@askexenow/exe-os 0.9.8 → 0.9.9

package/dist/hooks/error-recall.js

@@ -8,6 +8,44 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/lib/secure-files.ts
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { chmod, mkdir } from "fs/promises";
+async function ensurePrivateDir(dirPath) {
+  await mkdir(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    await chmod(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+function ensurePrivateDirSync(dirPath) {
+  mkdirSync(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    chmodSync(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+async function enforcePrivateFile(filePath) {
+  try {
+    await chmod(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+function enforcePrivateFileSync(filePath) {
+  try {
+    if (existsSync(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+var PRIVATE_DIR_MODE, PRIVATE_FILE_MODE;
+var init_secure_files = __esm({
+  "src/lib/secure-files.ts"() {
+    "use strict";
+    PRIVATE_DIR_MODE = 448;
+    PRIVATE_FILE_MODE = 384;
+  }
+});
+
 // src/lib/config.ts
 var config_exports = {};
 __export(config_exports, {
@@ -24,8 +62,8 @@ __export(config_exports, {
   migrateConfig: () => migrateConfig,
   saveConfig: () => saveConfig
 });
-import { readFile, writeFile, mkdir, chmod } from "fs/promises";
-import { readFileSync, existsSync, renameSync } from "fs";
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
 import path from "path";
 import os from "os";
 function resolveDataDir() {
@@ -33,7 +71,7 @@ function resolveDataDir() {
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
   const newDir = path.join(os.homedir(), ".exe-os");
   const legacyDir = path.join(os.homedir(), ".exe-mem");
-  if (!existsSync(newDir) && existsSync(legacyDir)) {
+  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
       process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
@@ -96,9 +134,9 @@ function normalizeAutoUpdate(raw) {
 }
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path.join(dir, "config.json");
-  if (!existsSync(configPath)) {
+  if (!existsSync2(configPath)) {
     return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
   }
   const raw = await readFile(configPath, "utf-8");
@@ -111,6 +149,7 @@ async function loadConfig() {
 `);
       try {
         await writeFile(configPath, JSON.stringify(migratedCfg, null, 2) + "\n");
+        await enforcePrivateFile(configPath);
       } catch {
       }
     }
@@ -129,7 +168,7 @@ async function loadConfig() {
 function loadConfigSync() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   const configPath = path.join(dir, "config.json");
-  if (!existsSync(configPath)) {
+  if (!existsSync2(configPath)) {
     return { ...DEFAULT_CONFIG, dbPath: path.join(dir, "memories.db") };
   }
   try {
@@ -147,12 +186,10 @@ function loadConfigSync() {
 }
 async function saveConfig(config) {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path.join(dir, "config.json");
   await writeFile(configPath, JSON.stringify(config, null, 2) + "\n");
-  if (config.cloud?.apiKey) {
-    await chmod(configPath, 384);
-  }
+  await enforcePrivateFile(configPath);
 }
 async function loadConfigFrom(configPath) {
   const raw = await readFile(configPath, "utf-8");
@@ -172,6 +209,7 @@ var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CON
 var init_config = __esm({
   "src/lib/config.ts"() {
     "use strict";
+    init_secure_files();
     EXE_AI_DIR = resolveDataDir();
     DB_PATH = path.join(EXE_AI_DIR, "memories.db");
     MODELS_DIR = path.join(EXE_AI_DIR, "models");
@@ -314,7 +352,7 @@ var init_db_retry = __esm({
 
 // src/lib/employees.ts
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync2, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
 import { execSync } from "child_process";
 import path2 from "path";
 import os2 from "os";
@@ -331,7 +369,7 @@ function getCoordinatorName(employees = loadEmployeesSync()) {
   return getCoordinatorEmployee(employees)?.name ?? DEFAULT_COORDINATOR_TEMPLATE_NAME;
 }
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync2(employeesPath)) return [];
+  if (!existsSync3(employeesPath)) return [];
   try {
     return JSON.parse(readFileSync2(employeesPath, "utf-8"));
   } catch {
@@ -1279,6 +1317,7 @@ async function ensureSchema() {
       project     TEXT NOT NULL,
       summary     TEXT NOT NULL,
       task_file   TEXT,
+      session_scope TEXT,
       read        INTEGER NOT NULL DEFAULT 0,
       created_at  TEXT NOT NULL
     );
@@ -1287,7 +1326,7 @@ async function ensureSchema() {
       ON notifications(read);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_agent
-      ON notifications(agent_id);
+      ON notifications(agent_id, session_scope);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_task_file
       ON notifications(task_file);
@@ -1325,6 +1364,7 @@ async function ensureSchema() {
       target_agent    TEXT NOT NULL,
       target_project  TEXT,
       target_device   TEXT NOT NULL DEFAULT 'local',
+      session_scope   TEXT,
       content         TEXT NOT NULL,
       priority        TEXT DEFAULT 'normal',
       status          TEXT DEFAULT 'pending',
@@ -1338,10 +1378,31 @@ async function ensureSchema() {
     );
 
     CREATE INDEX IF NOT EXISTS idx_messages_target
-      ON messages(target_agent, status);
+      ON messages(target_agent, session_scope, status);
 
     CREATE INDEX IF NOT EXISTS idx_messages_conversation_order
-      ON messages(target_agent, from_agent, server_seq);
+      ON messages(target_agent, session_scope, from_agent, server_seq);
+  `);
+  try {
+    await client.execute({
+      sql: `ALTER TABLE notifications ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE messages ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE INDEX IF NOT EXISTS idx_notifications_agent_scope_read
+      ON notifications(agent_id, session_scope, read, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_messages_target_scope_status
+      ON messages(target_agent, session_scope, status, created_at);
   `);
   try {
     await client.execute({
@@ -1925,6 +1986,13 @@ async function ensureSchema() {
     } catch {
     }
   }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
 }
 async function disposeDatabase() {
   if (_walCheckpointTimer) {
@@ -1964,7 +2032,7 @@ var init_database = __esm({
 
 // src/lib/keychain.ts
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync3 } from "fs";
+import { existsSync as existsSync4 } from "fs";
 import path4 from "path";
 import os4 from "os";
 function getKeyDir() {
@@ -1992,7 +2060,7 @@ async function getMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (!existsSync3(keyPath)) {
+  if (!existsSync4(keyPath)) {
     process.stderr.write(
       `[keychain] Key not found at ${keyPath} (HOME=${os4.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
 `
@@ -2079,6 +2147,7 @@ var shard_manager_exports = {};
 __export(shard_manager_exports, {
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
+  getOpenShardCount: () => getOpenShardCount,
   getReadyShardClient: () => getReadyShardClient,
   getShardClient: () => getShardClient,
   getShardsDir: () => getShardsDir,
@@ -2088,14 +2157,17 @@ __export(shard_manager_exports, {
   shardExists: () => shardExists
 });
 import path5 from "path";
-import { existsSync as existsSync4, mkdirSync, readdirSync } from "fs";
+import { existsSync as existsSync5, mkdirSync as mkdirSync2, readdirSync } from "fs";
 import { createClient as createClient2 } from "@libsql/client";
 function initShardManager(encryptionKey) {
   _encryptionKey = encryptionKey;
-  if (!existsSync4(SHARDS_DIR)) {
-    mkdirSync(SHARDS_DIR, { recursive: true });
+  if (!existsSync5(SHARDS_DIR)) {
+    mkdirSync2(SHARDS_DIR, { recursive: true });
   }
   _shardingEnabled = true;
+  if (_evictionTimer) clearInterval(_evictionTimer);
+  _evictionTimer = setInterval(evictIdleShards, EVICTION_INTERVAL_MS);
+  _evictionTimer.unref();
 }
 function isShardingEnabled() {
   return _shardingEnabled;
@@ -2112,21 +2184,28 @@ function getShardClient(projectName) {
     throw new Error(`Invalid project name for shard: "${projectName}"`);
   }
   const cached = _shards.get(safeName);
-  if (cached) return cached;
+  if (cached) {
+    _shardLastAccess.set(safeName, Date.now());
+    return cached;
+  }
+  while (_shards.size >= MAX_OPEN_SHARDS) {
+    evictLRU();
+  }
   const dbPath = path5.join(SHARDS_DIR, `${safeName}.db`);
   const client = createClient2({
     url: `file:${dbPath}`,
     encryptionKey: _encryptionKey
   });
   _shards.set(safeName, client);
+  _shardLastAccess.set(safeName, Date.now());
   return client;
 }
 function shardExists(projectName) {
   const safeName = projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
-  return existsSync4(path5.join(SHARDS_DIR, `${safeName}.db`));
+  return existsSync5(path5.join(SHARDS_DIR, `${safeName}.db`));
 }
 function listShards() {
-  if (!existsSync4(SHARDS_DIR)) return [];
+  if (!existsSync5(SHARDS_DIR)) return [];
   return readdirSync(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
 async function ensureShardSchema(client) {
@@ -2178,6 +2257,8 @@ async function ensureShardSchema(client) {
   for (const col of [
     "ALTER TABLE memories ADD COLUMN task_id TEXT",
     "ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN author_device_id TEXT",
+    "ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'",
     "ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5",
     "ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'",
     "ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0",
@@ -2315,21 +2396,69 @@ async function getReadyShardClient(projectName) {
   await ensureShardSchema(client);
   return client;
 }
+function evictLRU() {
+  let oldest = null;
+  let oldestTime = Infinity;
+  for (const [name, time] of _shardLastAccess) {
+    if (time < oldestTime) {
+      oldestTime = time;
+      oldest = name;
+    }
+  }
+  if (oldest) {
+    const client = _shards.get(oldest);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(oldest);
+    _shardLastAccess.delete(oldest);
+  }
+}
+function evictIdleShards() {
+  const now = Date.now();
+  const toEvict = [];
+  for (const [name, lastAccess] of _shardLastAccess) {
+    if (now - lastAccess > SHARD_IDLE_MS) {
+      toEvict.push(name);
+    }
+  }
+  for (const name of toEvict) {
+    const client = _shards.get(name);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(name);
+    _shardLastAccess.delete(name);
+  }
+}
+function getOpenShardCount() {
+  return _shards.size;
+}
 function disposeShards() {
+  if (_evictionTimer) {
+    clearInterval(_evictionTimer);
+    _evictionTimer = null;
+  }
   for (const [, client] of _shards) {
     client.close();
   }
   _shards.clear();
+  _shardLastAccess.clear();
   _shardingEnabled = false;
   _encryptionKey = null;
 }
-var SHARDS_DIR, _shards, _encryptionKey, _shardingEnabled;
+var SHARDS_DIR, SHARD_IDLE_MS, MAX_OPEN_SHARDS, EVICTION_INTERVAL_MS, _shards, _shardLastAccess, _evictionTimer, _encryptionKey, _shardingEnabled;
 var init_shard_manager = __esm({
   "src/lib/shard-manager.ts"() {
     "use strict";
     init_config();
     SHARDS_DIR = path5.join(EXE_AI_DIR, "shards");
+    SHARD_IDLE_MS = 5 * 60 * 1e3;
+    MAX_OPEN_SHARDS = 10;
+    EVICTION_INTERVAL_MS = 60 * 1e3;
     _shards = /* @__PURE__ */ new Map();
+    _shardLastAccess = /* @__PURE__ */ new Map();
+    _evictionTimer = null;
     _encryptionKey = null;
     _shardingEnabled = false;
   }
@@ -3192,7 +3321,7 @@ __export(reranker_exports, {
   rerankWithScores: () => rerankWithScores
 });
 import path6 from "path";
-import { existsSync as existsSync5 } from "fs";
+import { existsSync as existsSync6 } from "fs";
 function resetIdleTimer() {
   if (_idleTimer) clearTimeout(_idleTimer);
   _idleTimer = setTimeout(() => {
@@ -3203,7 +3332,7 @@ function resetIdleTimer() {
   }
 }
 function isRerankerAvailable() {
-  return existsSync5(path6.join(MODELS_DIR, RERANKER_MODEL_FILE));
+  return existsSync6(path6.join(MODELS_DIR, RERANKER_MODEL_FILE));
 }
 function getRerankerModelPath() {
   return path6.join(MODELS_DIR, RERANKER_MODEL_FILE);
@@ -3214,7 +3343,7 @@ async function ensureLoaded() {
     return;
   }
   const modelPath = path6.join(MODELS_DIR, RERANKER_MODEL_FILE);
-  if (!existsSync5(modelPath)) {
+  if (!existsSync6(modelPath)) {
     throw new Error(
       `Reranker model not found at ${modelPath}. Run /exe-setup to download it.`
     );
@@ -3310,13 +3439,50 @@ var init_reranker = __esm({
   }
 });
 
+// src/lib/daemon-auth.ts
+import crypto2 from "crypto";
+import path7 from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+function normalizeToken(token) {
+  if (!token) return null;
+  const trimmed = token.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function readDaemonToken() {
+  try {
+    if (!existsSync7(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function ensureDaemonToken(seed) {
+  const existing = readDaemonToken();
+  if (existing) return existing;
+  const token = normalizeToken(seed) ?? crypto2.randomBytes(32).toString("hex");
+  ensurePrivateDirSync(EXE_AI_DIR);
+  writeFileSync2(DAEMON_TOKEN_PATH, `${token}
+`, "utf8");
+  enforcePrivateFileSync(DAEMON_TOKEN_PATH);
+  return token;
+}
+var DAEMON_TOKEN_PATH;
+var init_daemon_auth = __esm({
+  "src/lib/daemon-auth.ts"() {
+    "use strict";
+    init_config();
+    init_secure_files();
+    DAEMON_TOKEN_PATH = path7.join(EXE_AI_DIR, "exed.token");
+  }
+});
+
 // src/lib/exe-daemon-client.ts
 import net from "net";
 import os5 from "os";
 import { spawn } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
-import { existsSync as existsSync6, unlinkSync as unlinkSync2, readFileSync as readFileSync3, openSync, closeSync, statSync } from "fs";
-import path7 from "path";
+import { existsSync as existsSync8, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
+import path8 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
@@ -3344,9 +3510,9 @@ function handleData(chunk) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync6(PID_PATH)) {
+  if (existsSync8(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync3(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -3367,11 +3533,11 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path7.dirname(fileURLToPath(import.meta.url));
-  const { root } = path7.parse(dir);
+  let dir = path8.dirname(fileURLToPath(import.meta.url));
+  const { root } = path8.parse(dir);
   while (dir !== root) {
-    if (existsSync6(path7.join(dir, "package.json"))) return dir;
-    dir = path7.dirname(dir);
+    if (existsSync8(path8.join(dir, "package.json"))) return dir;
+    dir = path8.dirname(dir);
   }
   return null;
 }
@@ -3397,16 +3563,17 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path7.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync6(daemonPath)) {
+  const daemonPath = path8.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync8(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
   }
   const resolvedPath = daemonPath;
+  const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path7.join(path7.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path8.join(path8.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -3424,7 +3591,8 @@ function spawnDaemon() {
       TMUX_PANE: void 0,
       // Prevents resolveExeSession() from scoping to one session
       EXE_DAEMON_SOCK: SOCKET_PATH,
-      EXE_DAEMON_PID: PID_PATH
+      EXE_DAEMON_PID: PID_PATH,
+      [DAEMON_TOKEN_ENV]: daemonToken
     }
   });
   child.unref();
@@ -3534,13 +3702,14 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
       return;
     }
     const id = randomUUID2();
+    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
     const timer = setTimeout(() => {
       _pending.delete(id);
       resolve({ error: "Request timeout" });
     }, timeoutMs);
     _pending.set(id, { resolve, timer });
     try {
-      _socket.write(JSON.stringify({ id, ...payload }) + "\n");
+      _socket.write(JSON.stringify({ id, token, ...payload }) + "\n");
     } catch {
       clearTimeout(timer);
       _pending.delete(id);
@@ -3569,9 +3738,9 @@ function killAndRespawnDaemon() {
   }
   try {
     process.stderr.write("[exed-client] Killing daemon for restart...\n");
-    if (existsSync6(PID_PATH)) {
+    if (existsSync8(PID_PATH)) {
       try {
-        const pid = parseInt(readFileSync3(PID_PATH, "utf8").trim(), 10);
+        const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
         if (pid > 0) {
           try {
             process.kill(pid, "SIGKILL");
@@ -3688,17 +3857,19 @@ function disconnectClient() {
     entry.resolve({ error: "Client disconnected" });
   }
 }
-var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, _socket, _connected, _buffer, _requestCount, _consecutiveFailures, HEALTH_CHECK_INTERVAL, MAX_RETRIES_BEFORE_RESTART, RETRY_DELAYS_MS, MIN_DAEMON_AGE_MS, _pending, MAX_BUFFER;
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _requestCount, _consecutiveFailures, HEALTH_CHECK_INTERVAL, MAX_RETRIES_BEFORE_RESTART, RETRY_DELAYS_MS, MIN_DAEMON_AGE_MS, _pending, MAX_BUFFER;
 var init_exe_daemon_client = __esm({
   "src/lib/exe-daemon-client.ts"() {
     "use strict";
     init_config();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path7.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path7.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path7.join(EXE_AI_DIR, "exed-spawn.lock");
+    init_daemon_auth();
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path8.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path8.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path8.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
+    DAEMON_TOKEN_ENV = "EXE_DAEMON_TOKEN";
     _socket = null;
     _connected = false;
     _buffer = "";
@@ -3750,10 +3921,10 @@ async function disposeEmbedder() {
 async function embedDirect(text) {
   const llamaCpp = await import("node-llama-cpp");
   const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-  const { existsSync: existsSync8 } = await import("fs");
-  const path11 = await import("path");
-  const modelPath = path11.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
-  if (!existsSync8(modelPath)) {
+  const { existsSync: existsSync10 } = await import("fs");
+  const path12 = await import("path");
+  const modelPath = path12.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
+  if (!existsSync10(modelPath)) {
     throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
   }
   const llama = await llamaCpp.getLlama();
@@ -3788,7 +3959,7 @@ __export(project_name_exports, {
   getProjectName: () => getProjectName
 });
 import { execSync as execSync2 } from "child_process";
-import path8 from "path";
+import path9 from "path";
 function getProjectName(cwd) {
   const dir = cwd ?? process.cwd();
   if (_cached && _cachedCwd === dir) return _cached;
@@ -3801,7 +3972,7 @@ function getProjectName(cwd) {
         timeout: 2e3,
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
-      repoRoot = path8.dirname(gitCommonDir);
+      repoRoot = path9.dirname(gitCommonDir);
     } catch {
       repoRoot = execSync2("git rev-parse --show-toplevel", {
         cwd: dir,
@@ -3810,11 +3981,11 @@ function getProjectName(cwd) {
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
     }
-    _cached = path8.basename(repoRoot);
+    _cached = path9.basename(repoRoot);
     _cachedCwd = dir;
     return _cached;
   } catch {
-    _cached = path8.basename(dir);
+    _cached = path9.basename(dir);
     _cachedCwd = dir;
     return _cached;
   }
@@ -3838,9 +4009,9 @@ __export(file_grep_exports, {
   grepProjectFiles: () => grepProjectFiles
 });
 import { execSync as execSync3 } from "child_process";
-import { readFileSync as readFileSync4, readdirSync as readdirSync2, statSync as statSync2, existsSync as existsSync7 } from "fs";
-import path9 from "path";
-import crypto2 from "crypto";
+import { readFileSync as readFileSync5, readdirSync as readdirSync2, statSync as statSync2, existsSync as existsSync9 } from "fs";
+import path10 from "path";
+import crypto3 from "crypto";
 function hasRipgrep() {
   if (_hasRg === null) {
     try {
@@ -3873,13 +4044,13 @@ async function grepProjectFiles(query, projectRoot, options) {
     const chunkCtx = getChunkContext(hit.filePath, hit.lineNumber);
     const prefix = chunkCtx ? `[file: ${hit.filePath}:${hit.lineNumber} in ${chunkCtx}]` : `[file: ${hit.filePath}:${hit.lineNumber}]`;
     return {
-      id: crypto2.createHash("sha256").update(`${hit.filePath}:${hit.lineNumber}`).digest("hex").slice(0, 36),
+      id: crypto3.createHash("sha256").update(`${hit.filePath}:${hit.lineNumber}`).digest("hex").slice(0, 36),
       agent_id: "project",
       agent_role: "file",
       session_id: "file-grep",
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       tool_name: "file_grep",
-      project_name: path9.basename(projectRoot),
+      project_name: path10.basename(projectRoot),
       has_error: false,
       raw_text: `${prefix} ${buildSnippet(hit, projectRoot)}`,
       vector: null,
@@ -3891,7 +4062,7 @@ function getChunkContext(filePath, lineNumber) {
   try {
     const ext = filePath.split(".").pop()?.toLowerCase();
     if (ext !== "ts" && ext !== "tsx" && ext !== "js" && ext !== "jsx") return "";
-    const source = readFileSync4(filePath, "utf8");
+    const source = readFileSync5(filePath, "utf8");
     const lines = source.split("\n");
     for (let i = Math.min(lineNumber - 1, lines.length - 1); i >= 0; i--) {
       const line = lines[i];
@@ -3953,11 +4124,11 @@ function grepWithNodeFs(pattern, projectRoot, patterns) {
   const files = collectFiles(projectRoot, patterns ?? DEFAULT_PATTERNS);
   const hits = [];
   for (const filePath of files.slice(0, MAX_FILES)) {
-    const absPath = path9.join(projectRoot, filePath);
+    const absPath = path10.join(projectRoot, filePath);
     try {
       const stat = statSync2(absPath);
       if (stat.size > MAX_FILE_SIZE) continue;
-      const content = readFileSync4(absPath, "utf8");
+      const content = readFileSync5(absPath, "utf8");
       const lines = content.split("\n");
       const matches = content.match(regex);
       if (!matches || matches.length === 0) continue;
@@ -3980,15 +4151,15 @@ function collectFiles(root, patterns) {
   const files = [];
   function walk(dir, relative) {
     if (files.length >= MAX_FILES) return;
-    const basename = path9.basename(dir);
+    const basename = path10.basename(dir);
     if (EXCLUDE_DIRS.includes(basename)) return;
     try {
       const entries = readdirSync2(dir, { withFileTypes: true });
       for (const entry of entries) {
         if (files.length >= MAX_FILES) return;
-        const rel = path9.join(relative, entry.name);
+        const rel = path10.join(relative, entry.name);
         if (entry.isDirectory()) {
-          walk(path9.join(dir, entry.name), rel);
+          walk(path10.join(dir, entry.name), rel);
         } else if (entry.isFile()) {
           for (const pat of patterns) {
             if (matchGlob(rel, pat)) {
@@ -4020,7 +4191,7 @@ function matchGlob(filePath, pattern) {
   if (slashIdx !== -1) {
     const dir = pattern.slice(0, slashIdx);
     const ext2 = pattern.slice(slashIdx + 1).replace("*", "");
-    const fileDir = path9.dirname(filePath);
+    const fileDir = path10.dirname(filePath);
     return fileDir === dir && filePath.endsWith(ext2);
   }
   const ext = pattern.replace("*", "");
@@ -4028,9 +4199,9 @@ function matchGlob(filePath, pattern) {
 }
 function buildSnippet(hit, projectRoot) {
   try {
-    const absPath = path9.join(projectRoot, hit.filePath);
-    if (!existsSync7(absPath)) return hit.matchLine;
-    const lines = readFileSync4(absPath, "utf8").split("\n");
+    const absPath = path10.join(projectRoot, hit.filePath);
+    if (!existsSync9(absPath)) return hit.matchLine;
+    const lines = readFileSync5(absPath, "utf8").split("\n");
     const start = Math.max(0, hit.lineNumber - 3);
     const end = Math.min(lines.length, hit.lineNumber + 2);
     return lines.slice(start, end).join("\n").slice(0, 500);
@@ -5274,9 +5445,9 @@ init_database();
 
 // src/lib/active-agent.ts
 init_config();
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2, unlinkSync as unlinkSync3, readdirSync as readdirSync3 } from "fs";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3, unlinkSync as unlinkSync3, readdirSync as readdirSync3 } from "fs";
 import { execSync as execSync5 } from "child_process";
-import path10 from "path";
+import path11 from "path";
 
 // src/lib/session-key.ts
 import { execSync as execSync4 } from "child_process";
@@ -5342,7 +5513,7 @@ function getSessionKey() {
 
 // src/lib/active-agent.ts
 init_employees();
-var CACHE_DIR = path10.join(EXE_AI_DIR, "session-cache");
+var CACHE_DIR = path11.join(EXE_AI_DIR, "session-cache");
 var STALE_MS = 24 * 60 * 60 * 1e3;
 function isNameWithOptionalInstance(candidate, baseName) {
   if (candidate === baseName) return true;
@@ -5387,12 +5558,12 @@ function resolveActiveAgentFromTmuxSession(sessionName) {
   return null;
 }
 function getMarkerPath() {
-  return path10.join(CACHE_DIR, `active-agent-${getSessionKey()}.json`);
+  return path11.join(CACHE_DIR, `active-agent-${getSessionKey()}.json`);
 }
 function getActiveAgent() {
   try {
     const markerPath = getMarkerPath();
-    const raw = readFileSync5(markerPath, "utf8");
+    const raw = readFileSync6(markerPath, "utf8");
     const data = JSON.parse(raw);
     if (data.agentId) {
       if (data.startedAt) {