = JSON.parse(readFileSync7(agentConfigPath, "utf-8"));
+      agentConfig = JSON.parse(readFileSync8(agentConfigPath, "utf-8"));
     } catch {
     }
   }
   const deletedNames = consumeRosterDeletions();
   const content = JSON.stringify({ roster, identities, config, agentConfig, deletedNames });
-  const hash = crypto2.createHash("sha256").update(content).digest("hex").slice(0, 16);
+  const hash = crypto3.createHash("sha256").update(content).digest("hex").slice(0, 16);
   return { roster, identities, config, agentConfig, deletedNames, version: hash };
 }
 async function cloudPushRoster(config) {
@@ -4392,23 +4655,24 @@ async function cloudPullRoster(config) {
   }
 }
 function mergeConfig(remoteConfig, configPath) {
-  const cfgPath = configPath ?? path10.join(EXE_AI_DIR, "config.json");
+  const cfgPath = configPath ?? path11.join(EXE_AI_DIR, "config.json");
   let local = {};
-  if (existsSync9(cfgPath)) {
+  if (existsSync11(cfgPath)) {
     try {
-      local = JSON.parse(readFileSync7(cfgPath, "utf-8"));
+      local = JSON.parse(readFileSync8(cfgPath, "utf-8"));
     } catch {
     }
   }
   const merged = { ...remoteConfig, ...local };
-  const dir = path10.dirname(cfgPath);
-  if (!existsSync9(dir)) mkdirSync4(dir, { recursive: true });
-  writeFileSync5(cfgPath, JSON.stringify(merged, null, 2), "utf-8");
+  const dir = path11.dirname(cfgPath);
+  ensurePrivateDirSync(dir);
+  writeFileSync6(cfgPath, JSON.stringify(merged, null, 2), "utf-8");
+  enforcePrivateFileSync(cfgPath);
 }
 async function mergeRosterFromRemote(remote, paths) {
   return withRosterLock(async () => {
     const rosterPath = paths?.rosterPath ?? void 0;
-    const identityDir = paths?.identityDir ?? path10.join(EXE_AI_DIR, "identity");
+    const identityDir = paths?.identityDir ?? path11.join(EXE_AI_DIR, "identity");
     const localEmployees = await loadEmployees(rosterPath);
     const localNames = new Set(localEmployees.map((e) => e.name));
     let added = 0;
@@ -4429,15 +4693,15 @@ async function mergeRosterFromRemote(remote, paths) {
       ) ?? lookupKey;
       const remoteIdentity = remote.identities[matchedKey];
       if (remoteIdentity) {
-        if (!existsSync9(identityDir)) mkdirSync4(identityDir, { recursive: true });
-        const idPath = path10.join(identityDir, `${remoteEmp.name}.md`);
+        if (!existsSync11(identityDir)) mkdirSync4(identityDir, { recursive: true });
+        const idPath = path11.join(identityDir, `${remoteEmp.name}.md`);
         let localIdentity = null;
         try {
-          localIdentity = existsSync9(idPath) ? readFileSync7(idPath, "utf-8") : null;
+          localIdentity = existsSync11(idPath) ? readFileSync8(idPath, "utf-8") : null;
         } catch {
         }
         if (localIdentity !== remoteIdentity) {
-          writeFileSync5(idPath, remoteIdentity, "utf-8");
+          writeFileSync6(idPath, remoteIdentity, "utf-8");
           identitiesUpdated++;
         }
       }
@@ -4463,16 +4727,18 @@ async function mergeRosterFromRemote(remote, paths) {
     }
     if (remote.agentConfig && Object.keys(remote.agentConfig).length > 0) {
       try {
-        const agentConfigPath = path10.join(EXE_AI_DIR, "agent-config.json");
+        const agentConfigPath = path11.join(EXE_AI_DIR, "agent-config.json");
         let local = {};
-        if (existsSync9(agentConfigPath)) {
+        if (existsSync11(agentConfigPath)) {
           try {
-            local = JSON.parse(readFileSync7(agentConfigPath, "utf-8"));
+            local = JSON.parse(readFileSync8(agentConfigPath, "utf-8"));
           } catch {
           }
         }
         const merged = { ...remote.agentConfig, ...local };
-        writeFileSync5(agentConfigPath, JSON.stringify(merged, null, 2) + "\n", "utf-8");
+        ensurePrivateDirSync(path11.dirname(agentConfigPath));
+        writeFileSync6(agentConfigPath, JSON.stringify(merged, null, 2) + "\n", "utf-8");
+        enforcePrivateFileSync(agentConfigPath);
       } catch {
       }
     }
@@ -4896,7 +5162,7 @@ async function cloudPullDocuments(config) {
   }
   return { pulled };
 }
-var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, ROSTER_DELETIONS_PATH;
+var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, ROSTER_DELETIONS_PATH;
 var init_cloud_sync = __esm({
   "src/lib/cloud-sync.ts"() {
     "use strict";
@@ -4907,12 +5173,15 @@ var init_cloud_sync = __esm({
     init_config();
     init_crdt_sync();
     init_employees();
+    init_secure_files();
     LOCALHOST_PATTERNS = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
     FETCH_TIMEOUT_MS = 3e4;
     PUSH_BATCH_SIZE = 5e3;
-    ROSTER_LOCK_PATH = path10.join(EXE_AI_DIR, "roster-merge.lock");
+    ROSTER_LOCK_PATH = path11.join(EXE_AI_DIR, "roster-merge.lock");
     LOCK_STALE_MS = 3e4;
-    ROSTER_DELETIONS_PATH = path10.join(EXE_AI_DIR, "roster-deletions.json");
+    _pgPromise = null;
+    _pgFailed = false;
+    ROSTER_DELETIONS_PATH = path11.join(EXE_AI_DIR, "roster-deletions.json");
   }
 });
 
@@ -4922,37 +5191,39 @@ __export(preferences_exports, {
   loadPreferences: () => loadPreferences,
   savePreferences: () => savePreferences
 });
-import { existsSync as existsSync10, readFileSync as readFileSync8, writeFileSync as writeFileSync6, mkdirSync as mkdirSync5 } from "fs";
-import path11 from "path";
-import os6 from "os";
-function loadPreferences(homeDir = os6.homedir()) {
-  const configPath = path11.join(homeDir, ".exe-os", "config.json");
-  if (!existsSync10(configPath)) return {};
+import { existsSync as existsSync12, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
+import path12 from "path";
+import os7 from "os";
+function loadPreferences(homeDir = os7.homedir()) {
+  const configPath = path12.join(homeDir, ".exe-os", "config.json");
+  if (!existsSync12(configPath)) return {};
   try {
-    const config = JSON.parse(readFileSync8(configPath, "utf-8"));
+    const config = JSON.parse(readFileSync9(configPath, "utf-8"));
     return config.preferences ?? {};
   } catch {
     return {};
   }
 }
-function savePreferences(prefs, homeDir = os6.homedir()) {
-  const configDir = path11.join(homeDir, ".exe-os");
-  const configPath = path11.join(configDir, "config.json");
-  mkdirSync5(configDir, { recursive: true });
+function savePreferences(prefs, homeDir = os7.homedir()) {
+  const configDir = path12.join(homeDir, ".exe-os");
+  const configPath = path12.join(configDir, "config.json");
+  ensurePrivateDirSync(configDir);
   let config = {};
-  if (existsSync10(configPath)) {
+  if (existsSync12(configPath)) {
     try {
-      config = JSON.parse(readFileSync8(configPath, "utf-8"));
+      config = JSON.parse(readFileSync9(configPath, "utf-8"));
     } catch {
       config = {};
     }
   }
   config.preferences = prefs;
-  writeFileSync6(configPath, JSON.stringify(config, null, 2) + "\n");
+  writeFileSync7(configPath, JSON.stringify(config, null, 2) + "\n");
+  enforcePrivateFileSync(configPath);
 }
 var init_preferences = __esm({
   "src/lib/preferences.ts"() {
     "use strict";
+    init_secure_files();
   }
 });
 
@@ -5723,17 +5994,17 @@ __export(identity_exports, {
   listIdentities: () => listIdentities,
   updateIdentity: () => updateIdentity
 });
-import { existsSync as existsSync11, mkdirSync as mkdirSync6, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
+import { existsSync as existsSync13, mkdirSync as mkdirSync5, readFileSync as readFileSync10, writeFileSync as writeFileSync8 } from "fs";
 import { readdirSync as readdirSync2 } from "fs";
-import path12 from "path";
+import path13 from "path";
 import { createHash as createHash2 } from "crypto";
 function ensureDir() {
-  if (!existsSync11(IDENTITY_DIR2)) {
-    mkdirSync6(IDENTITY_DIR2, { recursive: true });
+  if (!existsSync13(IDENTITY_DIR2)) {
+    mkdirSync5(IDENTITY_DIR2, { recursive: true });
   }
 }
 function identityPath(agentId) {
-  return path12.join(IDENTITY_DIR2, `${agentId}.md`);
+  return path13.join(IDENTITY_DIR2, `${agentId}.md`);
 }
 function parseFrontmatter(raw) {
   const match = raw.match(/^---\n([\s\S]*?)\n---\n([\s\S]*)$/);
@@ -5774,8 +6045,8 @@ function contentHash(content) {
 }
 function getIdentity(agentId) {
   const filePath = identityPath(agentId);
-  if (!existsSync11(filePath)) return null;
-  const raw = readFileSync9(filePath, "utf-8");
+  if (!existsSync13(filePath)) return null;
+  const raw = readFileSync10(filePath, "utf-8");
   const { frontmatter, body } = parseFrontmatter(raw);
   return {
     agentId,
@@ -5789,7 +6060,7 @@ async function updateIdentity(agentId, content, updatedBy) {
   ensureDir();
   const filePath = identityPath(agentId);
   const hash = contentHash(content);
-  writeFileSync7(filePath, content, "utf-8");
+  writeFileSync8(filePath, content, "utf-8");
   try {
     const client = getClient();
     await client.execute({
@@ -5845,7 +6116,7 @@ var init_identity = __esm({
     "use strict";
     init_config();
     init_database();
-    IDENTITY_DIR2 = path12.join(EXE_AI_DIR, "identity");
+    IDENTITY_DIR2 = path13.join(EXE_AI_DIR, "identity");
   }
 });
 
@@ -6396,36 +6667,36 @@ __export(session_wrappers_exports, {
   generateSessionWrappers: () => generateSessionWrappers
 });
 import {
-  existsSync as existsSync12,
-  readFileSync as readFileSync10,
-  writeFileSync as writeFileSync8,
-  mkdirSync as mkdirSync7,
-  chmodSync,
+  existsSync as existsSync14,
+  readFileSync as readFileSync11,
+  writeFileSync as writeFileSync9,
+  mkdirSync as mkdirSync6,
+  chmodSync as chmodSync2,
   readdirSync as readdirSync3,
   unlinkSync as unlinkSync6
 } from "fs";
-import path13 from "path";
+import path14 from "path";
 import { homedir as homedir3 } from "os";
 function generateSessionWrappers(packageRoot, homeDir) {
   const home = homeDir ?? homedir3();
-  const binDir = path13.join(home, ".exe-os", "bin");
-  const rosterPath = path13.join(home, ".exe-os", "exe-employees.json");
-  mkdirSync7(binDir, { recursive: true });
-  const exeStartDst = path13.join(binDir, "exe-start");
+  const binDir = path14.join(home, ".exe-os", "bin");
+  const rosterPath = path14.join(home, ".exe-os", "exe-employees.json");
+  mkdirSync6(binDir, { recursive: true });
+  const exeStartDst = path14.join(binDir, "exe-start");
   const candidates = [
-    path13.join(packageRoot, "dist", "bin", "exe-start.sh"),
-    path13.join(packageRoot, "src", "bin", "exe-start.sh")
+    path14.join(packageRoot, "dist", "bin", "exe-start.sh"),
+    path14.join(packageRoot, "src", "bin", "exe-start.sh")
   ];
   for (const src of candidates) {
-    if (existsSync12(src)) {
-      writeFileSync8(exeStartDst, readFileSync10(src));
-      chmodSync(exeStartDst, 493);
+    if (existsSync14(src)) {
+      writeFileSync9(exeStartDst, readFileSync11(src));
+      chmodSync2(exeStartDst, 493);
       break;
     }
   }
   let employees = [];
   try {
-    employees = JSON.parse(readFileSync10(rosterPath, "utf8"));
+    employees = JSON.parse(readFileSync11(rosterPath, "utf8"));
   } catch {
     return { created: 0, pathConfigured: false };
   }
@@ -6435,9 +6706,9 @@ function generateSessionWrappers(packageRoot, homeDir) {
   try {
     for (const f of readdirSync3(binDir)) {
       if (f === "exe-start") continue;
-      const fPath = path13.join(binDir, f);
+      const fPath = path14.join(binDir, f);
       try {
-        const content = readFileSync10(fPath, "utf8");
+        const content = readFileSync11(fPath, "utf8");
         if (content.includes("exe-start")) {
           unlinkSync6(fPath);
         }
@@ -6452,31 +6723,31 @@ exec "${exeStartDst}" "$0" "$@"
 `;
   for (const emp of employees) {
     for (let n = 1; n <= MAX_N; n++) {
-      const wrapperPath = path13.join(binDir, `${emp.name}${n}`);
-      writeFileSync8(wrapperPath, wrapperContent);
-      chmodSync(wrapperPath, 493);
+      const wrapperPath = path14.join(binDir, `${emp.name}${n}`);
+      writeFileSync9(wrapperPath, wrapperContent);
+      chmodSync2(wrapperPath, 493);
       created++;
     }
   }
   const codexLauncherCandidates = [
-    path13.join(packageRoot, "dist", "bin", "exe-start-codex.js"),
-    path13.join(packageRoot, "src", "bin", "exe-start-codex.ts")
+    path14.join(packageRoot, "dist", "bin", "exe-start-codex.js"),
+    path14.join(packageRoot, "src", "bin", "exe-start-codex.ts")
   ];
   let codexLauncher = null;
   for (const c of codexLauncherCandidates) {
-    if (existsSync12(c)) {
+    if (existsSync14(c)) {
       codexLauncher = c;
       break;
     }
   }
   if (codexLauncher) {
     for (const emp of employees) {
-      const wrapperPath = path13.join(binDir, `${emp.name}-codex`);
+      const wrapperPath = path14.join(binDir, `${emp.name}-codex`);
       const content = `#!/bin/bash
 exec node "${codexLauncher}" --agent ${emp.name} "$@"
 `;
-      writeFileSync8(wrapperPath, content);
-      chmodSync(wrapperPath, 493);
+      writeFileSync9(wrapperPath, content);
+      chmodSync2(wrapperPath, 493);
       created++;
     }
   }
@@ -6494,24 +6765,24 @@ export PATH="${binDir}:$PATH"
   const shell = process.env.SHELL ?? "/bin/bash";
   const profilePaths = [];
   if (shell.includes("zsh")) {
-    profilePaths.push(path13.join(home, ".zshrc"));
+    profilePaths.push(path14.join(home, ".zshrc"));
   } else if (shell.includes("bash")) {
-    profilePaths.push(path13.join(home, ".bashrc"));
-    profilePaths.push(path13.join(home, ".bash_profile"));
+    profilePaths.push(path14.join(home, ".bashrc"));
+    profilePaths.push(path14.join(home, ".bash_profile"));
   } else {
-    profilePaths.push(path13.join(home, ".profile"));
+    profilePaths.push(path14.join(home, ".profile"));
   }
   for (const profilePath of profilePaths) {
     try {
       let content = "";
       try {
-        content = readFileSync10(profilePath, "utf8");
+        content = readFileSync11(profilePath, "utf8");
       } catch {
       }
       if (content.includes(".exe-os/bin")) {
         return false;
       }
-      writeFileSync8(profilePath, content + exportLine);
+      writeFileSync9(profilePath, content + exportLine);
       return true;
     } catch {
       continue;
@@ -6530,14 +6801,14 @@ var init_session_wrappers = __esm({
 // src/lib/setup-wizard.ts
 init_config();
 init_keychain();
-import crypto3 from "crypto";
-import { existsSync as existsSync13, mkdirSync as mkdirSync8, readFileSync as readFileSync11, writeFileSync as writeFileSync9, unlinkSync as unlinkSync7 } from "fs";
-import os7 from "os";
-import path14 from "path";
+import crypto4 from "crypto";
+import { existsSync as existsSync15, mkdirSync as mkdirSync7, readFileSync as readFileSync12, writeFileSync as writeFileSync10, unlinkSync as unlinkSync7 } from "fs";
+import os8 from "os";
+import path15 from "path";
 import { createInterface } from "readline";
 
 // src/lib/model-downloader.ts
-import { createWriteStream, createReadStream, existsSync as existsSync3, unlinkSync, renameSync as renameSync2 } from "fs";
+import { createWriteStream, createReadStream, existsSync as existsSync4, unlinkSync, renameSync as renameSync2 } from "fs";
 import { mkdir as mkdir3 } from "fs/promises";
 import { createHash } from "crypto";
 import path3 from "path";
@@ -6550,7 +6821,7 @@ async function downloadModel(opts) {
   const destPath = path3.join(destDir, LOCAL_FILENAME);
   const tmpPath = destPath + ".tmp";
   await mkdir3(destDir, { recursive: true });
-  if (existsSync3(destPath)) {
+  if (existsSync4(destPath)) {
     const hash = await fileHash(destPath);
     if (hash === EXPECTED_SHA256) {
       return destPath;
@@ -6562,7 +6833,7 @@ async function downloadModel(opts) {
   let downloaded = 0;
   for (let attempt = 1; attempt <= MAX_RETRIES2; attempt++) {
     try {
-      if (existsSync3(tmpPath)) unlinkSync(tmpPath);
+      if (existsSync4(tmpPath)) unlinkSync(tmpPath);
       const response = await fetchFn(GGUF_URL, {
         redirect: "follow",
         signal: AbortSignal.timeout(DOWNLOAD_TIMEOUT_MS)
@@ -6607,7 +6878,7 @@ async function downloadModel(opts) {
         process.stderr.write(`
 Download attempt ${attempt} failed, retrying...
 `);
-        if (existsSync3(tmpPath)) unlinkSync(tmpPath);
+        if (existsSync4(tmpPath)) unlinkSync(tmpPath);
       }
     }
   }
@@ -6625,32 +6896,32 @@ async function fileHash(filePath) {
 
 // src/lib/setup-wizard.ts
 function findPackageRoot2() {
-  let dir = path14.dirname(new URL(import.meta.url).pathname);
-  const root = path14.parse(dir).root;
+  let dir = path15.dirname(new URL(import.meta.url).pathname);
+  const root = path15.parse(dir).root;
   while (dir !== root) {
-    const pkgPath = path14.join(dir, "package.json");
-    if (existsSync13(pkgPath)) {
+    const pkgPath = path15.join(dir, "package.json");
+    if (existsSync15(pkgPath)) {
       try {
-        const pkg = JSON.parse(readFileSync11(pkgPath, "utf-8"));
+        const pkg = JSON.parse(readFileSync12(pkgPath, "utf-8"));
         if (pkg.name === "@askexenow/exe-os" || pkg.name === "exe-os") return dir;
       } catch {
       }
     }
-    dir = path14.dirname(dir);
+    dir = path15.dirname(dir);
   }
   return null;
 }
-var SETUP_STATE_PATH = path14.join(os7.homedir(), ".exe-os", "setup-state.json");
+var SETUP_STATE_PATH = path15.join(os8.homedir(), ".exe-os", "setup-state.json");
 function loadSetupState() {
   try {
-    return JSON.parse(readFileSync11(SETUP_STATE_PATH, "utf8"));
+    return JSON.parse(readFileSync12(SETUP_STATE_PATH, "utf8"));
   } catch {
     return { completedSteps: [], startedAt: (/* @__PURE__ */ new Date()).toISOString() };
   }
 }
 function saveSetupState(state) {
-  mkdirSync8(path14.dirname(SETUP_STATE_PATH), { recursive: true });
-  writeFileSync9(SETUP_STATE_PATH, JSON.stringify(state, null, 2));
+  mkdirSync7(path15.dirname(SETUP_STATE_PATH), { recursive: true });
+  writeFileSync10(SETUP_STATE_PATH, JSON.stringify(state, null, 2));
 }
 function clearSetupState() {
   try {
@@ -6669,10 +6940,10 @@ function ask(rl, prompt) {
   });
 }
 function getAvailableMemoryGB() {
-  return os7.freemem() / (1024 * 1024 * 1024);
+  return os8.freemem() / (1024 * 1024 * 1024);
 }
 function getTotalMemoryGB() {
-  return os7.totalmem() / (1024 * 1024 * 1024);
+  return os8.totalmem() / (1024 * 1024 * 1024);
 }
 function isLowMemory() {
   return getAvailableMemoryGB() < 2;
@@ -6683,8 +6954,8 @@ async function validateModel(log) {
   if (totalGB <= 8 || isLowMemory()) {
     log(`System memory: ${totalGB.toFixed(0)}GB total, ${freeGB.toFixed(1)}GB free`);
     log("Skipping in-memory model validation (low memory \u2014 will validate on first use).");
-    const modelPath = path14.join(MODELS_DIR, LOCAL_FILENAME);
-    if (existsSync13(modelPath)) {
+    const modelPath = path15.join(MODELS_DIR, LOCAL_FILENAME);
+    if (existsSync15(modelPath)) {
       const { statSync: statSync2 } = await import("fs");
       const size = statSync2(modelPath).size;
       if (size > 300 * 1e6) {
@@ -6775,7 +7046,7 @@ async function runSetupWizard(opts = {}) {
     if (state.completedSteps.length > 0) {
       log(`Resuming setup from step ${Math.max(...state.completedSteps) + 1}...`);
     }
-    if (existsSync13(LEGACY_LANCE_PATH)) {
+    if (existsSync15(LEGACY_LANCE_PATH)) {
       log("\u26A0 Found v1.0 LanceDB at ~/.exe-os/local.lance");
       log("  v1.1 uses libSQL (SQLite). Your existing memories are not automatically migrated.");
       log("  The old directory will not be modified or deleted.");
@@ -6787,7 +7058,7 @@ async function runSetupWizard(opts = {}) {
         log("Encryption key already exists \u2014 skipping generation.");
       } else {
         log("Generating 256-bit encryption key...");
-        const key = crypto3.randomBytes(32);
+        const key = crypto4.randomBytes(32);
         await setMasterKey(key);
         log("Encryption key generated and stored securely.");
       }
@@ -6939,19 +7210,19 @@ async function runSetupWizard(opts = {}) {
       await saveConfig(config);
       log("");
       try {
-        const claudeJsonPath = path14.join(os7.homedir(), ".claude.json");
+        const claudeJsonPath = path15.join(os8.homedir(), ".claude.json");
         let claudeJson = {};
         try {
-          claudeJson = JSON.parse(readFileSync11(claudeJsonPath, "utf8"));
+          claudeJson = JSON.parse(readFileSync12(claudeJsonPath, "utf8"));
         } catch {
         }
         if (!claudeJson.projects) claudeJson.projects = {};
         const projects = claudeJson.projects;
-        for (const dir of [process.cwd(), os7.homedir()]) {
+        for (const dir of [process.cwd(), os8.homedir()]) {
           if (!projects[dir]) projects[dir] = {};
           projects[dir].hasTrustDialogAccepted = true;
         }
-        writeFileSync9(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+        writeFileSync10(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
       } catch {
       }
       state.completedSteps.push(5);
@@ -6965,7 +7236,7 @@ async function runSetupWizard(opts = {}) {
       const prefs = { ...existingPrefs };
       log("=== Config Defaults ===");
       log("");
-      const ghosttyDetected = existsSync13(path14.join(os7.homedir(), ".config", "ghostty")) || existsSync13(path14.join(os7.homedir(), "Library", "Application Support", "com.mitchellh.ghostty"));
+      const ghosttyDetected = existsSync15(path15.join(os8.homedir(), ".config", "ghostty")) || existsSync15(path15.join(os8.homedir(), "Library", "Application Support", "com.mitchellh.ghostty"));
       if (ghosttyDetected) {
         const ghosttyAnswer = await ask(rl, "Detected Ghostty terminal. Use exe-os Ghostty defaults? (Y/n) ");
         prefs.ghostty = ghosttyAnswer.toLowerCase() !== "n";
@@ -7012,7 +7283,7 @@ async function runSetupWizard(opts = {}) {
       let missingIdentities = [];
       for (const emp of roster) {
         const idPath = identityPath2(emp.name);
-        if (!existsSync13(idPath)) {
+        if (!existsSync15(idPath)) {
           missingIdentities.push(emp.name);
         }
       }
@@ -7044,7 +7315,7 @@ async function runSetupWizard(opts = {}) {
           }
           missingIdentities = [];
           for (const emp of roster) {
-            if (!existsSync13(identityPath2(emp.name))) {
+            if (!existsSync15(identityPath2(emp.name))) {
               missingIdentities.push(emp.name);
             }
           }
@@ -7109,9 +7380,9 @@ async function runSetupWizard(opts = {}) {
       const cooIdentityContent = getIdentityTemplate("coo");
       if (cooIdentityContent) {
         const cooIdPath = identityPath2(cooName);
-        mkdirSync8(path14.dirname(cooIdPath), { recursive: true });
+        mkdirSync7(path15.dirname(cooIdPath), { recursive: true });
         const replaced = cooIdentityContent.replace(/agent_id:\s*exe/g, `agent_id: ${cooName}`).replace(/\$\{agent_id\}/g, cooName);
-        writeFileSync9(cooIdPath, replaced, "utf-8");
+        writeFileSync10(cooIdPath, replaced, "utf-8");
       }
       registerBinSymlinks2(cooName);
       createdEmployees.push({ name: cooName, role: "COO" });
@@ -7205,9 +7476,9 @@ async function runSetupWizard(opts = {}) {
       const ctoIdentityContent = getIdentityTemplate("cto");
       if (ctoIdentityContent) {
         const ctoIdPath = identityPath2(ctoName);
-        mkdirSync8(path14.dirname(ctoIdPath), { recursive: true });
+        mkdirSync7(path15.dirname(ctoIdPath), { recursive: true });
         const replaced = ctoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${ctoName}`).replace(/\$\{agent_id\}/g, ctoName);
-        writeFileSync9(ctoIdPath, replaced, "utf-8");
+        writeFileSync10(ctoIdPath, replaced, "utf-8");
       }
       registerBinSymlinks2(ctoName);
       createdEmployees.push({ name: ctoName, role: "CTO" });
@@ -7228,9 +7499,9 @@ async function runSetupWizard(opts = {}) {
       const cmoIdentityContent = getIdentityTemplate("cmo");
       if (cmoIdentityContent) {
         const cmoIdPath = identityPath2(cmoName);
-        mkdirSync8(path14.dirname(cmoIdPath), { recursive: true });
+        mkdirSync7(path15.dirname(cmoIdPath), { recursive: true });
         const replaced = cmoIdentityContent.replace(/agent_id:\s*\w+/g, `agent_id: ${cmoName}`).replace(/\$\{agent_id\}/g, cmoName);
-        writeFileSync9(cmoIdPath, replaced, "utf-8");
+        writeFileSync10(cmoIdPath, replaced, "utf-8");
       }
       registerBinSymlinks2(cmoName);
       createdEmployees.push({ name: cmoName, role: "CMO" });
@@ -7252,7 +7523,7 @@ async function runSetupWizard(opts = {}) {
             log(`Session shortcuts generated (${cooName}1, ${cooName}2, ...)`);
           }
           if (wrapResult.pathConfigured) {
-            const binDir = path14.join(os7.homedir(), ".exe-os", "bin");
+            const binDir = path15.join(os8.homedir(), ".exe-os", "bin");
             process.env.PATH = `${binDir}:${process.env.PATH ?? ""}`;
             pathJustConfigured = true;
           }
@@ -7295,7 +7566,7 @@ async function runSetupWizard(opts = {}) {
     const pkgRoot2 = findPackageRoot2();
     if (pkgRoot2) {
       try {
-        version = JSON.parse(readFileSync11(path14.join(pkgRoot2, "package.json"), "utf-8")).version;
+        version = JSON.parse(readFileSync12(path15.join(pkgRoot2, "package.json"), "utf-8")).version;
       } catch {
       }
     }