@askexenow/exe-os 0.9.8 → 0.9.9

package/dist/lib/cloud-sync.js

@@ -63,9 +63,34 @@ var init_db_retry = __esm({
   }
 });
 
+// src/lib/secure-files.ts
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { chmod, mkdir } from "fs/promises";
+function ensurePrivateDirSync(dirPath) {
+  mkdirSync(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    chmodSync(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+function enforcePrivateFileSync(filePath) {
+  try {
+    if (existsSync(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+var PRIVATE_DIR_MODE, PRIVATE_FILE_MODE;
+var init_secure_files = __esm({
+  "src/lib/secure-files.ts"() {
+    "use strict";
+    PRIVATE_DIR_MODE = 448;
+    PRIVATE_FILE_MODE = 384;
+  }
+});
+
 // src/lib/config.ts
-import { readFile, writeFile, mkdir, chmod } from "fs/promises";
-import { readFileSync, existsSync, renameSync } from "fs";
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync, existsSync as existsSync2, renameSync } from "fs";
 import path from "path";
 import os from "os";
 function resolveDataDir() {
@@ -73,7 +98,7 @@ function resolveDataDir() {
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
   const newDir = path.join(os.homedir(), ".exe-os");
   const legacyDir = path.join(os.homedir(), ".exe-mem");
-  if (!existsSync(newDir) && existsSync(legacyDir)) {
+  if (!existsSync2(newDir) && existsSync2(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
       process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
@@ -88,6 +113,7 @@ var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CON
 var init_config = __esm({
   "src/lib/config.ts"() {
     "use strict";
+    init_secure_files();
     EXE_AI_DIR = resolveDataDir();
     DB_PATH = path.join(EXE_AI_DIR, "memories.db");
     MODELS_DIR = path.join(EXE_AI_DIR, "models");
@@ -156,7 +182,7 @@ var init_config = __esm({
 
 // src/lib/employees.ts
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync2, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
+import { existsSync as existsSync3, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync as renameSync2, unlinkSync, writeFileSync } from "fs";
 import { execSync } from "child_process";
 import path2 from "path";
 import os2 from "os";
@@ -173,7 +199,7 @@ function getCoordinatorName(employees = loadEmployeesSync()) {
   return getCoordinatorEmployee(employees)?.name ?? DEFAULT_COORDINATOR_TEMPLATE_NAME;
 }
 async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync2(employeesPath)) {
+  if (!existsSync3(employeesPath)) {
     return [];
   }
   const raw = await readFile2(employeesPath, "utf-8");
@@ -188,7 +214,7 @@ async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
   await writeFile2(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
 }
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync2(employeesPath)) return [];
+  if (!existsSync3(employeesPath)) return [];
   try {
     return JSON.parse(readFileSync2(employeesPath, "utf-8"));
   } catch {
@@ -222,7 +248,7 @@ function registerBinSymlinks(name) {
   for (const suffix of ["", "-opencode"]) {
     const linkName = `${name}${suffix}`;
     const linkPath = path2.join(binDir, linkName);
-    if (existsSync2(linkPath)) {
+    if (existsSync3(linkPath)) {
       skipped.push(linkName);
       continue;
     }
@@ -831,13 +857,50 @@ var init_database_adapter = __esm({
   }
 });
 
+// src/lib/daemon-auth.ts
+import crypto from "crypto";
+import path4 from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+function normalizeToken(token) {
+  if (!token) return null;
+  const trimmed = token.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function readDaemonToken() {
+  try {
+    if (!existsSync4(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync3(DAEMON_TOKEN_PATH, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function ensureDaemonToken(seed) {
+  const existing = readDaemonToken();
+  if (existing) return existing;
+  const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
+  ensurePrivateDirSync(EXE_AI_DIR);
+  writeFileSync2(DAEMON_TOKEN_PATH, `${token}
+`, "utf8");
+  enforcePrivateFileSync(DAEMON_TOKEN_PATH);
+  return token;
+}
+var DAEMON_TOKEN_PATH;
+var init_daemon_auth = __esm({
+  "src/lib/daemon-auth.ts"() {
+    "use strict";
+    init_config();
+    init_secure_files();
+    DAEMON_TOKEN_PATH = path4.join(EXE_AI_DIR, "exed.token");
+  }
+});
+
 // src/lib/exe-daemon-client.ts
 import net from "net";
 import os4 from "os";
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync3, unlinkSync as unlinkSync2, readFileSync as readFileSync3, openSync, closeSync, statSync } from "fs";
-import path4 from "path";
+import { existsSync as existsSync5, unlinkSync as unlinkSync2, readFileSync as readFileSync4, openSync, closeSync, statSync } from "fs";
+import path5 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
@@ -865,9 +928,9 @@ function handleData(chunk) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync3(PID_PATH)) {
+  if (existsSync5(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync3(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync4(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -888,11 +951,11 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path4.dirname(fileURLToPath(import.meta.url));
-  const { root } = path4.parse(dir);
+  let dir = path5.dirname(fileURLToPath(import.meta.url));
+  const { root } = path5.parse(dir);
   while (dir !== root) {
-    if (existsSync3(path4.join(dir, "package.json"))) return dir;
-    dir = path4.dirname(dir);
+    if (existsSync5(path5.join(dir, "package.json"))) return dir;
+    dir = path5.dirname(dir);
   }
   return null;
 }
@@ -918,16 +981,17 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path4.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync3(daemonPath)) {
+  const daemonPath = path5.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync5(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
   }
   const resolvedPath = daemonPath;
+  const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path4.join(path4.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path5.join(path5.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -945,7 +1009,8 @@ function spawnDaemon() {
       TMUX_PANE: void 0,
       // Prevents resolveExeSession() from scoping to one session
       EXE_DAEMON_SOCK: SOCKET_PATH,
-      EXE_DAEMON_PID: PID_PATH
+      EXE_DAEMON_PID: PID_PATH,
+      [DAEMON_TOKEN_ENV]: daemonToken
     }
   });
   child.unref();
@@ -1052,13 +1117,14 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
       return;
     }
     const id = randomUUID();
+    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
     const timer = setTimeout(() => {
       _pending.delete(id);
       resolve({ error: "Request timeout" });
     }, timeoutMs);
     _pending.set(id, { resolve, timer });
     try {
-      _socket.write(JSON.stringify({ id, ...payload }) + "\n");
+      _socket.write(JSON.stringify({ id, token, ...payload }) + "\n");
     } catch {
       clearTimeout(timer);
       _pending.delete(id);
@@ -1069,17 +1135,19 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
 function isClientConnected() {
   return _connected;
 }
-var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, _socket, _connected, _buffer, _pending, MAX_BUFFER;
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _pending, MAX_BUFFER;
 var init_exe_daemon_client = __esm({
   "src/lib/exe-daemon-client.ts"() {
     "use strict";
     init_config();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path4.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path4.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path4.join(EXE_AI_DIR, "exed-spawn.lock");
+    init_daemon_auth();
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path5.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path5.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path5.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
+    DAEMON_TOKEN_ENV = "EXE_DAEMON_TOKEN";
     _socket = null;
     _connected = false;
     _buffer = "";
@@ -1658,6 +1726,7 @@ async function ensureSchema() {
       project     TEXT NOT NULL,
       summary     TEXT NOT NULL,
       task_file   TEXT,
+      session_scope TEXT,
       read        INTEGER NOT NULL DEFAULT 0,
       created_at  TEXT NOT NULL
     );
@@ -1666,7 +1735,7 @@ async function ensureSchema() {
       ON notifications(read);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_agent
-      ON notifications(agent_id);
+      ON notifications(agent_id, session_scope);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_task_file
       ON notifications(task_file);
@@ -1704,6 +1773,7 @@ async function ensureSchema() {
       target_agent    TEXT NOT NULL,
       target_project  TEXT,
       target_device   TEXT NOT NULL DEFAULT 'local',
+      session_scope   TEXT,
       content         TEXT NOT NULL,
       priority        TEXT DEFAULT 'normal',
       status          TEXT DEFAULT 'pending',
@@ -1717,10 +1787,31 @@ async function ensureSchema() {
     );
 
     CREATE INDEX IF NOT EXISTS idx_messages_target
-      ON messages(target_agent, status);
+      ON messages(target_agent, session_scope, status);
 
     CREATE INDEX IF NOT EXISTS idx_messages_conversation_order
-      ON messages(target_agent, from_agent, server_seq);
+      ON messages(target_agent, session_scope, from_agent, server_seq);
+  `);
+  try {
+    await client.execute({
+      sql: `ALTER TABLE notifications ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE messages ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE INDEX IF NOT EXISTS idx_notifications_agent_scope_read
+      ON notifications(agent_id, session_scope, read, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_messages_target_scope_status
+      ON messages(target_agent, session_scope, status, created_at);
   `);
   try {
     await client.execute({
@@ -2304,6 +2395,13 @@ async function ensureSchema() {
     } catch {
     }
   }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
 }
 async function disposeDatabase() {
   if (_walCheckpointTimer) {
@@ -2360,8 +2458,8 @@ __export(crdt_sync_exports, {
   rebuildFromDb: () => rebuildFromDb
 });
 import * as Y from "yjs";
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, existsSync as existsSync5, mkdirSync as mkdirSync2, unlinkSync as unlinkSync3 } from "fs";
-import path6 from "path";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, existsSync as existsSync7, mkdirSync as mkdirSync3, unlinkSync as unlinkSync3 } from "fs";
+import path7 from "path";
 import { homedir } from "os";
 function getStatePath() {
   return _statePathOverride ?? DEFAULT_STATE_PATH;
@@ -2373,9 +2471,9 @@ function initCrdtDoc() {
   if (doc) return doc;
   doc = new Y.Doc();
   const sp = getStatePath();
-  if (existsSync5(sp)) {
+  if (existsSync7(sp)) {
     try {
-      const state = readFileSync5(sp);
+      const state = readFileSync6(sp);
       Y.applyUpdate(doc, new Uint8Array(state));
     } catch {
       console.warn("[crdt-sync] WARN: corrupted state file, rebuilding from DB");
@@ -2517,10 +2615,10 @@ function persistState() {
   if (!doc) return;
   try {
     const sp = getStatePath();
-    const dir = path6.dirname(sp);
-    if (!existsSync5(dir)) mkdirSync2(dir, { recursive: true });
+    const dir = path7.dirname(sp);
+    if (!existsSync7(dir)) mkdirSync3(dir, { recursive: true });
     const state = Y.encodeStateAsUpdate(doc);
-    writeFileSync3(sp, Buffer.from(state));
+    writeFileSync4(sp, Buffer.from(state));
   } catch {
   }
 }
@@ -2561,7 +2659,7 @@ var DEFAULT_STATE_PATH, _statePathOverride, doc;
 var init_crdt_sync = __esm({
   "src/lib/crdt-sync.ts"() {
     "use strict";
-    DEFAULT_STATE_PATH = path6.join(homedir(), ".exe-os", "crdt-state.bin");
+    DEFAULT_STATE_PATH = path7.join(homedir(), ".exe-os", "crdt-state.bin");
     _statePathOverride = null;
     doc = null;
   }
@@ -2577,14 +2675,14 @@ __export(keychain_exports, {
   setMasterKey: () => setMasterKey
 });
 import { readFile as readFile3, writeFile as writeFile3, unlink, mkdir as mkdir3, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync6 } from "fs";
-import path7 from "path";
-import os5 from "os";
+import { existsSync as existsSync8 } from "fs";
+import path8 from "path";
+import os6 from "os";
 function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path7.join(os5.homedir(), ".exe-os");
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path8.join(os6.homedir(), ".exe-os");
 }
 function getKeyPath() {
-  return path7.join(getKeyDir(), "master.key");
+  return path8.join(getKeyDir(), "master.key");
 }
 async function tryKeytar() {
   try {
@@ -2605,9 +2703,9 @@ async function getMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (!existsSync6(keyPath)) {
+  if (!existsSync8(keyPath)) {
     process.stderr.write(
-      `[keychain] Key not found at ${keyPath} (HOME=${os5.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
+      `[keychain] Key not found at ${keyPath} (HOME=${os6.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
 `
     );
     return null;
@@ -2648,7 +2746,7 @@ async function deleteMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (existsSync6(keyPath)) {
+  if (existsSync8(keyPath)) {
     await unlink(keyPath);
   }
 }
@@ -2692,13 +2790,13 @@ var init_keychain = __esm({
 
 // src/lib/cloud-sync.ts
 init_database();
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, existsSync as existsSync7, readdirSync, mkdirSync as mkdirSync3, appendFileSync, unlinkSync as unlinkSync4, openSync as openSync2, closeSync as closeSync2 } from "fs";
-import crypto2 from "crypto";
-import path8 from "path";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, existsSync as existsSync9, readdirSync, mkdirSync as mkdirSync4, appendFileSync, unlinkSync as unlinkSync4, openSync as openSync2, closeSync as closeSync2 } from "fs";
+import crypto3 from "crypto";
+import path9 from "path";
 import { homedir as homedir2 } from "os";
 
 // src/lib/crypto.ts
-import crypto from "crypto";
+import crypto2 from "crypto";
 var ALGORITHM = "aes-256-gcm";
 var IV_LENGTH = 12;
 var TAG_LENGTH = 16;
@@ -2709,7 +2807,7 @@ function initSyncCrypto(masterKey) {
     throw new Error(`Master key must be 32 bytes, got ${masterKey.length}`);
   }
   _syncKey = Buffer.from(
-    crypto.hkdfSync("sha256", masterKey, "", SYNC_HKDF_INFO, 32)
+    crypto2.hkdfSync("sha256", masterKey, "", SYNC_HKDF_INFO, 32)
   );
 }
 function isSyncCryptoInitialized() {
@@ -2723,8 +2821,8 @@ function requireSyncKey() {
 }
 function encryptSyncBlob(data) {
   const key = requireSyncKey();
-  const iv = crypto.randomBytes(IV_LENGTH);
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const iv = crypto2.randomBytes(IV_LENGTH);
+  const cipher = crypto2.createCipheriv(ALGORITHM, key, iv);
   const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
   const tag = cipher.getAuthTag();
   return Buffer.concat([iv, encrypted, tag]).toString("base64");
@@ -2738,7 +2836,7 @@ function decryptSyncBlob(ciphertext) {
   const iv = combined.subarray(0, IV_LENGTH);
   const tag = combined.subarray(combined.length - TAG_LENGTH);
   const encrypted = combined.subarray(IV_LENGTH, combined.length - TAG_LENGTH);
-  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  const decipher = crypto2.createDecipheriv(ALGORITHM, key, iv);
   decipher.setAuthTag(tag);
   return Buffer.concat([decipher.update(encrypted), decipher.final()]);
 }
@@ -2760,32 +2858,35 @@ function decompress(input) {
 
 // src/lib/license.ts
 init_config();
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync2, existsSync as existsSync4, mkdirSync } from "fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, existsSync as existsSync6, mkdirSync as mkdirSync2 } from "fs";
 import { randomUUID as randomUUID2 } from "crypto";
-import path5 from "path";
+import { createRequire as createRequire2 } from "module";
+import { pathToFileURL as pathToFileURL2 } from "url";
+import os5 from "os";
+import path6 from "path";
 import { jwtVerify, importSPKI } from "jose";
-var LICENSE_PATH = path5.join(EXE_AI_DIR, "license.key");
-var CACHE_PATH = path5.join(EXE_AI_DIR, "license-cache.json");
-var DEVICE_ID_PATH = path5.join(EXE_AI_DIR, "device-id");
+var LICENSE_PATH = path6.join(EXE_AI_DIR, "license.key");
+var CACHE_PATH = path6.join(EXE_AI_DIR, "license-cache.json");
+var DEVICE_ID_PATH = path6.join(EXE_AI_DIR, "device-id");
 function loadDeviceId() {
-  const deviceJsonPath = path5.join(EXE_AI_DIR, "device.json");
+  const deviceJsonPath = path6.join(EXE_AI_DIR, "device.json");
   try {
-    if (existsSync4(deviceJsonPath)) {
-      const data = JSON.parse(readFileSync4(deviceJsonPath, "utf8"));
+    if (existsSync6(deviceJsonPath)) {
+      const data = JSON.parse(readFileSync5(deviceJsonPath, "utf8"));
       if (data.deviceId) return data.deviceId;
     }
   } catch {
   }
   try {
-    if (existsSync4(DEVICE_ID_PATH)) {
-      const id2 = readFileSync4(DEVICE_ID_PATH, "utf8").trim();
+    if (existsSync6(DEVICE_ID_PATH)) {
+      const id2 = readFileSync5(DEVICE_ID_PATH, "utf8").trim();
       if (id2) return id2;
     }
   } catch {
   }
   const id = randomUUID2();
-  mkdirSync(EXE_AI_DIR, { recursive: true });
-  writeFileSync2(DEVICE_ID_PATH, id, "utf8");
+  mkdirSync2(EXE_AI_DIR, { recursive: true });
+  writeFileSync3(DEVICE_ID_PATH, id, "utf8");
   return id;
 }
 
@@ -2793,12 +2894,13 @@ function loadDeviceId() {
 init_config();
 init_crdt_sync();
 init_employees();
+init_secure_files();
 function sqlSafe(v) {
   return v === void 0 ? null : v;
 }
 function logError(msg) {
   try {
-    const logPath = path8.join(homedir2(), ".exe-os", "workers.log");
+    const logPath = path9.join(homedir2(), ".exe-os", "workers.log");
     appendFileSync(logPath, `${(/* @__PURE__ */ new Date()).toISOString()} ${msg}
 `);
   } catch {
@@ -2807,24 +2909,93 @@ function logError(msg) {
 var LOCALHOST_PATTERNS = /^(localhost|127\.0\.0\.1|\[::1\])$/i;
 var FETCH_TIMEOUT_MS = 3e4;
 var PUSH_BATCH_SIZE = 5e3;
-var ROSTER_LOCK_PATH = path8.join(EXE_AI_DIR, "roster-merge.lock");
+var ROSTER_LOCK_PATH = path9.join(EXE_AI_DIR, "roster-merge.lock");
 var LOCK_STALE_MS = 3e4;
+var _pgPromise = null;
+var _pgFailed = false;
+function loadPgClient() {
+  if (_pgFailed) return null;
+  const postgresUrl = process.env.DATABASE_URL;
+  const configPath = path9.join(EXE_AI_DIR, "config.json");
+  let cloudPostgresUrl;
+  try {
+    if (existsSync9(configPath)) {
+      const cfg = JSON.parse(readFileSync7(configPath, "utf8"));
+      cloudPostgresUrl = cfg.cloud?.postgresUrl;
+      if (cfg.cloud?.syncToPostgres === false) {
+        _pgFailed = true;
+        return null;
+      }
+    }
+  } catch {
+  }
+  const url = postgresUrl || cloudPostgresUrl;
+  if (!url) {
+    _pgFailed = true;
+    return null;
+  }
+  if (!_pgPromise) {
+    _pgPromise = (async () => {
+      const { createRequire: createRequire3 } = await import("module");
+      const { pathToFileURL: pathToFileURL3 } = await import("url");
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path9.join(homedir2(), "exe-db");
+      const req = createRequire3(path9.join(exeDbRoot, "package.json"));
+      const entry = req.resolve("@prisma/client");
+      const mod = await import(pathToFileURL3(entry).href);
+      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+      if (!Ctor) throw new Error("No PrismaClient");
+      return new Ctor();
+    })().catch(() => {
+      _pgFailed = true;
+      _pgPromise = null;
+      throw new Error("pg_unavailable");
+    });
+  }
+  return _pgPromise;
+}
+async function pushToPostgres(records) {
+  const loader = loadPgClient();
+  if (!loader) return 0;
+  let prisma;
+  try {
+    prisma = await loader;
+  } catch {
+    return 0;
+  }
+  let inserted = 0;
+  for (const rec of records) {
+    try {
+      await prisma.$executeRawUnsafe(
+        `INSERT INTO raw.raw_events (id, source, source_id, event_type, payload, metadata, timestamp)
+         VALUES (gen_random_uuid(), 'cloud_sync', $1, 'memory', $2::jsonb, $3::jsonb, $4)
+         ON CONFLICT (source, source_id, event_type) DO NOTHING`,
+        String(rec.id ?? ""),
+        JSON.stringify(rec),
+        JSON.stringify({ agent_id: rec.agent_id, project_name: rec.project_name, tool_name: rec.tool_name }),
+        rec.timestamp ? new Date(String(rec.timestamp)) : /* @__PURE__ */ new Date()
+      );
+      inserted++;
+    } catch {
+    }
+  }
+  return inserted;
+}
 async function withRosterLock(fn) {
   try {
     const fd = openSync2(ROSTER_LOCK_PATH, "wx");
     closeSync2(fd);
-    writeFileSync4(ROSTER_LOCK_PATH, String(Date.now()));
+    writeFileSync5(ROSTER_LOCK_PATH, String(Date.now()));
   } catch (err) {
     if (err.code === "EEXIST") {
       try {
-        const ts = parseInt(readFileSync6(ROSTER_LOCK_PATH, "utf-8"), 10);
+        const ts = parseInt(readFileSync7(ROSTER_LOCK_PATH, "utf-8"), 10);
         if (Date.now() - ts < LOCK_STALE_MS) {
           throw new Error("Roster merge already in progress \u2014 another sync is running");
         }
         unlinkSync4(ROSTER_LOCK_PATH);
         const fd = openSync2(ROSTER_LOCK_PATH, "wx");
         closeSync2(fd);
-        writeFileSync4(ROSTER_LOCK_PATH, String(Date.now()));
+        writeFileSync5(ROSTER_LOCK_PATH, String(Date.now()));
       } catch (retryErr) {
         if (retryErr instanceof Error && retryErr.message.includes("already in progress")) throw retryErr;
         throw new Error("Roster merge already in progress \u2014 another sync is running");
@@ -3094,6 +3265,10 @@ async function cloudSync(config) {
     const maxVersion = Number(records[records.length - 1].version);
     const pushOk = await cloudPush(records, maxVersion, config);
     if (!pushOk) break;
+    try {
+      await pushToPostgres(records);
+    } catch {
+    }
     await client.execute({
       sql: "INSERT OR REPLACE INTO sync_meta (key, value) VALUES ('last_cloud_push_version', ?)",
       args: [String(maxVersion)]
@@ -3198,8 +3373,8 @@ async function cloudSync(config) {
   try {
     const employees = await loadEmployees();
     rosterResult.employees = employees.length;
-    const idDir = path8.join(EXE_AI_DIR, "identity");
-    if (existsSync7(idDir)) {
+    const idDir = path9.join(EXE_AI_DIR, "identity");
+    if (existsSync9(idDir)) {
       rosterResult.identities = readdirSync(idDir).filter((f) => f.endsWith(".md")).length;
     }
   } catch {
@@ -3217,66 +3392,66 @@ async function cloudSync(config) {
     roster: rosterResult
   };
 }
-var ROSTER_DELETIONS_PATH = path8.join(EXE_AI_DIR, "roster-deletions.json");
+var ROSTER_DELETIONS_PATH = path9.join(EXE_AI_DIR, "roster-deletions.json");
 function recordRosterDeletion(name) {
   let deletions = [];
   try {
-    if (existsSync7(ROSTER_DELETIONS_PATH)) {
-      deletions = JSON.parse(readFileSync6(ROSTER_DELETIONS_PATH, "utf-8"));
+    if (existsSync9(ROSTER_DELETIONS_PATH)) {
+      deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
     }
   } catch {
   }
   if (!deletions.includes(name)) deletions.push(name);
-  writeFileSync4(ROSTER_DELETIONS_PATH, JSON.stringify(deletions));
+  writeFileSync5(ROSTER_DELETIONS_PATH, JSON.stringify(deletions));
 }
 function consumeRosterDeletions() {
   try {
-    if (!existsSync7(ROSTER_DELETIONS_PATH)) return [];
-    const deletions = JSON.parse(readFileSync6(ROSTER_DELETIONS_PATH, "utf-8"));
-    writeFileSync4(ROSTER_DELETIONS_PATH, "[]");
+    if (!existsSync9(ROSTER_DELETIONS_PATH)) return [];
+    const deletions = JSON.parse(readFileSync7(ROSTER_DELETIONS_PATH, "utf-8"));
+    writeFileSync5(ROSTER_DELETIONS_PATH, "[]");
     return deletions;
   } catch {
     return [];
   }
 }
 function buildRosterBlob(paths) {
-  const rosterPath = paths?.rosterPath ?? path8.join(EXE_AI_DIR, "exe-employees.json");
-  const identityDir = paths?.identityDir ?? path8.join(EXE_AI_DIR, "identity");
-  const configPath = paths?.configPath ?? path8.join(EXE_AI_DIR, "config.json");
+  const rosterPath = paths?.rosterPath ?? path9.join(EXE_AI_DIR, "exe-employees.json");
+  const identityDir = paths?.identityDir ?? path9.join(EXE_AI_DIR, "identity");
+  const configPath = paths?.configPath ?? path9.join(EXE_AI_DIR, "config.json");
   let roster = [];
-  if (existsSync7(rosterPath)) {
+  if (existsSync9(rosterPath)) {
     try {
-      roster = JSON.parse(readFileSync6(rosterPath, "utf-8"));
+      roster = JSON.parse(readFileSync7(rosterPath, "utf-8"));
     } catch {
     }
   }
   const identities = {};
-  if (existsSync7(identityDir)) {
+  if (existsSync9(identityDir)) {
     for (const file of readdirSync(identityDir).filter((f) => f.endsWith(".md"))) {
       try {
-        identities[file] = readFileSync6(path8.join(identityDir, file), "utf-8");
+        identities[file] = readFileSync7(path9.join(identityDir, file), "utf-8");
       } catch {
       }
     }
   }
   let config;
-  if (existsSync7(configPath)) {
+  if (existsSync9(configPath)) {
     try {
-      config = JSON.parse(readFileSync6(configPath, "utf-8"));
+      config = JSON.parse(readFileSync7(configPath, "utf-8"));
     } catch {
     }
   }
   let agentConfig;
-  const agentConfigPath = path8.join(EXE_AI_DIR, "agent-config.json");
-  if (existsSync7(agentConfigPath)) {
+  const agentConfigPath = path9.join(EXE_AI_DIR, "agent-config.json");
+  if (existsSync9(agentConfigPath)) {
     try {
-      agentConfig = JSON.parse(readFileSync6(agentConfigPath, "utf-8"));
+      agentConfig = JSON.parse(readFileSync7(agentConfigPath, "utf-8"));
     } catch {
     }
   }
   const deletedNames = consumeRosterDeletions();
   const content = JSON.stringify({ roster, identities, config, agentConfig, deletedNames });
-  const hash = crypto2.createHash("sha256").update(content).digest("hex").slice(0, 16);
+  const hash = crypto3.createHash("sha256").update(content).digest("hex").slice(0, 16);
   return { roster, identities, config, agentConfig, deletedNames, version: hash };
 }
 async function cloudPushRoster(config) {
@@ -3346,23 +3521,24 @@ async function cloudPullRoster(config) {
   }
 }
 function mergeConfig(remoteConfig, configPath) {
-  const cfgPath = configPath ?? path8.join(EXE_AI_DIR, "config.json");
+  const cfgPath = configPath ?? path9.join(EXE_AI_DIR, "config.json");
   let local = {};
-  if (existsSync7(cfgPath)) {
+  if (existsSync9(cfgPath)) {
     try {
-      local = JSON.parse(readFileSync6(cfgPath, "utf-8"));
+      local = JSON.parse(readFileSync7(cfgPath, "utf-8"));
     } catch {
     }
   }
   const merged = { ...remoteConfig, ...local };
-  const dir = path8.dirname(cfgPath);
-  if (!existsSync7(dir)) mkdirSync3(dir, { recursive: true });
-  writeFileSync4(cfgPath, JSON.stringify(merged, null, 2), "utf-8");
+  const dir = path9.dirname(cfgPath);
+  ensurePrivateDirSync(dir);
+  writeFileSync5(cfgPath, JSON.stringify(merged, null, 2), "utf-8");
+  enforcePrivateFileSync(cfgPath);
 }
 async function mergeRosterFromRemote(remote, paths) {
   return withRosterLock(async () => {
     const rosterPath = paths?.rosterPath ?? void 0;
-    const identityDir = paths?.identityDir ?? path8.join(EXE_AI_DIR, "identity");
+    const identityDir = paths?.identityDir ?? path9.join(EXE_AI_DIR, "identity");
     const localEmployees = await loadEmployees(rosterPath);
     const localNames = new Set(localEmployees.map((e) => e.name));
     let added = 0;
@@ -3383,15 +3559,15 @@ async function mergeRosterFromRemote(remote, paths) {
       ) ?? lookupKey;
       const remoteIdentity = remote.identities[matchedKey];
       if (remoteIdentity) {
-        if (!existsSync7(identityDir)) mkdirSync3(identityDir, { recursive: true });
-        const idPath = path8.join(identityDir, `${remoteEmp.name}.md`);
+        if (!existsSync9(identityDir)) mkdirSync4(identityDir, { recursive: true });
+        const idPath = path9.join(identityDir, `${remoteEmp.name}.md`);
         let localIdentity = null;
         try {
-          localIdentity = existsSync7(idPath) ? readFileSync6(idPath, "utf-8") : null;
+          localIdentity = existsSync9(idPath) ? readFileSync7(idPath, "utf-8") : null;
         } catch {
         }
         if (localIdentity !== remoteIdentity) {
-          writeFileSync4(idPath, remoteIdentity, "utf-8");
+          writeFileSync5(idPath, remoteIdentity, "utf-8");
           identitiesUpdated++;
         }
       }
@@ -3417,16 +3593,18 @@ async function mergeRosterFromRemote(remote, paths) {
     }
     if (remote.agentConfig && Object.keys(remote.agentConfig).length > 0) {
       try {
-        const agentConfigPath = path8.join(EXE_AI_DIR, "agent-config.json");
+        const agentConfigPath = path9.join(EXE_AI_DIR, "agent-config.json");
         let local = {};
-        if (existsSync7(agentConfigPath)) {
+        if (existsSync9(agentConfigPath)) {
           try {
-            local = JSON.parse(readFileSync6(agentConfigPath, "utf-8"));
+            local = JSON.parse(readFileSync7(agentConfigPath, "utf-8"));
           } catch {
           }
         }
         const merged = { ...remote.agentConfig, ...local };
-        writeFileSync4(agentConfigPath, JSON.stringify(merged, null, 2) + "\n", "utf-8");
+        ensurePrivateDirSync(path9.dirname(agentConfigPath));
+        writeFileSync5(agentConfigPath, JSON.stringify(merged, null, 2) + "\n", "utf-8");
+        enforcePrivateFileSync(agentConfigPath);
       } catch {
       }
     }
@@ -3874,5 +4052,6 @@ export {
   cloudSync,
   mergeConfig,
   mergeRosterFromRemote,
+  pushToPostgres,
   recordRosterDeletion
 };