@askexenow/exe-os 0.9.8 → 0.9.9

package/dist/tui/App.js

@@ -355,6 +355,44 @@ var init_provider_table = __esm({
   }
 });
 
+// src/lib/secure-files.ts
+import { chmodSync, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
+import { chmod, mkdir } from "fs/promises";
+async function ensurePrivateDir(dirPath) {
+  await mkdir(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    await chmod(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+function ensurePrivateDirSync(dirPath) {
+  mkdirSync2(dirPath, { recursive: true, mode: PRIVATE_DIR_MODE });
+  try {
+    chmodSync(dirPath, PRIVATE_DIR_MODE);
+  } catch {
+  }
+}
+async function enforcePrivateFile(filePath) {
+  try {
+    await chmod(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+function enforcePrivateFileSync(filePath) {
+  try {
+    if (existsSync3(filePath)) chmodSync(filePath, PRIVATE_FILE_MODE);
+  } catch {
+  }
+}
+var PRIVATE_DIR_MODE, PRIVATE_FILE_MODE;
+var init_secure_files = __esm({
+  "src/lib/secure-files.ts"() {
+    "use strict";
+    PRIVATE_DIR_MODE = 448;
+    PRIVATE_FILE_MODE = 384;
+  }
+});
+
 // src/lib/config.ts
 var config_exports = {};
 __export(config_exports, {
@@ -371,8 +409,8 @@ __export(config_exports, {
   migrateConfig: () => migrateConfig,
   saveConfig: () => saveConfig
 });
-import { readFile, writeFile, mkdir, chmod } from "fs/promises";
-import { readFileSync as readFileSync3, existsSync as existsSync3, renameSync } from "fs";
+import { readFile, writeFile } from "fs/promises";
+import { readFileSync as readFileSync3, existsSync as existsSync4, renameSync } from "fs";
 import path2 from "path";
 import os2 from "os";
 function resolveDataDir() {
@@ -380,7 +418,7 @@ function resolveDataDir() {
   if (process.env.EXE_MEM_DIR) return process.env.EXE_MEM_DIR;
   const newDir = path2.join(os2.homedir(), ".exe-os");
   const legacyDir = path2.join(os2.homedir(), ".exe-mem");
-  if (!existsSync3(newDir) && existsSync3(legacyDir)) {
+  if (!existsSync4(newDir) && existsSync4(legacyDir)) {
     try {
       renameSync(legacyDir, newDir);
       process.stderr.write(`[exe-os] Migrated data directory: ~/.exe-mem \u2192 ~/.exe-os
@@ -443,9 +481,9 @@ function normalizeAutoUpdate(raw) {
 }
 async function loadConfig() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path2.join(dir, "config.json");
-  if (!existsSync3(configPath)) {
+  if (!existsSync4(configPath)) {
     return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
   }
   const raw = await readFile(configPath, "utf-8");
@@ -458,6 +496,7 @@ async function loadConfig() {
 `);
       try {
         await writeFile(configPath, JSON.stringify(migratedCfg, null, 2) + "\n");
+        await enforcePrivateFile(configPath);
       } catch {
       }
     }
@@ -476,7 +515,7 @@ async function loadConfig() {
 function loadConfigSync() {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
   const configPath = path2.join(dir, "config.json");
-  if (!existsSync3(configPath)) {
+  if (!existsSync4(configPath)) {
     return { ...DEFAULT_CONFIG, dbPath: path2.join(dir, "memories.db") };
   }
   try {
@@ -494,12 +533,10 @@ function loadConfigSync() {
 }
 async function saveConfig(config) {
   const dir = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? EXE_AI_DIR;
-  await mkdir(dir, { recursive: true });
+  await ensurePrivateDir(dir);
   const configPath = path2.join(dir, "config.json");
   await writeFile(configPath, JSON.stringify(config, null, 2) + "\n");
-  if (config.cloud?.apiKey) {
-    await chmod(configPath, 384);
-  }
+  await enforcePrivateFile(configPath);
 }
 async function loadConfigFrom(configPath) {
   const raw = await readFile(configPath, "utf-8");
@@ -519,6 +556,7 @@ var EXE_AI_DIR, DB_PATH, MODELS_DIR, CONFIG_PATH, LEGACY_LANCE_PATH, CURRENT_CON
 var init_config = __esm({
   "src/lib/config.ts"() {
     "use strict";
+    init_secure_files();
     EXE_AI_DIR = resolveDataDir();
     DB_PATH = path2.join(EXE_AI_DIR, "memories.db");
     MODELS_DIR = path2.join(EXE_AI_DIR, "models");
@@ -635,10 +673,10 @@ __export(agent_config_exports, {
   saveAgentConfig: () => saveAgentConfig,
   setAgentRuntime: () => setAgentRuntime
 });
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync2, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync2, existsSync as existsSync5 } from "fs";
 import path3 from "path";
 function loadAgentConfig() {
-  if (!existsSync4(AGENT_CONFIG_PATH)) return {};
+  if (!existsSync5(AGENT_CONFIG_PATH)) return {};
   try {
     return JSON.parse(readFileSync4(AGENT_CONFIG_PATH, "utf-8"));
   } catch {
@@ -647,8 +685,9 @@ function loadAgentConfig() {
 }
 function saveAgentConfig(config) {
   const dir = path3.dirname(AGENT_CONFIG_PATH);
-  if (!existsSync4(dir)) mkdirSync2(dir, { recursive: true });
+  ensurePrivateDirSync(dir);
   writeFileSync2(AGENT_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  enforcePrivateFileSync(AGENT_CONFIG_PATH);
 }
 function getAgentRuntime(agentId) {
   const config = loadAgentConfig();
@@ -688,6 +727,7 @@ var init_agent_config = __esm({
     "use strict";
     init_config();
     init_runtime_table();
+    init_secure_files();
     AGENT_CONFIG_PATH = path3.join(EXE_AI_DIR, "agent-config.json");
     KNOWN_RUNTIMES = {
       claude: ["claude-opus-4", "claude-sonnet-4", "claude-haiku-4.5"],
@@ -716,16 +756,16 @@ __export(intercom_queue_exports, {
   queueIntercom: () => queueIntercom,
   readQueue: () => readQueue
 });
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, renameSync as renameSync2, existsSync as existsSync5, mkdirSync as mkdirSync3 } from "fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, renameSync as renameSync2, existsSync as existsSync6, mkdirSync as mkdirSync3 } from "fs";
 import path4 from "path";
 import os3 from "os";
 function ensureDir() {
   const dir = path4.dirname(QUEUE_PATH);
-  if (!existsSync5(dir)) mkdirSync3(dir, { recursive: true });
+  if (!existsSync6(dir)) mkdirSync3(dir, { recursive: true });
 }
 function readQueue() {
   try {
-    if (!existsSync5(QUEUE_PATH)) return [];
+    if (!existsSync6(QUEUE_PATH)) return [];
     return JSON.parse(readFileSync5(QUEUE_PATH, "utf8"));
   } catch {
     return [];
@@ -916,7 +956,7 @@ __export(employees_exports, {
   validateEmployeeName: () => validateEmployeeName
 });
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { existsSync as existsSync6, symlinkSync, readlinkSync, readFileSync as readFileSync6, renameSync as renameSync3, unlinkSync, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync7, symlinkSync, readlinkSync, readFileSync as readFileSync6, renameSync as renameSync3, unlinkSync, writeFileSync as writeFileSync4 } from "fs";
 import { execSync as execSync4 } from "child_process";
 import path5 from "path";
 import os4 from "os";
@@ -955,7 +995,7 @@ function validateEmployeeName(name) {
   return { valid: true };
 }
 async function loadEmployees(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync6(employeesPath)) {
+  if (!existsSync7(employeesPath)) {
     return [];
   }
   const raw = await readFile2(employeesPath, "utf-8");
@@ -970,7 +1010,7 @@ async function saveEmployees(employees, employeesPath = EMPLOYEES_PATH) {
   await writeFile2(employeesPath, JSON.stringify(employees, null, 2) + "\n", "utf-8");
 }
 function loadEmployeesSync(employeesPath = EMPLOYEES_PATH) {
-  if (!existsSync6(employeesPath)) return [];
+  if (!existsSync7(employeesPath)) return [];
   try {
     return JSON.parse(readFileSync6(employeesPath, "utf-8"));
   } catch {
@@ -1018,7 +1058,7 @@ function appendToCoordinatorTeam(employee) {
   const coordinator = getCoordinatorEmployee(loadEmployeesSync());
   if (!coordinator) return;
   const idPath = path5.join(IDENTITY_DIR, `${coordinator.name}.md`);
-  if (!existsSync6(idPath)) return;
+  if (!existsSync7(idPath)) return;
   const content = readFileSync6(idPath, "utf-8");
   if (content.includes(`**${capitalize(employee.name)}`)) return;
   const teamMatch = content.match(TEAM_SECTION_RE);
@@ -1072,9 +1112,9 @@ async function normalizeRosterCase(rosterPath) {
         const identityDir = path5.join(os4.homedir(), ".exe-os", "identity");
         const oldPath = path5.join(identityDir, `${oldName}.md`);
         const newPath = path5.join(identityDir, `${emp.name}.md`);
-        if (existsSync6(oldPath) && !existsSync6(newPath)) {
+        if (existsSync7(oldPath) && !existsSync7(newPath)) {
           renameSync3(oldPath, newPath);
-        } else if (existsSync6(oldPath) && oldPath !== newPath) {
+        } else if (existsSync7(oldPath) && oldPath !== newPath) {
           const content = readFileSync6(oldPath, "utf-8");
           writeFileSync4(newPath, content, "utf-8");
           if (oldPath.toLowerCase() !== newPath.toLowerCase()) {
@@ -1117,7 +1157,7 @@ function registerBinSymlinks(name) {
   for (const suffix of ["", "-opencode"]) {
     const linkName = `${name}${suffix}`;
     const linkPath = path5.join(binDir, linkName);
-    if (existsSync6(linkPath)) {
+    if (existsSync7(linkPath)) {
       skipped.push(linkName);
       continue;
     }
@@ -1728,13 +1768,50 @@ var init_database_adapter = __esm({
   }
 });
 
+// src/lib/daemon-auth.ts
+import crypto from "crypto";
+import path7 from "path";
+import { existsSync as existsSync8, readFileSync as readFileSync7, writeFileSync as writeFileSync5 } from "fs";
+function normalizeToken(token) {
+  if (!token) return null;
+  const trimmed = token.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function readDaemonToken() {
+  try {
+    if (!existsSync8(DAEMON_TOKEN_PATH)) return null;
+    return normalizeToken(readFileSync7(DAEMON_TOKEN_PATH, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function ensureDaemonToken(seed) {
+  const existing = readDaemonToken();
+  if (existing) return existing;
+  const token = normalizeToken(seed) ?? crypto.randomBytes(32).toString("hex");
+  ensurePrivateDirSync(EXE_AI_DIR);
+  writeFileSync5(DAEMON_TOKEN_PATH, `${token}
+`, "utf8");
+  enforcePrivateFileSync(DAEMON_TOKEN_PATH);
+  return token;
+}
+var DAEMON_TOKEN_PATH;
+var init_daemon_auth = __esm({
+  "src/lib/daemon-auth.ts"() {
+    "use strict";
+    init_config();
+    init_secure_files();
+    DAEMON_TOKEN_PATH = path7.join(EXE_AI_DIR, "exed.token");
+  }
+});
+
 // src/lib/exe-daemon-client.ts
 import net from "net";
 import os6 from "os";
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
-import { existsSync as existsSync7, unlinkSync as unlinkSync2, readFileSync as readFileSync7, openSync, closeSync, statSync } from "fs";
-import path7 from "path";
+import { existsSync as existsSync9, unlinkSync as unlinkSync2, readFileSync as readFileSync8, openSync, closeSync, statSync } from "fs";
+import path8 from "path";
 import { fileURLToPath } from "url";
 function handleData(chunk) {
   _buffer += chunk.toString();
@@ -1762,9 +1839,9 @@ function handleData(chunk) {
   }
 }
 function cleanupStaleFiles() {
-  if (existsSync7(PID_PATH)) {
+  if (existsSync9(PID_PATH)) {
     try {
-      const pid = parseInt(readFileSync7(PID_PATH, "utf8").trim(), 10);
+      const pid = parseInt(readFileSync8(PID_PATH, "utf8").trim(), 10);
       if (pid > 0) {
         try {
           process.kill(pid, 0);
@@ -1785,11 +1862,11 @@ function cleanupStaleFiles() {
   }
 }
 function findPackageRoot() {
-  let dir = path7.dirname(fileURLToPath(import.meta.url));
-  const { root } = path7.parse(dir);
+  let dir = path8.dirname(fileURLToPath(import.meta.url));
+  const { root } = path8.parse(dir);
   while (dir !== root) {
-    if (existsSync7(path7.join(dir, "package.json"))) return dir;
-    dir = path7.dirname(dir);
+    if (existsSync9(path8.join(dir, "package.json"))) return dir;
+    dir = path8.dirname(dir);
   }
   return null;
 }
@@ -1815,16 +1892,17 @@ function spawnDaemon() {
     process.stderr.write("[exed-client] WARN: cannot find package root\n");
     return;
   }
-  const daemonPath = path7.join(pkgRoot, "dist", "lib", "exe-daemon.js");
-  if (!existsSync7(daemonPath)) {
+  const daemonPath = path8.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  if (!existsSync9(daemonPath)) {
     process.stderr.write(`[exed-client] WARN: daemon script not found at ${daemonPath}
 `);
     return;
   }
   const resolvedPath = daemonPath;
+  const daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV] ?? null);
   process.stderr.write(`[exed-client] Spawning daemon: ${resolvedPath}
 `);
-  const logPath = path7.join(path7.dirname(SOCKET_PATH), "exed.log");
+  const logPath = path8.join(path8.dirname(SOCKET_PATH), "exed.log");
   let stderrFd = "ignore";
   try {
     stderrFd = openSync(logPath, "a");
@@ -1842,7 +1920,8 @@ function spawnDaemon() {
       TMUX_PANE: void 0,
       // Prevents resolveExeSession() from scoping to one session
       EXE_DAEMON_SOCK: SOCKET_PATH,
-      EXE_DAEMON_PID: PID_PATH
+      EXE_DAEMON_PID: PID_PATH,
+      [DAEMON_TOKEN_ENV]: daemonToken
     }
   });
   child.unref();
@@ -1949,13 +2028,14 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
       return;
     }
     const id = randomUUID();
+    const token = process.env[DAEMON_TOKEN_ENV] ?? readDaemonToken();
     const timer = setTimeout(() => {
       _pending.delete(id);
       resolve({ error: "Request timeout" });
     }, timeoutMs);
     _pending.set(id, { resolve, timer });
     try {
-      _socket.write(JSON.stringify({ id, ...payload }) + "\n");
+      _socket.write(JSON.stringify({ id, token, ...payload }) + "\n");
     } catch {
       clearTimeout(timer);
       _pending.delete(id);
@@ -1966,17 +2046,19 @@ function sendDaemonRequest(payload, timeoutMs = REQUEST_TIMEOUT_MS) {
 function isClientConnected() {
   return _connected;
 }
-var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, _socket, _connected, _buffer, _pending, MAX_BUFFER;
+var SOCKET_PATH, PID_PATH, SPAWN_LOCK_PATH, SPAWN_LOCK_STALE_MS, CONNECT_TIMEOUT_MS, REQUEST_TIMEOUT_MS, DAEMON_TOKEN_ENV, _socket, _connected, _buffer, _pending, MAX_BUFFER;
 var init_exe_daemon_client = __esm({
   "src/lib/exe-daemon-client.ts"() {
     "use strict";
     init_config();
-    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path7.join(EXE_AI_DIR, "exed.sock");
-    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path7.join(EXE_AI_DIR, "exed.pid");
-    SPAWN_LOCK_PATH = path7.join(EXE_AI_DIR, "exed-spawn.lock");
+    init_daemon_auth();
+    SOCKET_PATH = process.env.EXE_DAEMON_SOCK ?? process.env.EXE_EMBED_SOCK ?? path8.join(EXE_AI_DIR, "exed.sock");
+    PID_PATH = process.env.EXE_DAEMON_PID ?? process.env.EXE_EMBED_PID ?? path8.join(EXE_AI_DIR, "exed.pid");
+    SPAWN_LOCK_PATH = path8.join(EXE_AI_DIR, "exed-spawn.lock");
     SPAWN_LOCK_STALE_MS = 3e4;
     CONNECT_TIMEOUT_MS = 15e3;
     REQUEST_TIMEOUT_MS = 3e4;
+    DAEMON_TOKEN_ENV = "EXE_DAEMON_TOKEN";
     _socket = null;
     _connected = false;
     _buffer = "";
@@ -2555,6 +2637,7 @@ async function ensureSchema() {
       project     TEXT NOT NULL,
       summary     TEXT NOT NULL,
       task_file   TEXT,
+      session_scope TEXT,
       read        INTEGER NOT NULL DEFAULT 0,
       created_at  TEXT NOT NULL
     );
@@ -2563,7 +2646,7 @@ async function ensureSchema() {
       ON notifications(read);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_agent
-      ON notifications(agent_id);
+      ON notifications(agent_id, session_scope);
 
     CREATE INDEX IF NOT EXISTS idx_notifications_task_file
       ON notifications(task_file);
@@ -2601,6 +2684,7 @@ async function ensureSchema() {
       target_agent    TEXT NOT NULL,
       target_project  TEXT,
       target_device   TEXT NOT NULL DEFAULT 'local',
+      session_scope   TEXT,
       content         TEXT NOT NULL,
       priority        TEXT DEFAULT 'normal',
       status          TEXT DEFAULT 'pending',
@@ -2614,10 +2698,31 @@ async function ensureSchema() {
     );
 
     CREATE INDEX IF NOT EXISTS idx_messages_target
-      ON messages(target_agent, status);
+      ON messages(target_agent, session_scope, status);
 
     CREATE INDEX IF NOT EXISTS idx_messages_conversation_order
-      ON messages(target_agent, from_agent, server_seq);
+      ON messages(target_agent, session_scope, from_agent, server_seq);
+  `);
+  try {
+    await client.execute({
+      sql: `ALTER TABLE notifications ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE messages ADD COLUMN session_scope TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  await client.executeMultiple(`
+    CREATE INDEX IF NOT EXISTS idx_notifications_agent_scope_read
+      ON notifications(agent_id, session_scope, read, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_messages_target_scope_status
+      ON messages(target_agent, session_scope, status, created_at);
   `);
   try {
     await client.execute({
@@ -3201,6 +3306,13 @@ async function ensureSchema() {
     } catch {
     }
   }
+  try {
+    await client.execute({
+      sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
+      args: []
+    });
+  } catch {
+  }
 }
 async function disposeDatabase() {
   if (_walCheckpointTimer) {
@@ -3255,9 +3367,12 @@ __export(license_exports, {
   stopLicenseRevalidation: () => stopLicenseRevalidation,
   validateLicense: () => validateLicense
 });
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync5, existsSync as existsSync8, mkdirSync as mkdirSync4 } from "fs";
+import { readFileSync as readFileSync9, writeFileSync as writeFileSync6, existsSync as existsSync10, mkdirSync as mkdirSync4 } from "fs";
 import { randomUUID as randomUUID2 } from "crypto";
-import path8 from "path";
+import { createRequire as createRequire2 } from "module";
+import { pathToFileURL as pathToFileURL2 } from "url";
+import os7 from "os";
+import path9 from "path";
 import { jwtVerify, importSPKI } from "jose";
 async function fetchRetry(url, init) {
   try {
@@ -3268,37 +3383,37 @@ async function fetchRetry(url, init) {
   }
 }
 function loadDeviceId() {
-  const deviceJsonPath = path8.join(EXE_AI_DIR, "device.json");
+  const deviceJsonPath = path9.join(EXE_AI_DIR, "device.json");
   try {
-    if (existsSync8(deviceJsonPath)) {
-      const data = JSON.parse(readFileSync8(deviceJsonPath, "utf8"));
+    if (existsSync10(deviceJsonPath)) {
+      const data = JSON.parse(readFileSync9(deviceJsonPath, "utf8"));
       if (data.deviceId) return data.deviceId;
     }
   } catch {
   }
   try {
-    if (existsSync8(DEVICE_ID_PATH)) {
-      const id2 = readFileSync8(DEVICE_ID_PATH, "utf8").trim();
+    if (existsSync10(DEVICE_ID_PATH)) {
+      const id2 = readFileSync9(DEVICE_ID_PATH, "utf8").trim();
       if (id2) return id2;
     }
   } catch {
   }
   const id = randomUUID2();
   mkdirSync4(EXE_AI_DIR, { recursive: true });
-  writeFileSync5(DEVICE_ID_PATH, id, "utf8");
+  writeFileSync6(DEVICE_ID_PATH, id, "utf8");
   return id;
 }
 function loadLicense() {
   try {
-    if (!existsSync8(LICENSE_PATH)) return null;
-    return readFileSync8(LICENSE_PATH, "utf8").trim();
+    if (!existsSync10(LICENSE_PATH)) return null;
+    return readFileSync9(LICENSE_PATH, "utf8").trim();
   } catch {
     return null;
   }
 }
 function saveLicense(apiKey) {
   mkdirSync4(EXE_AI_DIR, { recursive: true });
-  writeFileSync5(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
+  writeFileSync6(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
 }
 async function verifyLicenseJwt(token) {
   try {
@@ -3324,8 +3439,8 @@ async function verifyLicenseJwt(token) {
 }
 async function getCachedLicense() {
   try {
-    if (!existsSync8(CACHE_PATH)) return null;
-    const raw = JSON.parse(readFileSync8(CACHE_PATH, "utf8"));
+    if (!existsSync10(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync9(CACHE_PATH, "utf8"));
     if (!raw.token || typeof raw.token !== "string") return null;
     return await verifyLicenseJwt(raw.token);
   } catch {
@@ -3334,8 +3449,8 @@ async function getCachedLicense() {
 }
 function readCachedToken() {
   try {
-    if (!existsSync8(CACHE_PATH)) return null;
-    const raw = JSON.parse(readFileSync8(CACHE_PATH, "utf8"));
+    if (!existsSync10(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync9(CACHE_PATH, "utf8"));
     return typeof raw.token === "string" ? raw.token : null;
   } catch {
     return null;
@@ -3369,56 +3484,130 @@ function getRawCachedPlan() {
 }
 function cacheResponse(token) {
   try {
-    writeFileSync5(CACHE_PATH, JSON.stringify({ token }), "utf8");
+    writeFileSync6(CACHE_PATH, JSON.stringify({ token }), "utf8");
   } catch {
   }
 }
-async function validateLicense(apiKey, deviceId) {
-  const did = deviceId ?? loadDeviceId();
+function loadPrismaForLicense() {
+  if (_prismaFailed) return null;
+  const dbUrl = process.env.DATABASE_URL;
+  if (!dbUrl) {
+    const exeDbRoot = process.env.EXE_DB_ROOT ?? path9.join(os7.homedir(), "exe-db");
+    if (!existsSync10(path9.join(exeDbRoot, "package.json"))) {
+      _prismaFailed = true;
+      return null;
+    }
+  }
+  if (!_prismaPromise) {
+    _prismaPromise = (async () => {
+      const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
+      if (explicitPath) {
+        const mod2 = await import(pathToFileURL2(explicitPath).href);
+        const Ctor2 = mod2.PrismaClient ?? mod2.default?.PrismaClient;
+        if (!Ctor2) throw new Error(`No PrismaClient at ${explicitPath}`);
+        return new Ctor2();
+      }
+      const exeDbRoot = process.env.EXE_DB_ROOT ?? path9.join(os7.homedir(), "exe-db");
+      const req = createRequire2(path9.join(exeDbRoot, "package.json"));
+      const entry = req.resolve("@prisma/client");
+      const mod = await import(pathToFileURL2(entry).href);
+      const Ctor = mod.PrismaClient ?? mod.default?.PrismaClient;
+      if (!Ctor) throw new Error(`No PrismaClient in ${entry}`);
+      return new Ctor();
+    })().catch((err) => {
+      _prismaFailed = true;
+      _prismaPromise = null;
+      throw err;
+    });
+  }
+  return _prismaPromise;
+}
+async function validateViaPostgres(apiKey) {
+  const loader = loadPrismaForLicense();
+  if (!loader) return null;
+  try {
+    const prisma = await loader;
+    const rows = await prisma.$queryRawUnsafe(
+      `SELECT plan, email, status, device_limit, employee_limit, memory_limit, expires_at
+       FROM billing.licenses WHERE key = $1 LIMIT 1`,
+      apiKey
+    );
+    if (!rows || rows.length === 0) return null;
+    const row = rows[0];
+    if (row.status !== "active") return null;
+    if (row.expires_at && new Date(row.expires_at) < /* @__PURE__ */ new Date()) return null;
+    const plan = row.plan;
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan,
+      email: row.email,
+      expiresAt: row.expires_at ? new Date(row.expires_at).toISOString() : null,
+      deviceLimit: row.device_limit ?? limits.devices,
+      employeeLimit: row.employee_limit ?? limits.employees,
+      memoryLimit: row.memory_limit ?? limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateViaCFWorker(apiKey, deviceId) {
   try {
     const res = await fetchRetry(`${API_BASE}/auth/activate`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ apiKey, deviceId: did }),
+      body: JSON.stringify({ apiKey, deviceId }),
       signal: AbortSignal.timeout(1e4)
     });
-    if (res.ok) {
-      const data = await res.json();
-      if (data.error === "device_limit_exceeded") {
-        const cached2 = await getCachedLicense();
-        if (cached2) return cached2;
-        const raw2 = getRawCachedPlan();
-        if (raw2) return { ...raw2, valid: false };
-        return { ...FREE_LICENSE, valid: false, plan: "free" };
-      }
-      if (data.token) {
-        cacheResponse(data.token);
-        const verified = await verifyLicenseJwt(data.token);
-        if (verified) return verified;
-      }
-      const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
-      return {
-        valid: data.valid,
-        plan: data.plan,
-        email: data.email,
-        expiresAt: data.expiresAt,
-        deviceLimit: limits.devices,
-        employeeLimit: limits.employees,
-        memoryLimit: limits.memories
-      };
+    if (!res.ok) return null;
+    const data = await res.json();
+    if (data.error === "device_limit_exceeded") return null;
+    if (!data.valid) return null;
+    if (data.token) {
+      cacheResponse(data.token);
+      const verified = await verifyLicenseJwt(data.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: data.valid,
+      plan: data.plan,
+      email: data.email,
+      expiresAt: data.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateLicense(apiKey, deviceId) {
+  const did = deviceId ?? loadDeviceId();
+  const pgResult = await validateViaPostgres(apiKey);
+  if (pgResult) {
+    try {
+      writeFileSync6(CACHE_PATH, JSON.stringify({ pgLicense: pgResult, ts: Date.now() }), "utf8");
+    } catch {
+    }
+    return pgResult;
+  }
+  const cfResult = await validateViaCFWorker(apiKey, did);
+  if (cfResult) return cfResult;
+  const cached = await getCachedLicense();
+  if (cached) return cached;
+  try {
+    if (existsSync10(CACHE_PATH)) {
+      const raw = JSON.parse(readFileSync9(CACHE_PATH, "utf8"));
+      if (raw.pgLicense && raw.ts && Date.now() - raw.ts < 7 * 24 * 60 * 60 * 1e3) {
+        return raw.pgLicense;
+      }
     }
-    const cached = await getCachedLicense();
-    if (cached) return cached;
-    const raw = getRawCachedPlan();
-    if (raw) return raw;
-    return { ...FREE_LICENSE, valid: false, plan: "free" };
   } catch {
-    const cached = await getCachedLicense();
-    if (cached) return cached;
-    const rawFallback = getRawCachedPlan();
-    if (rawFallback) return rawFallback;
-    return { ...FREE_LICENSE, valid: false, error: "offline" };
   }
+  const rawFallback = getRawCachedPlan();
+  if (rawFallback) return rawFallback;
+  return { ...FREE_LICENSE, valid: false };
 }
 function getCacheAgeMs() {
   try {
@@ -3433,9 +3622,9 @@ async function checkLicense() {
   let key = loadLicense();
   if (!key) {
     try {
-      const configPath = path8.join(EXE_AI_DIR, "config.json");
-      if (existsSync8(configPath)) {
-        const raw = JSON.parse(readFileSync8(configPath, "utf8"));
+      const configPath = path9.join(EXE_AI_DIR, "config.json");
+      if (existsSync10(configPath)) {
+        const raw = JSON.parse(readFileSync9(configPath, "utf8"));
         const cloud = raw.cloud;
         if (cloud?.apiKey) {
           key = cloud.apiKey;
@@ -3589,14 +3778,14 @@ function stopLicenseRevalidation() {
     _revalTimer = null;
   }
 }
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, CACHE_MAX_AGE_MS, _revalTimer;
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE, RETRY_DELAY_MS, LICENSE_PUBLIC_KEY_PEM, LICENSE_JWT_ALG, PLAN_LIMITS, FREE_LICENSE, _prismaPromise, _prismaFailed, CACHE_MAX_AGE_MS, _revalTimer;
 var init_license = __esm({
   "src/lib/license.ts"() {
     "use strict";
     init_config();
-    LICENSE_PATH = path8.join(EXE_AI_DIR, "license.key");
-    CACHE_PATH = path8.join(EXE_AI_DIR, "license-cache.json");
-    DEVICE_ID_PATH = path8.join(EXE_AI_DIR, "device-id");
+    LICENSE_PATH = path9.join(EXE_AI_DIR, "license.key");
+    CACHE_PATH = path9.join(EXE_AI_DIR, "license-cache.json");
+    DEVICE_ID_PATH = path9.join(EXE_AI_DIR, "device-id");
     API_BASE = "https://askexe.com/cloud";
     RETRY_DELAY_MS = 500;
     LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
@@ -3620,18 +3809,20 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
       employeeLimit: 1,
       memoryLimit: 5e3
     };
+    _prismaPromise = null;
+    _prismaFailed = false;
     CACHE_MAX_AGE_MS = 36e5;
     _revalTimer = null;
   }
 });
 
 // src/lib/plan-limits.ts
-import { readFileSync as readFileSync9, existsSync as existsSync9 } from "fs";
-import path9 from "path";
+import { readFileSync as readFileSync10, existsSync as existsSync11 } from "fs";
+import path10 from "path";
 function getLicenseSync() {
   try {
-    if (!existsSync9(CACHE_PATH2)) return freeLicense();
-    const raw = JSON.parse(readFileSync9(CACHE_PATH2, "utf8"));
+    if (!existsSync11(CACHE_PATH2)) return freeLicense();
+    const raw = JSON.parse(readFileSync10(CACHE_PATH2, "utf8"));
     if (!raw.token || typeof raw.token !== "string") return freeLicense();
     const parts = raw.token.split(".");
     if (parts.length !== 3) return freeLicense();
@@ -3669,8 +3860,8 @@ function assertEmployeeLimitSync(rosterPath) {
   const filePath = rosterPath ?? EMPLOYEES_PATH;
   let count = 0;
   try {
-    if (existsSync9(filePath)) {
-      const raw = readFileSync9(filePath, "utf8");
+    if (existsSync11(filePath)) {
+      const raw = readFileSync10(filePath, "utf8");
       const employees = JSON.parse(raw);
       count = Array.isArray(employees) ? employees.length : 0;
     }
@@ -3699,29 +3890,30 @@ var init_plan_limits = __esm({
         this.name = "PlanLimitError";
       }
     };
-    CACHE_PATH2 = path9.join(EXE_AI_DIR, "license-cache.json");
+    CACHE_PATH2 = path10.join(EXE_AI_DIR, "license-cache.json");
   }
 });
 
 // src/lib/notifications.ts
-import crypto from "crypto";
-import path10 from "path";
-import os7 from "os";
+import crypto2 from "crypto";
+import path11 from "path";
+import os8 from "os";
 import {
-  readFileSync as readFileSync10,
+  readFileSync as readFileSync11,
   readdirSync,
   unlinkSync as unlinkSync3,
-  existsSync as existsSync10,
+  existsSync as existsSync12,
   rmdirSync
 } from "fs";
 async function writeNotification(notification) {
   try {
     const client = getClient();
-    const id = crypto.randomUUID();
+    const id = crypto2.randomUUID();
     const now = (/* @__PURE__ */ new Date()).toISOString();
+    const sessionScope = notification.sessionScope === void 0 ? getCurrentSessionScope() : notification.sessionScope;
     await client.execute({
-      sql: `INSERT INTO notifications (id, agent_id, agent_role, event, project, summary, task_file, read, created_at)
-            VALUES (?, ?, ?, ?, ?, ?, ?, 0, ?)`,
+      sql: `INSERT INTO notifications (id, agent_id, agent_role, event, project, summary, task_file, session_scope, read, created_at)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?, 0, ?)`,
       args: [
         id,
         notification.agentId,
@@ -3730,6 +3922,7 @@ async function writeNotification(notification) {
         notification.project,
         notification.summary,
         notification.taskFile ?? null,
+        sessionScope,
         now
       ]
     });
@@ -3738,12 +3931,14 @@ async function writeNotification(notification) {
 `);
   }
 }
-async function markAsReadByTaskFile(taskFile) {
+async function markAsReadByTaskFile(taskFile, sessionScope) {
   try {
     const client = getClient();
+    const scope = strictSessionScopeFilter(sessionScope);
     await client.execute({
-      sql: "UPDATE notifications SET read = 1 WHERE task_file = ? AND read = 0",
-      args: [taskFile]
+      sql: `UPDATE notifications SET read = 1
+            WHERE task_file = ? AND read = 0${scope.sql}`,
+      args: [taskFile, ...scope.args]
     });
   } catch {
   }
@@ -3752,11 +3947,12 @@ var init_notifications = __esm({
   "src/lib/notifications.ts"() {
     "use strict";
     init_database();
+    init_task_scope();
   }
 });
 
 // src/lib/session-kill-telemetry.ts
-import crypto2 from "crypto";
+import crypto3 from "crypto";
 async function recordSessionKill(input) {
   try {
     const client = getClient();
@@ -3766,7 +3962,7 @@ async function recordSessionKill(input) {
                ticks_idle, estimated_tokens_saved)
             VALUES (?, ?, ?, ?, ?, ?, ?)`,
       args: [
-        crypto2.randomUUID(),
+        crypto3.randomUUID(),
         input.sessionName,
         input.agentId,
         (/* @__PURE__ */ new Date()).toISOString(),
@@ -3861,12 +4057,12 @@ __export(tasks_crud_exports, {
   updateTaskStatus: () => updateTaskStatus,
   writeCheckpoint: () => writeCheckpoint
 });
-import crypto3 from "crypto";
-import path11 from "path";
-import os8 from "os";
+import crypto4 from "crypto";
+import path12 from "path";
+import os9 from "os";
 import { execSync as execSync5 } from "child_process";
 import { mkdir as mkdir3, writeFile as writeFile3, appendFile } from "fs/promises";
-import { existsSync as existsSync11, readFileSync as readFileSync11 } from "fs";
+import { existsSync as existsSync13, readFileSync as readFileSync12 } from "fs";
 async function writeCheckpoint(input) {
   const client = getClient();
   const row = await resolveTask(client, input.taskId);
@@ -3982,7 +4178,7 @@ async function resolveTask(client, identifier, scopeSession) {
 }
 async function createTaskCore(input) {
   const client = getClient();
-  const id = crypto3.randomUUID();
+  const id = crypto4.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const slug = slugify(input.title);
   let earlySessionScope = null;
@@ -4041,8 +4237,8 @@ ${laneWarning}` : laneWarning;
   }
   if (input.baseDir) {
     try {
-      await mkdir3(path11.join(input.baseDir, "exe", "output"), { recursive: true });
-      await mkdir3(path11.join(input.baseDir, "exe", "research"), { recursive: true });
+      await mkdir3(path12.join(input.baseDir, "exe", "output"), { recursive: true });
+      await mkdir3(path12.join(input.baseDir, "exe", "research"), { recursive: true });
       await ensureArchitectureDoc(input.baseDir, input.projectName);
       await ensureGitignoreExe(input.baseDir);
     } catch {
@@ -4078,13 +4274,19 @@ ${laneWarning}` : laneWarning;
   });
   if (input.baseDir) {
     try {
-      const EXE_OS_DIR = path11.join(os8.homedir(), ".exe-os");
-      const mdPath = path11.join(EXE_OS_DIR, taskFile);
-      const mdDir = path11.dirname(mdPath);
-      if (!existsSync11(mdDir)) await mkdir3(mdDir, { recursive: true });
+      const EXE_OS_DIR = path12.join(os9.homedir(), ".exe-os");
+      const mdPath = path12.join(EXE_OS_DIR, taskFile);
+      const mdDir = path12.dirname(mdPath);
+      if (!existsSync13(mdDir)) await mkdir3(mdDir, { recursive: true });
       const reviewer = input.reviewer ?? input.assignedBy;
       const mdContent = `# ${input.title}
 
+## MANDATORY: When done
+
+You MUST call update_task with status "done" and a result summary when finished.
+If you skip this, your reviewer will not know you're done and your work won't be reviewed.
+Do NOT let a failed commit or any error prevent you from calling update_task(done).
+
 **ID:** ${id}
 **Status:** ${initialStatus}
 **Priority:** ${input.priority}
@@ -4098,12 +4300,6 @@ ${laneWarning}` : laneWarning;
 ## Context
 
 ${input.context}
-
-## MANDATORY: When done
-
-You MUST call update_task with status "done" and a result summary when finished.
-If you skip this, your reviewer will not know you're done and your work won't be reviewed.
-Do NOT let a failed commit or any error prevent you from calling update_task(done).
 `;
       await writeFile3(mdPath, mdContent, "utf-8");
     } catch (err) {
@@ -4352,7 +4548,7 @@ ${input.result}` : `\u26A0\uFE0F ${warning}`;
     await client.execute("PRAGMA wal_checkpoint(PASSIVE)");
   } catch {
   }
-  if (input.status === "done" || input.status === "cancelled") {
+  if (input.status === "done" || input.status === "cancelled" || input.status === "closed") {
     try {
       const { clearQueueForAgent: clearQueueForAgent2 } = await Promise.resolve().then(() => (init_intercom_queue(), intercom_queue_exports));
       clearQueueForAgent2(String(row.assigned_to));
@@ -4381,9 +4577,9 @@ async function deleteTaskCore(taskId, _baseDir) {
   return { taskFile, assignedTo, assignedBy, taskSlug };
 }
 async function ensureArchitectureDoc(baseDir, projectName) {
-  const archPath = path11.join(baseDir, "exe", "ARCHITECTURE.md");
+  const archPath = path12.join(baseDir, "exe", "ARCHITECTURE.md");
   try {
-    if (existsSync11(archPath)) return;
+    if (existsSync13(archPath)) return;
     const template = [
       `# ${projectName} \u2014 System Architecture`,
       "",
@@ -4416,10 +4612,10 @@ async function ensureArchitectureDoc(baseDir, projectName) {
   }
 }
 async function ensureGitignoreExe(baseDir) {
-  const gitignorePath = path11.join(baseDir, ".gitignore");
+  const gitignorePath = path12.join(baseDir, ".gitignore");
   try {
-    if (existsSync11(gitignorePath)) {
-      const content = readFileSync11(gitignorePath, "utf-8");
+    if (existsSync13(gitignorePath)) {
+      const content = readFileSync12(gitignorePath, "utf-8");
       if (/^\/?exe\/?$/m.test(content)) return;
       await appendFile(gitignorePath, "\n# Employee task assignments (private)\n/exe/\n");
     } else {
@@ -4450,58 +4646,42 @@ var init_tasks_crud = __esm({
 });
 
 // src/lib/tasks-review.ts
-import path12 from "path";
-import { existsSync as existsSync12, readdirSync as readdirSync2, unlinkSync as unlinkSync4 } from "fs";
+import path13 from "path";
+import { existsSync as existsSync14, readdirSync as readdirSync2, unlinkSync as unlinkSync4 } from "fs";
 async function countPendingReviews(sessionScope) {
   const client = getClient();
-  if (sessionScope) {
-    const result2 = await client.execute({
-      sql: "SELECT COUNT(*) as cnt FROM tasks WHERE status = 'needs_review' AND session_scope = ?",
-      args: [sessionScope]
-    });
-    return Number(result2.rows[0]?.cnt) || 0;
-  }
+  const scope = strictSessionScopeFilter(
+    sessionScope === void 0 ? getCurrentSessionScope() : sessionScope
+  );
   const result = await client.execute({
-    sql: "SELECT COUNT(*) as cnt FROM tasks WHERE status = 'needs_review'",
-    args: []
+    sql: `SELECT COUNT(*) as cnt FROM tasks
+          WHERE status = 'needs_review'${scope.sql}`,
+    args: [...scope.args]
   });
   return Number(result.rows[0]?.cnt) || 0;
 }
 async function countNewPendingReviewsSince(sinceIso, sessionScope) {
   const client = getClient();
-  if (sessionScope) {
-    const result2 = await client.execute({
-      sql: `SELECT COUNT(*) as cnt FROM tasks
-            WHERE status = 'needs_review' AND updated_at > ?
-              AND session_scope = ?`,
-      args: [sinceIso, sessionScope]
-    });
-    return Number(result2.rows[0]?.cnt) || 0;
-  }
+  const scope = strictSessionScopeFilter(
+    sessionScope === void 0 ? getCurrentSessionScope() : sessionScope
+  );
   const result = await client.execute({
     sql: `SELECT COUNT(*) as cnt FROM tasks
-          WHERE status = 'needs_review' AND updated_at > ?`,
-    args: [sinceIso]
+          WHERE status = 'needs_review' AND updated_at > ?${scope.sql}`,
+    args: [sinceIso, ...scope.args]
   });
   return Number(result.rows[0]?.cnt) || 0;
 }
 async function listPendingReviews(limit, sessionScope) {
   const client = getClient();
-  if (sessionScope) {
-    const result2 = await client.execute({
-      sql: `SELECT title, assigned_to, project_name, updated_at FROM tasks
-            WHERE status = 'needs_review'
-              AND session_scope = ?
-            ORDER BY updated_at ASC LIMIT ?`,
-      args: [sessionScope, limit]
-    });
-    return result2.rows;
-  }
+  const scope = strictSessionScopeFilter(
+    sessionScope === void 0 ? getCurrentSessionScope() : sessionScope
+  );
   const result = await client.execute({
     sql: `SELECT title, assigned_to, project_name, updated_at FROM tasks
-          WHERE status = 'needs_review'
+          WHERE status = 'needs_review'${scope.sql}
           ORDER BY updated_at ASC LIMIT ?`,
-    args: [limit]
+    args: [...scope.args, limit]
   });
   return result.rows;
 }
@@ -4513,7 +4693,7 @@ async function cleanupOrphanedReviews() {
           WHERE status IN ('open', 'needs_review', 'in_progress')
           AND assigned_by = 'system'
           AND title LIKE 'Review:%'
-          AND parent_task_id IN (SELECT id FROM tasks WHERE status IN ('done', 'cancelled'))`,
+          AND parent_task_id IN (SELECT id FROM tasks WHERE status IN ('done', 'cancelled', 'closed'))`,
     args: [now]
   });
   const r1b = await client.execute({
@@ -4632,11 +4812,11 @@ async function cleanupReviewFile(row, taskFile, _baseDir) {
     );
   }
   try {
-    const cacheDir = path12.join(EXE_AI_DIR, "session-cache");
-    if (existsSync12(cacheDir)) {
+    const cacheDir = path13.join(EXE_AI_DIR, "session-cache");
+    if (existsSync14(cacheDir)) {
       for (const f of readdirSync2(cacheDir)) {
         if (f.startsWith("review-notified-")) {
-          unlinkSync4(path12.join(cacheDir, f));
+          unlinkSync4(path13.join(cacheDir, f));
         }
       }
     }
@@ -4653,11 +4833,12 @@ var init_tasks_review = __esm({
     init_tmux_routing();
     init_session_key();
     init_state_bus();
+    init_task_scope();
   }
 });
 
 // src/lib/tasks-chain.ts
-import path13 from "path";
+import path14 from "path";
 import { readFile as readFile3, writeFile as writeFile4 } from "fs/promises";
 async function cascadeUnblock(taskId, baseDir, now) {
   const client = getClient();
@@ -4674,7 +4855,7 @@ async function cascadeUnblock(taskId, baseDir, now) {
     });
     for (const ur of unblockedRows.rows) {
       try {
-        const ubFile = path13.join(baseDir, String(ur.task_file));
+        const ubFile = path14.join(baseDir, String(ur.task_file));
         let ubContent = await readFile3(ubFile, "utf-8");
         ubContent = ubContent.replace(/\*\*Status:\*\* blocked/, "**Status:** open");
         ubContent = ubContent.replace(/\n\*\*Blocked by:\*\*.*\n/, "\n");
@@ -4709,7 +4890,7 @@ async function checkSubtaskCompletion(parentTaskId, projectName) {
   const scScope = sessionScopeFilter();
   const remaining = await client.execute({
     sql: `SELECT COUNT(*) as cnt FROM tasks
-          WHERE parent_task_id = ? AND status NOT IN ('done', 'cancelled')${scScope.sql}`,
+          WHERE parent_task_id = ? AND status NOT IN ('done', 'cancelled', 'closed')${scScope.sql}`,
     args: [parentTaskId, ...scScope.args]
   });
   const cnt = Number(remaining.rows[0]?.cnt ?? 1);
@@ -4743,7 +4924,7 @@ var init_tasks_chain = __esm({
 
 // src/lib/project-name.ts
 import { execSync as execSync6 } from "child_process";
-import path14 from "path";
+import path15 from "path";
 function getProjectName(cwd2) {
   const dir = cwd2 ?? process.cwd();
   if (_cached2 && _cachedCwd === dir) return _cached2;
@@ -4756,7 +4937,7 @@ function getProjectName(cwd2) {
         timeout: 2e3,
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
-      repoRoot = path14.dirname(gitCommonDir);
+      repoRoot = path15.dirname(gitCommonDir);
     } catch {
       repoRoot = execSync6("git rev-parse --show-toplevel", {
         cwd: dir,
@@ -4765,11 +4946,11 @@ function getProjectName(cwd2) {
         stdio: ["pipe", "pipe", "pipe"]
       }).trim();
     }
-    _cached2 = path14.basename(repoRoot);
+    _cached2 = path15.basename(repoRoot);
     _cachedCwd = dir;
     return _cached2;
   } catch {
-    _cached2 = path14.basename(dir);
+    _cached2 = path15.basename(dir);
     _cachedCwd = dir;
     return _cached2;
   }
@@ -4912,10 +5093,10 @@ var init_tasks_notify = __esm({
 });
 
 // src/lib/behaviors.ts
-import crypto4 from "crypto";
+import crypto5 from "crypto";
 async function storeBehavior(opts) {
   const client = getClient();
-  const id = crypto4.randomUUID();
+  const id = crypto5.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   await client.execute({
     sql: `INSERT INTO behaviors (id, agent_id, project_name, domain, priority, content, active, created_at, updated_at)
@@ -4944,7 +5125,7 @@ __export(skill_learning_exports, {
   storeTrajectory: () => storeTrajectory,
   sweepTrajectories: () => sweepTrajectories
 });
-import crypto5 from "crypto";
+import crypto6 from "crypto";
 async function extractTrajectory(taskId, agentId) {
   const client = getClient();
   const result = await client.execute({
@@ -4973,11 +5154,11 @@ async function extractTrajectory(taskId, agentId) {
   return signature;
 }
 function hashSignature(signature) {
-  return crypto5.createHash("sha256").update(signature.join("|")).digest("hex").slice(0, 16);
+  return crypto6.createHash("sha256").update(signature.join("|")).digest("hex").slice(0, 16);
 }
 async function storeTrajectory(opts) {
   const client = getClient();
-  const id = crypto5.randomUUID();
+  const id = crypto6.randomUUID();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const signatureHash = hashSignature(opts.signature);
   await client.execute({
@@ -5242,8 +5423,8 @@ __export(tasks_exports, {
   updateTaskStatus: () => updateTaskStatus,
   writeCheckpoint: () => writeCheckpoint
 });
-import path15 from "path";
-import { writeFileSync as writeFileSync6, mkdirSync as mkdirSync5, unlinkSync as unlinkSync5 } from "fs";
+import path16 from "path";
+import { writeFileSync as writeFileSync7, mkdirSync as mkdirSync5, unlinkSync as unlinkSync5 } from "fs";
 async function createTask(input) {
   const result = await createTaskCore(input);
   if (!input.skipDispatch && result.status !== "blocked" && !process.env.VITEST) {
@@ -5262,12 +5443,12 @@ async function updateTask(input) {
   const { row, taskFile, now, taskId } = await updateTaskStatus(input);
   try {
     const agent = String(row.assigned_to);
-    const cacheDir = path15.join(EXE_AI_DIR, "session-cache");
-    const cachePath = path15.join(cacheDir, `current-task-${agent}.json`);
+    const cacheDir = path16.join(EXE_AI_DIR, "session-cache");
+    const cachePath = path16.join(cacheDir, `current-task-${agent}.json`);
     if (input.status === "in_progress") {
       mkdirSync5(cacheDir, { recursive: true });
-      writeFileSync6(cachePath, JSON.stringify({ taskId, title: String(row.title) }));
-    } else if (input.status === "done" || input.status === "blocked" || input.status === "cancelled") {
+      writeFileSync7(cachePath, JSON.stringify({ taskId, title: String(row.title) }));
+    } else if (input.status === "done" || input.status === "blocked" || input.status === "cancelled" || input.status === "closed") {
       try {
         unlinkSync5(cachePath);
       } catch {
@@ -5275,10 +5456,10 @@ async function updateTask(input) {
     }
   } catch {
   }
-  if (input.status === "done") {
+  if (input.status === "done" || input.status === "closed") {
     await cleanupReviewFile(row, taskFile, input.baseDir);
   }
-  if (input.status === "done" || input.status === "cancelled") {
+  if (input.status === "done" || input.status === "cancelled" || input.status === "closed") {
     try {
       const client = getClient();
       const taskTitle = String(row.title);
@@ -5294,7 +5475,7 @@ async function updateTask(input) {
     if (!isCoordinatorName(assignedAgent)) {
       try {
         const draftClient = getClient();
-        if (input.status === "done") {
+        if (input.status === "done" || input.status === "closed") {
           await draftClient.execute({
             sql: `UPDATE memories SET draft = 0 WHERE agent_id = ? AND draft = 1`,
             args: [assignedAgent]
@@ -5311,7 +5492,7 @@ async function updateTask(input) {
     try {
       const client = getClient();
       const cascaded = await client.execute({
-        sql: `UPDATE tasks SET status = 'done', updated_at = ?
+        sql: `UPDATE tasks SET status = 'closed', updated_at = ?
               WHERE parent_task_id = ? AND status = 'needs_review'`,
         args: [now, taskId]
       });
@@ -5324,14 +5505,14 @@ async function updateTask(input) {
     } catch {
     }
   }
-  const isTerminal = input.status === "done" || input.status === "needs_review";
+  const isTerminal = input.status === "done" || input.status === "needs_review" || input.status === "closed";
   if (isTerminal) {
     const isCoordinator = isCoordinatorName(String(row.assigned_to));
     if (!isCoordinator) {
       notifyTaskDone();
     }
     await markTaskNotificationsRead(taskFile);
-    if (input.status === "done") {
+    if (input.status === "done" || input.status === "closed") {
       try {
         await cascadeUnblock(taskId, input.baseDir, now);
       } catch {
@@ -5351,7 +5532,7 @@ async function updateTask(input) {
       }
     }
   }
-  if (input.status === "done" && !isCoordinatorName(String(row.assigned_to)) && !process.env.VITEST) {
+  if ((input.status === "done" || input.status === "closed") && !isCoordinatorName(String(row.assigned_to)) && !process.env.VITEST) {
     Promise.resolve().then(() => (init_skill_learning(), skill_learning_exports)).then(
       ({ captureAndLearn: captureAndLearn2 }) => captureAndLearn2({
         taskId,
@@ -5723,6 +5904,7 @@ __export(tmux_routing_exports, {
   isEmployeeAlive: () => isEmployeeAlive,
   isExeSession: () => isExeSession,
   isSessionBusy: () => isSessionBusy,
+  notifyCoordinatorTaskCompletion: () => notifyCoordinatorTaskCompletion,
   notifyParentExe: () => notifyParentExe,
   parseParentExe: () => parseParentExe,
   registerParentExe: () => registerParentExe,
@@ -5733,13 +5915,13 @@ __export(tmux_routing_exports, {
   verifyPaneAtCapacity: () => verifyPaneAtCapacity
 });
 import { execFileSync as execFileSync3, execSync as execSync7 } from "child_process";
-import { readFileSync as readFileSync12, writeFileSync as writeFileSync7, mkdirSync as mkdirSync6, existsSync as existsSync13, appendFileSync, readdirSync as readdirSync3 } from "fs";
-import path16 from "path";
-import os9 from "os";
+import { readFileSync as readFileSync13, writeFileSync as writeFileSync8, mkdirSync as mkdirSync6, existsSync as existsSync15, appendFileSync, readdirSync as readdirSync3 } from "fs";
+import path17 from "path";
+import os10 from "os";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { unlinkSync as unlinkSync6 } from "fs";
 function spawnLockPath(sessionName) {
-  return path16.join(SPAWN_LOCK_DIR, `${sessionName}.lock`);
+  return path17.join(SPAWN_LOCK_DIR, `${sessionName}.lock`);
 }
 function isProcessAlive(pid) {
   try {
@@ -5750,13 +5932,13 @@ function isProcessAlive(pid) {
   }
 }
 function acquireSpawnLock2(sessionName) {
-  if (!existsSync13(SPAWN_LOCK_DIR)) {
+  if (!existsSync15(SPAWN_LOCK_DIR)) {
     mkdirSync6(SPAWN_LOCK_DIR, { recursive: true });
   }
   const lockFile = spawnLockPath(sessionName);
-  if (existsSync13(lockFile)) {
+  if (existsSync15(lockFile)) {
     try {
-      const lock = JSON.parse(readFileSync12(lockFile, "utf8"));
+      const lock = JSON.parse(readFileSync13(lockFile, "utf8"));
       const age = Date.now() - lock.timestamp;
       if (isProcessAlive(lock.pid) && age < 6e4) {
         return false;
@@ -5764,7 +5946,7 @@ function acquireSpawnLock2(sessionName) {
     } catch {
     }
   }
-  writeFileSync7(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
+  writeFileSync8(lockFile, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
   return true;
 }
 function releaseSpawnLock2(sessionName) {
@@ -5776,13 +5958,13 @@ function releaseSpawnLock2(sessionName) {
 function resolveBehaviorsExporterScript() {
   try {
     const thisFile = fileURLToPath2(import.meta.url);
-    const scriptPath = path16.join(
-      path16.dirname(thisFile),
+    const scriptPath = path17.join(
+      path17.dirname(thisFile),
       "..",
       "bin",
       "exe-export-behaviors.js"
     );
-    return existsSync13(scriptPath) ? scriptPath : null;
+    return existsSync15(scriptPath) ? scriptPath : null;
   } catch {
     return null;
   }
@@ -5848,12 +6030,12 @@ function extractRootExe(name) {
   return parts.length > 0 ? parts[parts.length - 1] : null;
 }
 function registerParentExe(sessionKey, parentExe, dispatchedBy) {
-  if (!existsSync13(SESSION_CACHE)) {
+  if (!existsSync15(SESSION_CACHE)) {
     mkdirSync6(SESSION_CACHE, { recursive: true });
   }
   const rootExe = extractRootExe(parentExe) ?? parentExe;
-  const filePath = path16.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`);
-  writeFileSync7(filePath, JSON.stringify({
+  const filePath = path17.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`);
+  writeFileSync8(filePath, JSON.stringify({
     parentExe: rootExe,
     dispatchedBy: dispatchedBy || rootExe,
     registeredAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -5861,7 +6043,7 @@ function registerParentExe(sessionKey, parentExe, dispatchedBy) {
 }
 function getParentExe(sessionKey) {
   try {
-    const data = JSON.parse(readFileSync12(path16.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
+    const data = JSON.parse(readFileSync13(path17.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`), "utf8"));
     return data.parentExe || null;
   } catch {
     return null;
@@ -5869,8 +6051,8 @@ function getParentExe(sessionKey) {
 }
 function getDispatchedBy(sessionKey) {
   try {
-    const data = JSON.parse(readFileSync12(
-      path16.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`),
+    const data = JSON.parse(readFileSync13(
+      path17.join(SESSION_CACHE, `parent-exe-${sessionKey}.json`),
       "utf8"
     ));
     return data.dispatchedBy ?? data.parentExe ?? null;
@@ -5940,8 +6122,8 @@ async function verifyPaneAtCapacity(sessionName) {
 }
 function readDebounceState() {
   try {
-    if (!existsSync13(DEBOUNCE_FILE)) return {};
-    const raw = JSON.parse(readFileSync12(DEBOUNCE_FILE, "utf8"));
+    if (!existsSync15(DEBOUNCE_FILE)) return {};
+    const raw = JSON.parse(readFileSync13(DEBOUNCE_FILE, "utf8"));
     const state = {};
     for (const [key, val] of Object.entries(raw)) {
       if (typeof val === "number") {
@@ -5957,8 +6139,8 @@ function readDebounceState() {
 }
 function writeDebounceState(state) {
   try {
-    if (!existsSync13(SESSION_CACHE)) mkdirSync6(SESSION_CACHE, { recursive: true });
-    writeFileSync7(DEBOUNCE_FILE, JSON.stringify(state));
+    if (!existsSync15(SESSION_CACHE)) mkdirSync6(SESSION_CACHE, { recursive: true });
+    writeFileSync8(DEBOUNCE_FILE, JSON.stringify(state));
   } catch {
   }
 }
@@ -6056,8 +6238,8 @@ function sendIntercom(targetSession) {
     try {
       const rawAgent = targetSession.split("-")[0] ?? targetSession;
       const agent = baseAgentName(rawAgent);
-      const markerPath = path16.join(SESSION_CACHE, `current-task-${agent}.json`);
-      if (existsSync13(markerPath)) {
+      const markerPath = path17.join(SESSION_CACHE, `current-task-${agent}.json`);
+      if (existsSync15(markerPath)) {
         logIntercom(`SKIP \u2192 ${targetSession} (has in_progress task marker \u2014 will auto-chain)`);
         return "debounced";
       }
@@ -6066,8 +6248,8 @@ function sendIntercom(targetSession) {
     try {
       const rawAgent = targetSession.split("-")[0] ?? targetSession;
       const agent = baseAgentName(rawAgent);
-      const taskDir = path16.join(process.cwd(), "exe", agent);
-      if (existsSync13(taskDir)) {
+      const taskDir = path17.join(process.cwd(), "exe", agent);
+      if (existsSync15(taskDir)) {
         const files = readdirSync3(taskDir).filter(
           (f) => f.endsWith(".md") && f !== "DONE.txt"
         );
@@ -6127,6 +6309,21 @@ function notifyParentExe(sessionKey) {
   }
   return true;
 }
+function notifyCoordinatorTaskCompletion(coordinatorSession, agentName, taskTitle) {
+  const transport = getTransport();
+  try {
+    const sessions = transport.listSessions();
+    if (!sessions.includes(coordinatorSession)) return false;
+    execSync7(
+      `tmux send-keys -t ${JSON.stringify(coordinatorSession)} '/exe-intercom' Enter`,
+      { timeout: 3e3 }
+    );
+    logIntercom(`COMPLETION \u2192 ${coordinatorSession} (${agentName} completed "${taskTitle.slice(0, 50)}")`);
+    return true;
+  } catch {
+    return false;
+  }
+}
 function ensureEmployee(employeeName, exeSession, projectDir, opts) {
   if (isCoordinatorName(employeeName)) {
     return { status: "failed", sessionName: "", error: "The COO is not a dispatchable employee" };
@@ -6200,26 +6397,26 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   const transport = getTransport();
   const sessionName = employeeSessionName(employeeName, exeSession, opts?.instance);
   const instanceLabel = opts?.instance != null && opts.instance > 0 ? `${employeeName}${opts.instance}` : employeeName;
-  const logDir = path16.join(os9.homedir(), ".exe-os", "session-logs");
-  const logFile = path16.join(logDir, `${instanceLabel}-${Date.now()}.log`);
-  if (!existsSync13(logDir)) {
+  const logDir = path17.join(os10.homedir(), ".exe-os", "session-logs");
+  const logFile = path17.join(logDir, `${instanceLabel}-${Date.now()}.log`);
+  if (!existsSync15(logDir)) {
     mkdirSync6(logDir, { recursive: true });
   }
   transport.kill(sessionName);
   let cleanupSuffix = "";
   try {
     const thisFile = fileURLToPath2(import.meta.url);
-    const cleanupScript = path16.join(path16.dirname(thisFile), "..", "bin", "exe-session-cleanup.js");
-    if (existsSync13(cleanupScript)) {
+    const cleanupScript = path17.join(path17.dirname(thisFile), "..", "bin", "exe-session-cleanup.js");
+    if (existsSync15(cleanupScript)) {
       cleanupSuffix = `; ${process.execPath} "${cleanupScript}" "${employeeName}" "${exeSession}"`;
     }
   } catch {
   }
   try {
-    const claudeJsonPath = path16.join(os9.homedir(), ".claude.json");
+    const claudeJsonPath = path17.join(os10.homedir(), ".claude.json");
     let claudeJson = {};
     try {
-      claudeJson = JSON.parse(readFileSync12(claudeJsonPath, "utf8"));
+      claudeJson = JSON.parse(readFileSync13(claudeJsonPath, "utf8"));
     } catch {
     }
     if (!claudeJson.projects) claudeJson.projects = {};
@@ -6227,17 +6424,17 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     const trustDir = opts?.cwd ?? projectDir;
     if (!projects[trustDir]) projects[trustDir] = {};
     projects[trustDir].hasTrustDialogAccepted = true;
-    writeFileSync7(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
+    writeFileSync8(claudeJsonPath, JSON.stringify(claudeJson, null, 2) + "\n");
   } catch {
   }
   try {
-    const settingsDir = path16.join(os9.homedir(), ".claude", "projects");
+    const settingsDir = path17.join(os10.homedir(), ".claude", "projects");
     const normalizedKey = (opts?.cwd ?? projectDir).replace(/\//g, "-").replace(/^-/, "");
-    const projSettingsDir = path16.join(settingsDir, normalizedKey);
-    const settingsPath = path16.join(projSettingsDir, "settings.json");
+    const projSettingsDir = path17.join(settingsDir, normalizedKey);
+    const settingsPath = path17.join(projSettingsDir, "settings.json");
     let settings = {};
     try {
-      settings = JSON.parse(readFileSync12(settingsPath, "utf8"));
+      settings = JSON.parse(readFileSync13(settingsPath, "utf8"));
     } catch {
     }
     const perms = settings.permissions ?? {};
@@ -6266,7 +6463,7 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
       perms.allow = allow;
       settings.permissions = perms;
       mkdirSync6(projSettingsDir, { recursive: true });
-      writeFileSync7(settingsPath, JSON.stringify(settings, null, 2) + "\n");
+      writeFileSync8(settingsPath, JSON.stringify(settings, null, 2) + "\n");
     }
   } catch {
   }
@@ -6281,8 +6478,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   let behaviorsFlag = "";
   let legacyFallbackWarned = false;
   if (!useExeAgent && !useBinSymlink) {
-    const identityPath = path16.join(
-      os9.homedir(),
+    const identityPath = path17.join(
+      os10.homedir(),
       ".exe-os",
       "identity",
       `${employeeName}.md`
@@ -6291,13 +6488,13 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
     const hasAgentFlag = claudeSupportsAgentFlag();
     if (hasAgentFlag) {
       identityFlag = ` --agent ${employeeName}`;
-    } else if (existsSync13(identityPath)) {
+    } else if (existsSync15(identityPath)) {
       identityFlag = ` --append-system-prompt-file ${identityPath}`;
       legacyFallbackWarned = true;
     }
     const behaviorsFile = exportBehaviorsSync(
       employeeName,
-      path16.basename(spawnCwd),
+      path17.basename(spawnCwd),
       sessionName
     );
     if (behaviorsFile) {
@@ -6312,16 +6509,16 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   }
   let sessionContextFlag = "";
   try {
-    const ctxDir = path16.join(os9.homedir(), ".exe-os", "session-cache");
+    const ctxDir = path17.join(os10.homedir(), ".exe-os", "session-cache");
     mkdirSync6(ctxDir, { recursive: true });
-    const ctxFile = path16.join(ctxDir, `session-context-${sessionName}.md`);
+    const ctxFile = path17.join(ctxDir, `session-context-${sessionName}.md`);
     const ctxContent = [
       `## Session Context`,
       `You are running in tmux session: ${sessionName}.`,
       `Your parent coordinator session is ${exeSession}.`,
       `Your employees (if any) use the -${exeSession} suffix.`
     ].join("\n");
-    writeFileSync7(ctxFile, ctxContent);
+    writeFileSync8(ctxFile, ctxContent);
     sessionContextFlag = ` --append-system-prompt-file ${ctxFile}`;
   } catch {
   }
@@ -6398,8 +6595,8 @@ function spawnEmployee(employeeName, exeSession, projectDir, opts) {
   transport.pipeLog(sessionName, logFile);
   try {
     const mySession = getMySession();
-    const dispatchInfo = path16.join(SESSION_CACHE, `dispatch-info-${sessionName}.json`);
-    writeFileSync7(dispatchInfo, JSON.stringify({
+    const dispatchInfo = path17.join(SESSION_CACHE, `dispatch-info-${sessionName}.json`);
+    writeFileSync8(dispatchInfo, JSON.stringify({
       dispatchedBy: mySession,
       rootExe: exeSession,
       provider: useBinSymlink ? ccProvider : useExeAgent ? opts.provider : useCodex ? "openai" : useOpencode ? "opencode" : "anthropic",
@@ -6473,15 +6670,15 @@ var init_tmux_routing = __esm({
     init_intercom_queue();
     init_plan_limits();
     init_employees();
-    SPAWN_LOCK_DIR = path16.join(os9.homedir(), ".exe-os", "spawn-locks");
-    SESSION_CACHE = path16.join(os9.homedir(), ".exe-os", "session-cache");
+    SPAWN_LOCK_DIR = path17.join(os10.homedir(), ".exe-os", "spawn-locks");
+    SESSION_CACHE = path17.join(os10.homedir(), ".exe-os", "session-cache");
     BEHAVIORS_EXPORT_TIMEOUT_MS = 1e4;
     VALID_SESSION_NAME = /^[a-z]+\d*-[a-zA-Z0-9_]+$/;
     VERIFY_PANE_LINES = 200;
     INTERCOM_DEBOUNCE_MS = 3e4;
     CODEX_DEBOUNCE_MS = 12e4;
-    INTERCOM_LOG2 = path16.join(os9.homedir(), ".exe-os", "intercom.log");
-    DEBOUNCE_FILE = path16.join(SESSION_CACHE, "intercom-debounce.json");
+    INTERCOM_LOG2 = path17.join(os10.homedir(), ".exe-os", "intercom.log");
+    DEBOUNCE_FILE = path17.join(SESSION_CACHE, "intercom-debounce.json");
     DEBOUNCE_CLEANUP_AGE_MS = 5 * 60 * 1e3;
     BUSY_PATTERN = /[✻✽✶✳·].*…|Running…|• Working|• Ran |• Explored|• Called|esc to interrupt/;
   }
@@ -6491,7 +6688,8 @@ var init_tmux_routing = __esm({
 var task_scope_exports = {};
 __export(task_scope_exports, {
   getCurrentSessionScope: () => getCurrentSessionScope,
-  sessionScopeFilter: () => sessionScopeFilter
+  sessionScopeFilter: () => sessionScopeFilter,
+  strictSessionScopeFilter: () => strictSessionScopeFilter
 });
 function getCurrentSessionScope() {
   try {
@@ -6509,6 +6707,15 @@ function sessionScopeFilter(sessionScope, tableAlias) {
     args: [scope]
   };
 }
+function strictSessionScopeFilter(sessionScope, tableAlias) {
+  const scope = sessionScope !== void 0 ? sessionScope : getCurrentSessionScope();
+  if (!scope) return { sql: "", args: [] };
+  const col = tableAlias ? `${tableAlias}.session_scope` : "session_scope";
+  return {
+    sql: ` AND ${col} = ?`,
+    args: [scope]
+  };
+}
 var init_task_scope = __esm({
   "src/lib/task-scope.ts"() {
     "use strict";
@@ -8367,10 +8574,10 @@ var init_hooks = __esm({
 });
 
 // src/runtime/safety-checks.ts
-import path17 from "path";
-import os10 from "os";
+import path18 from "path";
+import os11 from "os";
 function checkPathSafety(filePath) {
-  const resolved = path17.resolve(filePath);
+  const resolved = path18.resolve(filePath);
   for (const { pattern, reason } of BYPASS_IMMUNE_PATTERNS) {
     const matches = typeof pattern === "function" ? pattern(resolved) : pattern.test(resolved);
     if (matches) {
@@ -8380,7 +8587,7 @@ function checkPathSafety(filePath) {
   return { safe: true, bypassImmune: true };
 }
 function checkReadPathSafety(filePath) {
-  const resolved = path17.resolve(filePath);
+  const resolved = path18.resolve(filePath);
   const credPatterns = BYPASS_IMMUNE_PATTERNS.filter(
     (p) => typeof p.pattern !== "function" && (p.reason.includes("secrets") || p.reason.includes("Private key") || p.reason.includes("Credential"))
   );
@@ -8395,7 +8602,7 @@ var HOME, BYPASS_IMMUNE_PATTERNS;
 var init_safety_checks = __esm({
   "src/runtime/safety-checks.ts"() {
     "use strict";
-    HOME = os10.homedir();
+    HOME = os11.homedir();
     BYPASS_IMMUNE_PATTERNS = [
       {
         pattern: /\/\.git\/hooks\//,
@@ -8406,11 +8613,11 @@ var init_safety_checks = __esm({
         reason: "Git config can set hooks and command execution"
       },
       {
-        pattern: (p) => p.startsWith(path17.join(HOME, ".claude")),
+        pattern: (p) => p.startsWith(path18.join(HOME, ".claude")),
         reason: "Claude configuration files are protected"
       },
       {
-        pattern: (p) => p.startsWith(path17.join(HOME, ".exe-os")),
+        pattern: (p) => p.startsWith(path18.join(HOME, ".exe-os")),
         reason: "exe-os configuration files are protected"
       },
       {
@@ -8427,7 +8634,7 @@ var init_safety_checks = __esm({
       },
       {
         pattern: (p) => {
-          const name = path17.basename(p);
+          const name = path18.basename(p);
           return [".bashrc", ".zshrc", ".profile", ".bash_profile", ".zprofile", ".zshenv"].includes(name);
         },
         reason: "Shell configuration files can execute arbitrary code on login"
@@ -8454,7 +8661,7 @@ __export(file_read_exports, {
   FileReadTool: () => FileReadTool
 });
 import fs3 from "fs/promises";
-import path18 from "path";
+import path19 from "path";
 import { z } from "zod";
 function isBinary(buf) {
   for (let i = 0; i < buf.length; i++) {
@@ -8490,7 +8697,7 @@ var init_file_read = __esm({
         return { behavior: "allow" };
       },
       async call(input, context) {
-        const filePath = path18.isAbsolute(input.file_path) ? input.file_path : path18.resolve(context.cwd, input.file_path);
+        const filePath = path19.isAbsolute(input.file_path) ? input.file_path : path19.resolve(context.cwd, input.file_path);
         let stat;
         try {
           stat = await fs3.stat(filePath);
@@ -8530,7 +8737,7 @@ __export(glob_exports, {
   GlobTool: () => GlobTool
 });
 import fs4 from "fs/promises";
-import path19 from "path";
+import path20 from "path";
 import { z as z2 } from "zod";
 async function walkDir(dir, maxDepth = 10) {
   const results = [];
@@ -8546,7 +8753,7 @@ async function walkDir(dir, maxDepth = 10) {
       if (entry.isDirectory() && (entry.name === "node_modules" || entry.name === ".git")) {
         continue;
       }
-      const fullPath = path19.join(current, entry.name);
+      const fullPath = path20.join(current, entry.name);
       if (entry.isDirectory()) {
         await walk(fullPath, depth + 1);
       } else {
@@ -8580,11 +8787,11 @@ var init_glob = __esm({
       inputSchema: inputSchema2,
       isReadOnly: true,
       async call(input, context) {
-        const baseDir = input.path ? path19.isAbsolute(input.path) ? input.path : path19.resolve(context.cwd, input.path) : context.cwd;
+        const baseDir = input.path ? path20.isAbsolute(input.path) ? input.path : path20.resolve(context.cwd, input.path) : context.cwd;
         try {
           const entries = await walkDir(baseDir);
           const matched = entries.filter(
-            (e) => simpleGlobMatch(path19.relative(baseDir, e.path), input.pattern)
+            (e) => simpleGlobMatch(path20.relative(baseDir, e.path), input.pattern)
           );
           matched.sort((a, b) => b.mtime - a.mtime);
           if (matched.length === 0) {
@@ -8610,7 +8817,7 @@ __export(grep_exports, {
 });
 import { spawn as spawn2 } from "child_process";
 import fs5 from "fs/promises";
-import path20 from "path";
+import path21 from "path";
 import { z as z3 } from "zod";
 function runRipgrep(input, searchPath, context) {
   return new Promise((resolve, reject) => {
@@ -8664,7 +8871,7 @@ async function nodeGrep(input, searchPath) {
     }
     for (const entry of entries) {
       if (entry.name === "node_modules" || entry.name === ".git") continue;
-      const fullPath = path20.join(dir, entry.name);
+      const fullPath = path21.join(dir, entry.name);
       if (entry.isDirectory()) {
         await walk(fullPath);
       } else {
@@ -8710,7 +8917,7 @@ var init_grep = __esm({
       inputSchema: inputSchema3,
       isReadOnly: true,
       async call(input, context) {
-        const searchPath = input.path ? path20.isAbsolute(input.path) ? input.path : path20.resolve(context.cwd, input.path) : context.cwd;
+        const searchPath = input.path ? path21.isAbsolute(input.path) ? input.path : path21.resolve(context.cwd, input.path) : context.cwd;
         try {
           const result = await runRipgrep(input, searchPath, context);
           return result;
@@ -8735,7 +8942,7 @@ __export(file_write_exports, {
   FileWriteTool: () => FileWriteTool
 });
 import fs6 from "fs/promises";
-import path21 from "path";
+import path22 from "path";
 import { z as z4 } from "zod";
 var inputSchema4, FileWriteTool;
 var init_file_write = __esm({
@@ -8763,8 +8970,8 @@ var init_file_write = __esm({
         return { behavior: "allow" };
       },
       async call(input, context) {
-        const filePath = path21.isAbsolute(input.file_path) ? input.file_path : path21.resolve(context.cwd, input.file_path);
-        const dir = path21.dirname(filePath);
+        const filePath = path22.isAbsolute(input.file_path) ? input.file_path : path22.resolve(context.cwd, input.file_path);
+        const dir = path22.dirname(filePath);
         await fs6.mkdir(dir, { recursive: true });
         await fs6.writeFile(filePath, input.content, "utf-8");
         return {
@@ -8782,7 +8989,7 @@ __export(file_edit_exports, {
   FileEditTool: () => FileEditTool
 });
 import fs7 from "fs/promises";
-import path22 from "path";
+import path23 from "path";
 import { z as z5 } from "zod";
 function countOccurrences(haystack, needle) {
   let count = 0;
@@ -8823,7 +9030,7 @@ var init_file_edit = __esm({
         return { behavior: "allow" };
       },
       async call(input, context) {
-        const filePath = path22.isAbsolute(input.file_path) ? input.file_path : path22.resolve(context.cwd, input.file_path);
+        const filePath = path23.isAbsolute(input.file_path) ? input.file_path : path23.resolve(context.cwd, input.file_path);
         let content;
         try {
           content = await fs7.readFile(filePath, "utf-8");
@@ -9430,6 +9637,133 @@ ${task.context}`,
   }
 });
 
+// src/lib/tui-data.ts
+var tui_data_exports = {};
+__export(tui_data_exports, {
+  loadMemoryDashboard: () => loadMemoryDashboard,
+  loadTaskList: () => loadTaskList,
+  loadTeamMetrics: () => loadTeamMetrics,
+  searchWikiMemoryRows: () => searchWikiMemoryRows
+});
+async function loadMemoryDashboard(limit) {
+  const client = getClient();
+  const [countResult, recentResult, agentResult] = await Promise.all([
+    client.execute("SELECT COUNT(*) as cnt FROM memories"),
+    client.execute({
+      sql: "SELECT agent_id, tool_name, project_name, raw_text, timestamp FROM memories ORDER BY timestamp DESC LIMIT ?",
+      args: [limit]
+    }),
+    client.execute("SELECT agent_id, COUNT(*) as cnt FROM memories GROUP BY agent_id ORDER BY cnt DESC")
+  ]);
+  return {
+    total: Number(countResult.rows[0]?.cnt ?? 0),
+    recent: recentResult.rows.map((row) => ({
+      agentId: String(row.agent_id ?? "unknown"),
+      toolName: String(row.tool_name ?? ""),
+      projectName: String(row.project_name ?? ""),
+      rawText: String(row.raw_text ?? ""),
+      timestamp: String(row.timestamp ?? "")
+    })),
+    byAgent: agentResult.rows.map((row) => ({
+      agentId: String(row.agent_id ?? "unknown"),
+      count: Number(row.cnt ?? 0)
+    }))
+  };
+}
+async function loadTeamMetrics(employeeNames) {
+  const client = getClient();
+  const memoryCounts = /* @__PURE__ */ new Map();
+  const projectsByEmployee = /* @__PURE__ */ new Map();
+  const currentTaskByEmployee = /* @__PURE__ */ new Map();
+  const scope = sessionScopeFilter();
+  const memResult = await client.execute("SELECT agent_id, COUNT(*) as cnt FROM memories GROUP BY agent_id");
+  for (const row of memResult.rows) {
+    memoryCounts.set(String(row.agent_id), Number(row.cnt));
+  }
+  for (const employeeName of employeeNames) {
+    const [projectResult, taskResult] = await Promise.all([
+      client.execute({
+        sql: `SELECT DISTINCT project_name,
+                     MAX(CASE WHEN status = 'in_progress' THEN 1 WHEN status = 'open' THEN 2 ELSE 3 END) as urgency
+              FROM tasks
+              WHERE assigned_to = ? AND status IN ('open','in_progress','done')${scope.sql}
+              GROUP BY project_name
+              ORDER BY urgency ASC
+              LIMIT 5`,
+        args: [employeeName, ...scope.args]
+      }),
+      client.execute({
+        sql: `SELECT title FROM tasks
+              WHERE assigned_to = ? AND status = 'in_progress'${scope.sql}
+              ORDER BY updated_at DESC
+              LIMIT 1`,
+        args: [employeeName, ...scope.args]
+      })
+    ]);
+    const projects = projectResult.rows.map((row) => {
+      const urgency = Number(row.urgency);
+      return {
+        name: String(row.project_name),
+        status: urgency === 1 ? "active" : urgency === 2 ? "has_tasks" : "idle"
+      };
+    });
+    if (projects.length > 0) projectsByEmployee.set(employeeName, projects);
+    if (taskResult.rows.length > 0) {
+      currentTaskByEmployee.set(employeeName, String(taskResult.rows[0].title));
+    }
+  }
+  return { memoryCounts, projectsByEmployee, currentTaskByEmployee };
+}
+async function loadTaskList() {
+  const client = getClient();
+  const scope = sessionScopeFilter();
+  const result = await client.execute({
+    sql: `SELECT id, title, priority, assigned_to, assigned_by, status, project_name, created_at, result
+          FROM tasks
+          WHERE 1=1${scope.sql}
+          ORDER BY
+            CASE status WHEN 'in_progress' THEN 0 WHEN 'open' THEN 1 WHEN 'blocked' THEN 2 WHEN 'needs_review' THEN 3 WHEN 'done' THEN 4 ELSE 5 END,
+            CASE priority WHEN 'p0' THEN 0 WHEN 'p1' THEN 1 WHEN 'p2' THEN 2 ELSE 3 END,
+            created_at DESC`,
+    args: [...scope.args]
+  });
+  return result.rows.map((row) => ({
+    id: String(row.id ?? ""),
+    title: String(row.title ?? ""),
+    priority: String(row.priority ?? "p2").toUpperCase(),
+    assignedTo: String(row.assigned_to ?? ""),
+    assignedBy: String(row.assigned_by ?? ""),
+    status: String(row.status ?? "open"),
+    projectName: String(row.project_name ?? ""),
+    createdAt: String(row.created_at ?? ""),
+    result: String(row.result ?? "")
+  }));
+}
+async function searchWikiMemoryRows(query) {
+  const client = getClient();
+  const result = await client.execute({
+    sql: `SELECT id, agent_id, raw_text, timestamp, project_name
+          FROM memories
+          WHERE raw_text LIKE ? AND COALESCE(status, 'active') = 'active'
+          ORDER BY timestamp DESC LIMIT 20`,
+    args: [`%${query}%`]
+  });
+  return result.rows.map((row) => ({
+    id: String(row.id),
+    agentId: String(row.agent_id),
+    rawText: String(row.raw_text),
+    timestamp: String(row.timestamp),
+    projectName: String(row.project_name ?? "")
+  }));
+}
+var init_tui_data = __esm({
+  "src/lib/tui-data.ts"() {
+    "use strict";
+    init_database();
+    init_task_scope();
+  }
+});
+
 // src/lib/message-queue.ts
 var DEFAULT_MAX_SIZE, DEFAULT_TTL_MS, MessageQueue;
 var init_message_queue = __esm({
@@ -9488,14 +9822,14 @@ __export(keychain_exports, {
   setMasterKey: () => setMasterKey
 });
 import { readFile as readFile4, writeFile as writeFile5, unlink, mkdir as mkdir4, chmod as chmod2 } from "fs/promises";
-import { existsSync as existsSync14 } from "fs";
-import path25 from "path";
-import os11 from "os";
+import { existsSync as existsSync16 } from "fs";
+import path26 from "path";
+import os12 from "os";
 function getKeyDir() {
-  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path25.join(os11.homedir(), ".exe-os");
+  return process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path26.join(os12.homedir(), ".exe-os");
 }
 function getKeyPath() {
-  return path25.join(getKeyDir(), "master.key");
+  return path26.join(getKeyDir(), "master.key");
 }
 async function tryKeytar() {
   try {
@@ -9516,9 +9850,9 @@ async function getMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (!existsSync14(keyPath)) {
+  if (!existsSync16(keyPath)) {
     process.stderr.write(
-      `[keychain] Key not found at ${keyPath} (HOME=${os11.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
+      `[keychain] Key not found at ${keyPath} (HOME=${os12.homedir()}, EXE_OS_DIR=${process.env.EXE_OS_DIR ?? "unset"})
 `
     );
     return null;
@@ -9559,7 +9893,7 @@ async function deleteMasterKey() {
     }
   }
   const keyPath = getKeyPath();
-  if (existsSync14(keyPath)) {
+  if (existsSync16(keyPath)) {
     await unlink(keyPath);
   }
 }
@@ -9608,16 +9942,16 @@ __export(ws_auth_exports, {
   deriveWsAuthToken: () => deriveWsAuthToken,
   hashAuthToken: () => hashAuthToken
 });
-import crypto6 from "crypto";
+import crypto7 from "crypto";
 function deriveWsAuthToken(masterKey) {
-  return Buffer.from(crypto6.hkdfSync("sha256", masterKey, "", WS_AUTH_HKDF_INFO, 32));
+  return Buffer.from(crypto7.hkdfSync("sha256", masterKey, "", WS_AUTH_HKDF_INFO, 32));
 }
 function deriveOrgId(masterKey) {
-  const raw = Buffer.from(crypto6.hkdfSync("sha256", masterKey, "", ORG_ID_HKDF_INFO, 32));
-  return crypto6.createHash("sha256").update(raw).digest("hex").slice(0, 32);
+  const raw = Buffer.from(crypto7.hkdfSync("sha256", masterKey, "", ORG_ID_HKDF_INFO, 32));
+  return crypto7.createHash("sha256").update(raw).digest("hex").slice(0, 32);
 }
 function hashAuthToken(token) {
-  return crypto6.createHash("sha256").update(token).digest("hex");
+  return crypto7.createHash("sha256").update(token).digest("hex");
 }
 var WS_AUTH_HKDF_INFO, ORG_ID_HKDF_INFO;
 var init_ws_auth = __esm({
@@ -9859,8 +10193,8 @@ __export(wiki_client_exports, {
   listDocuments: () => listDocuments,
   listWorkspaces: () => listWorkspaces
 });
-async function wikiFetch(config, path27, method = "GET", body) {
-  const url = `${config.baseUrl}/api/v1${path27}`;
+async function wikiFetch(config, path28, method = "GET", body) {
+  const url = `${config.baseUrl}/api/v1${path28}`;
   const headers = {
     Authorization: `Bearer ${config.apiKey}`,
     "Content-Type": "application/json"
@@ -9893,7 +10227,7 @@ async function wikiFetch(config, path27, method = "GET", body) {
       }
     }
     if (!response.ok) {
-      throw new Error(`Wiki API ${method} ${path27}: ${response.status} ${response.statusText}`);
+      throw new Error(`Wiki API ${method} ${path28}: ${response.status} ${response.statusText}`);
     }
     return response.json();
   } finally {
@@ -10006,6 +10340,7 @@ var shard_manager_exports = {};
 __export(shard_manager_exports, {
   disposeShards: () => disposeShards,
   ensureShardSchema: () => ensureShardSchema,
+  getOpenShardCount: () => getOpenShardCount,
   getReadyShardClient: () => getReadyShardClient,
   getShardClient: () => getShardClient,
   getShardsDir: () => getShardsDir,
@@ -10014,15 +10349,18 @@ __export(shard_manager_exports, {
   listShards: () => listShards,
   shardExists: () => shardExists
 });
-import path26 from "path";
-import { existsSync as existsSync15, mkdirSync as mkdirSync7, readdirSync as readdirSync4 } from "fs";
+import path27 from "path";
+import { existsSync as existsSync17, mkdirSync as mkdirSync7, readdirSync as readdirSync4 } from "fs";
 import { createClient as createClient2 } from "@libsql/client";
 function initShardManager(encryptionKey) {
   _encryptionKey = encryptionKey;
-  if (!existsSync15(SHARDS_DIR)) {
+  if (!existsSync17(SHARDS_DIR)) {
     mkdirSync7(SHARDS_DIR, { recursive: true });
   }
   _shardingEnabled = true;
+  if (_evictionTimer) clearInterval(_evictionTimer);
+  _evictionTimer = setInterval(evictIdleShards, EVICTION_INTERVAL_MS);
+  _evictionTimer.unref();
 }
 function isShardingEnabled() {
   return _shardingEnabled;
@@ -10039,21 +10377,28 @@ function getShardClient(projectName) {
     throw new Error(`Invalid project name for shard: "${projectName}"`);
   }
   const cached = _shards.get(safeName);
-  if (cached) return cached;
-  const dbPath = path26.join(SHARDS_DIR, `${safeName}.db`);
+  if (cached) {
+    _shardLastAccess.set(safeName, Date.now());
+    return cached;
+  }
+  while (_shards.size >= MAX_OPEN_SHARDS) {
+    evictLRU();
+  }
+  const dbPath = path27.join(SHARDS_DIR, `${safeName}.db`);
   const client = createClient2({
     url: `file:${dbPath}`,
     encryptionKey: _encryptionKey
   });
   _shards.set(safeName, client);
+  _shardLastAccess.set(safeName, Date.now());
   return client;
 }
 function shardExists(projectName) {
   const safeName = projectName.replace(/[^a-zA-Z0-9_-]/g, "_");
-  return existsSync15(path26.join(SHARDS_DIR, `${safeName}.db`));
+  return existsSync17(path27.join(SHARDS_DIR, `${safeName}.db`));
 }
 function listShards() {
-  if (!existsSync15(SHARDS_DIR)) return [];
+  if (!existsSync17(SHARDS_DIR)) return [];
   return readdirSync4(SHARDS_DIR).filter((f) => f.endsWith(".db")).map((f) => f.replace(".db", ""));
 }
 async function ensureShardSchema(client) {
@@ -10105,6 +10450,8 @@ async function ensureShardSchema(client) {
   for (const col of [
     "ALTER TABLE memories ADD COLUMN task_id TEXT",
     "ALTER TABLE memories ADD COLUMN consolidated INTEGER NOT NULL DEFAULT 0",
+    "ALTER TABLE memories ADD COLUMN author_device_id TEXT",
+    "ALTER TABLE memories ADD COLUMN scope TEXT NOT NULL DEFAULT 'business'",
     "ALTER TABLE memories ADD COLUMN importance INTEGER DEFAULT 5",
     "ALTER TABLE memories ADD COLUMN status TEXT DEFAULT 'active'",
     "ALTER TABLE memories ADD COLUMN wiki_synced INTEGER DEFAULT 0",
@@ -10242,21 +10589,69 @@ async function getReadyShardClient(projectName) {
   await ensureShardSchema(client);
   return client;
 }
+function evictLRU() {
+  let oldest = null;
+  let oldestTime = Infinity;
+  for (const [name, time] of _shardLastAccess) {
+    if (time < oldestTime) {
+      oldestTime = time;
+      oldest = name;
+    }
+  }
+  if (oldest) {
+    const client = _shards.get(oldest);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(oldest);
+    _shardLastAccess.delete(oldest);
+  }
+}
+function evictIdleShards() {
+  const now = Date.now();
+  const toEvict = [];
+  for (const [name, lastAccess] of _shardLastAccess) {
+    if (now - lastAccess > SHARD_IDLE_MS) {
+      toEvict.push(name);
+    }
+  }
+  for (const name of toEvict) {
+    const client = _shards.get(name);
+    if (client) {
+      client.close();
+    }
+    _shards.delete(name);
+    _shardLastAccess.delete(name);
+  }
+}
+function getOpenShardCount() {
+  return _shards.size;
+}
 function disposeShards() {
+  if (_evictionTimer) {
+    clearInterval(_evictionTimer);
+    _evictionTimer = null;
+  }
   for (const [, client] of _shards) {
     client.close();
   }
   _shards.clear();
+  _shardLastAccess.clear();
   _shardingEnabled = false;
   _encryptionKey = null;
 }
-var SHARDS_DIR, _shards, _encryptionKey, _shardingEnabled;
+var SHARDS_DIR, SHARD_IDLE_MS, MAX_OPEN_SHARDS, EVICTION_INTERVAL_MS, _shards, _shardLastAccess, _evictionTimer, _encryptionKey, _shardingEnabled;
 var init_shard_manager = __esm({
   "src/lib/shard-manager.ts"() {
     "use strict";
     init_config();
-    SHARDS_DIR = path26.join(EXE_AI_DIR, "shards");
+    SHARDS_DIR = path27.join(EXE_AI_DIR, "shards");
+    SHARD_IDLE_MS = 5 * 60 * 1e3;
+    MAX_OPEN_SHARDS = 10;
+    EVICTION_INTERVAL_MS = 60 * 1e3;
     _shards = /* @__PURE__ */ new Map();
+    _shardLastAccess = /* @__PURE__ */ new Map();
+    _evictionTimer = null;
     _encryptionKey = null;
     _shardingEnabled = false;
   }
@@ -14827,8 +15222,8 @@ function Text({ color, backgroundColor, dimColor = false, bold = false, italic =
 }
 
 // src/tui/ink/components/ErrorOverview.js
-var cleanupPath = (path27) => {
-  return path27?.replace(`file://${cwd()}/`, "");
+var cleanupPath = (path28) => {
+  return path28?.replace(`file://${cwd()}/`, "");
 };
 var stackUtils = new StackUtils({
   cwd: cwd(),
@@ -16760,11 +17155,11 @@ function Footer() {
       } catch {
       }
       try {
-        const { existsSync: existsSync16 } = await import("fs");
+        const { existsSync: existsSync18 } = await import("fs");
         const { join } = await import("path");
         const home = process.env.HOME ?? "";
         const pidPath = join(home, ".exe-os", "exed.pid");
-        setDaemon(existsSync16(pidPath) ? "running" : "stopped");
+        setDaemon(existsSync18(pidPath) ? "running" : "stopped");
       } catch {
         setDaemon("unknown");
       }
@@ -16846,7 +17241,7 @@ function Footer() {
 // src/tui/views/CommandCenter.tsx
 import { useState as useState6, useEffect as useEffect8, useMemo as useMemo4, useCallback as useCallback4, useRef as useRef4 } from "react";
 import TextInput from "ink-text-input";
-import path23 from "path";
+import path24 from "path";
 import { homedir } from "os";
 
 // src/tui/components/StatusDot.tsx
@@ -17633,15 +18028,15 @@ function CommandCenterView({
         const { createPermissionsFromPreset: createPermissionsFromPreset2, EMPLOYEE_PERMISSIONS: EMPLOYEE_PERMISSIONS2 } = await Promise.resolve().then(() => (init_permissions(), permissions_exports));
         const { getPresetByRole: getPresetByRole2 } = await Promise.resolve().then(() => (init_permission_presets(), permission_presets_exports));
         const { createDefaultHooks: createDefaultHooks2 } = await Promise.resolve().then(() => (init_hooks(), hooks_exports));
-        const { readFileSync: readFileSync13, existsSync: existsSync16 } = await import("fs");
+        const { readFileSync: readFileSync14, existsSync: existsSync18 } = await import("fs");
         const { join } = await import("path");
         const { homedir: homedir3 } = await import("os");
         const configPath = join(homedir3(), ".exe-os", "config.json");
         let failoverChain = ["anthropic", "opencode", "gemini", "openai"];
         let providerConfigs = {};
-        if (existsSync16(configPath)) {
+        if (existsSync18(configPath)) {
           try {
-            const raw = JSON.parse(readFileSync13(configPath, "utf8"));
+            const raw = JSON.parse(readFileSync14(configPath, "utf8"));
             if (Array.isArray(raw.failoverChain)) failoverChain = raw.failoverChain;
             if (raw.providers && typeof raw.providers === "object") {
               providerConfigs = raw.providers;
@@ -17702,7 +18097,7 @@ function CommandCenterView({
           const markerDir = join(homedir3(), ".exe-os", "session-cache");
           const agentFiles = (await import("fs")).readdirSync(markerDir).filter((f) => f.startsWith("active-agent-"));
           for (const f of agentFiles) {
-            const data = JSON.parse(readFileSync13(join(markerDir, f), "utf8"));
+            const data = JSON.parse(readFileSync14(join(markerDir, f), "utf8"));
             if (data.agentRole) {
               agentRole = data.agentRole;
               break;
@@ -17847,7 +18242,7 @@ function CommandCenterView({
       const demoEntries = DEMO_PROJECTS.map((p) => ({
         projectName: p.projectName,
         exeSession: p.exeSession,
-        projectDir: path23.join(homedir(), p.projectName),
+        projectDir: path24.join(homedir(), p.projectName),
         employeeCount: p.employees.length,
         activeCount: p.employees.filter((e) => e.status === "active").length,
         memoryCount: p.employees.length * 4e3,
@@ -17885,7 +18280,7 @@ function CommandCenterView({
         const { listSessions: listSessions2 } = await Promise.resolve().then(() => (init_session_registry(), session_registry_exports));
         const { listTmuxSessions: listTmuxSessions2, inTmux: inTmux2 } = await Promise.resolve().then(() => (init_tmux_status(), tmux_status_exports));
         const { loadEmployees: loadEmployees2 } = await Promise.resolve().then(() => (init_employees(), employees_exports));
-        const { existsSync: existsSync16 } = await import("fs");
+        const { existsSync: existsSync18 } = await import("fs");
         const { join } = await import("path");
         const client = getClient2();
         if (!client) {
@@ -17956,7 +18351,7 @@ function CommandCenterView({
           }
           const memoryCount = memoryCounts.get(name) ?? 0;
           const openTaskCount = openTaskCounts.get(name) ?? 0;
-          const hasGit = projectDir ? existsSync16(join(projectDir, ".git")) : false;
+          const hasGit = projectDir ? existsSync18(join(projectDir, ".git")) : false;
           const type = hasGit ? "code" : memoryCount > 0 ? "code" : "automation";
           projectList.push({
             projectName: name,
@@ -17981,7 +18376,7 @@ function CommandCenterView({
         setHealth((h) => ({ ...h, memories: Number(totalResult.rows[0]?.cnt ?? 0) }));
         try {
           const pidPath = join(process.env.HOME ?? "", ".exe-os", "exed.pid");
-          setHealth((h) => ({ ...h, daemon: existsSync16(pidPath) ? "running" : "stopped" }));
+          setHealth((h) => ({ ...h, daemon: existsSync18(pidPath) ? "running" : "stopped" }));
         } catch {
         }
         const activityResult = await client.execute(
@@ -18196,7 +18591,7 @@ function ChatMessageRow({ msg }) {
 
 // src/tui/views/Sessions.tsx
 import React19, { useState as useState9, useEffect as useEffect11, useCallback as useCallback6 } from "react";
-import path24 from "path";
+import path25 from "path";
 import { homedir as homedir2 } from "os";
 
 // src/tui/components/TmuxPane.tsx
@@ -18500,7 +18895,7 @@ function SessionsView({
     if (demo) {
       setProjects(DEMO_PROJECTS.map((p) => ({
         ...p,
-        projectDir: path24.join(homedir2(), p.projectName),
+        projectDir: path25.join(homedir2(), p.projectName),
         employees: p.employees.map((e) => ({ ...e, attached: e.status === "active" }))
       })));
       return;
@@ -18896,7 +19291,6 @@ function SessionsView({
 
 // src/tui/views/Tasks.tsx
 import React20, { useState as useState10, useEffect as useEffect12, useMemo as useMemo5 } from "react";
-init_task_scope();
 import { Fragment as Fragment3, jsx as jsx10, jsxs as jsxs8 } from "react/jsx-runtime";
 var STATUS_FILTERS = ["all", "open", "in_progress", "done", "blocked", "needs_review"];
 var PRIORITY_COLORS = {
@@ -19029,37 +19423,22 @@ function TasksView({ onBack }) {
     const { withTrace: withTrace2 } = await Promise.resolve().then(() => (init_telemetry(), telemetry_exports));
     return withTrace2("tui.tasks.loadTasks", async () => {
       try {
-        const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-        const client = getClient2();
-        if (client) {
-          const tScope = sessionScopeFilter();
-          const result = await client.execute({
-            sql: `SELECT id, title, priority, assigned_to, assigned_by, status, project_name, created_at, result
-           FROM tasks
-           WHERE 1=1${tScope.sql}
-           ORDER BY
-             CASE status WHEN 'in_progress' THEN 0 WHEN 'open' THEN 1 WHEN 'blocked' THEN 2 WHEN 'needs_review' THEN 3 WHEN 'done' THEN 4 ELSE 5 END,
-             CASE priority WHEN 'p0' THEN 0 WHEN 'p1' THEN 1 WHEN 'p2' THEN 2 ELSE 3 END,
-             created_at DESC`,
-            args: [...tScope.args]
-          });
-          setAllTasks(
-            result.rows.map((r) => ({
-              id: String(r.id ?? ""),
-              priority: String(r.priority ?? "p2").toUpperCase(),
-              title: String(r.title ?? ""),
-              assignee: String(r.assigned_to ?? ""),
-              assignedBy: String(r.assigned_by ?? ""),
-              status: String(r.status ?? "open"),
-              project: String(r.project_name ?? ""),
-              createdAt: String(r.created_at ?? ""),
-              result: String(r.result ?? "")
-            }))
-          );
-          setDbError(null);
-        } else {
-          setDbError("Database client not initialized. Run exe-os setup.");
-        }
+        const { loadTaskList: loadTaskList2 } = await Promise.resolve().then(() => (init_tui_data(), tui_data_exports));
+        const tasks = await loadTaskList2();
+        setAllTasks(
+          tasks.map((task) => ({
+            id: task.id,
+            priority: task.priority,
+            title: task.title,
+            assignee: task.assignedTo,
+            assignedBy: task.assignedBy,
+            status: task.status,
+            project: task.projectName,
+            createdAt: task.createdAt,
+            result: task.result
+          }))
+        );
+        setDbError(null);
       } catch (err) {
         setDbError(err instanceof Error ? err.message : "Unknown error");
       } finally {
@@ -19397,12 +19776,12 @@ async function loadGatewayConfig() {
     state.running = false;
   }
   try {
-    const { existsSync: existsSync16, readFileSync: readFileSync13 } = await import("fs");
+    const { existsSync: existsSync18, readFileSync: readFileSync14 } = await import("fs");
     const { join } = await import("path");
     const home = process.env.HOME ?? "";
     const configPath = join(home, ".exe-os", "gateway.json");
-    if (existsSync16(configPath)) {
-      const raw = JSON.parse(readFileSync13(configPath, "utf8"));
+    if (existsSync18(configPath)) {
+      const raw = JSON.parse(readFileSync14(configPath, "utf8"));
       state.port = raw.port ?? 3100;
       state.gatewayUrl = raw.gatewayUrl ?? "";
       if (raw.adapters) {
@@ -19802,7 +20181,6 @@ function getAgentStatus(agentId) {
 }
 
 // src/tui/views/Team.tsx
-init_task_scope();
 import { jsx as jsx12, jsxs as jsxs10 } from "react/jsx-runtime";
 var DEPRECATED_PROJECTS = /* @__PURE__ */ new Set(["exe-ai-employees"]);
 function roleBadgeColor(role) {
@@ -19875,41 +20253,16 @@ function TeamView({ onBack, onViewSessions }) {
         let projectsByEmployee = /* @__PURE__ */ new Map();
         let currentTaskByEmployee = /* @__PURE__ */ new Map();
         try {
-          const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-          const client = getClient2();
-          if (client) {
-            const memResult = await client.execute("SELECT agent_id, COUNT(*) as cnt FROM memories GROUP BY agent_id");
-            for (const row of memResult.rows) {
-              memoryCounts.set(String(row.agent_id), Number(row.cnt));
-            }
-            const tmScope = sessionScopeFilter();
-            for (const emp of roster) {
-              const projResult = await client.execute({
-                sql: `SELECT DISTINCT project_name,
-                      MAX(CASE WHEN status = 'in_progress' THEN 1 WHEN status = 'open' THEN 2 ELSE 3 END) as urgency
-                    FROM tasks WHERE assigned_to = ? AND status IN ('open','in_progress','done')${tmScope.sql}
-                    GROUP BY project_name ORDER BY urgency ASC LIMIT 5`,
-                args: [emp.name, ...tmScope.args]
-              });
-              const projects = projResult.rows.filter((r) => !DEPRECATED_PROJECTS.has(String(r.project_name))).map((r) => {
-                const urgency = Number(r.urgency);
-                let pStatus = "idle";
-                if (urgency === 1) pStatus = "active";
-                else if (urgency === 2) pStatus = "has_tasks";
-                return { name: String(r.project_name), status: pStatus };
-              });
-              if (projects.length > 0) projectsByEmployee.set(emp.name, projects);
-            }
-            for (const emp of roster) {
-              const taskResult = await client.execute({
-                sql: `SELECT title FROM tasks WHERE assigned_to = ? AND status = 'in_progress'${tmScope.sql} ORDER BY updated_at DESC LIMIT 1`,
-                args: [emp.name, ...tmScope.args]
-              });
-              if (taskResult.rows.length > 0) {
-                currentTaskByEmployee.set(emp.name, String(taskResult.rows[0].title));
-              }
-            }
-          }
+          const { loadTeamMetrics: loadTeamMetrics2 } = await Promise.resolve().then(() => (init_tui_data(), tui_data_exports));
+          const teamMetrics = await loadTeamMetrics2(roster.map((emp) => emp.name));
+          memoryCounts = teamMetrics.memoryCounts;
+          projectsByEmployee = new Map(
+            Array.from(teamMetrics.projectsByEmployee.entries()).map(([name, projects]) => [
+              name,
+              projects.filter((project) => !DEPRECATED_PROJECTS.has(project.name))
+            ])
+          );
+          currentTaskByEmployee = teamMetrics.currentTaskByEmployee;
         } catch {
         }
         const teamData = roster.map((emp) => {
@@ -19928,12 +20281,12 @@ function TeamView({ onBack, onViewSessions }) {
         setMembers(teamData);
         setDbError(null);
         try {
-          const { existsSync: existsSync16, readFileSync: readFileSync13 } = await import("fs");
+          const { existsSync: existsSync18, readFileSync: readFileSync14 } = await import("fs");
           const { join } = await import("path");
           const home = process.env.HOME ?? "";
           const gatewayConfig = join(home, ".exe-os", "gateway.json");
-          if (existsSync16(gatewayConfig)) {
-            const raw = JSON.parse(readFileSync13(gatewayConfig, "utf8"));
+          if (existsSync18(gatewayConfig)) {
+            const raw = JSON.parse(readFileSync14(gatewayConfig, "utf8"));
             if (raw.agents && raw.agents.length > 0) {
               setExternals(raw.agents.map((a) => ({
                 name: a.name,
@@ -20247,24 +20600,8 @@ function WikiView({ onBack }) {
     }
     setSearchLoading(true);
     try {
-      const { getClient: getClient2 } = await Promise.resolve().then(() => (init_database(), database_exports));
-      const client = getClient2();
-      const result = await client.execute({
-        sql: `SELECT id, agent_id, raw_text, timestamp, project_name
-              FROM memories
-              WHERE raw_text LIKE ? AND COALESCE(status, 'active') = 'active'
-              ORDER BY timestamp DESC LIMIT 20`,
-        args: [`%${query}%`]
-      });
-      setSearchResults(
-        result.rows.map((r) => ({
-          id: String(r.id),
-          agentId: String(r.agent_id),
-          rawText: String(r.raw_text),
-          timestamp: String(r.timestamp),
-          projectName: String(r.project_name ?? "")
-        }))
-      );
+      const { searchWikiMemoryRows: searchWikiMemoryRows2 } = await Promise.resolve().then(() => (init_tui_data(), tui_data_exports));
+      setSearchResults(await searchWikiMemoryRows2(query));
     } catch {
       setSearchResults([]);
     } finally {
@@ -20597,12 +20934,12 @@ function SettingsView({ onBack }) {
     }
     setProviders(providerList);
     try {
-      const { existsSync: existsSync16 } = await import("fs");
+      const { existsSync: existsSync18 } = await import("fs");
       const { join } = await import("path");
       const { loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
       const cfg = await loadConfig2();
       const home = process.env.HOME ?? "";
-      const hasKey = existsSync16(join(home, ".exe-os", "master.key"));
+      const hasKey = existsSync18(join(home, ".exe-os", "master.key"));
       if (cfg.cloud) {
         setCloud({
           configured: true,
@@ -20615,22 +20952,22 @@ function SettingsView({ onBack }) {
       const pidPath = join(home, ".exe-os", "exed.pid");
       let daemon = "unknown";
       try {
-        daemon = existsSync16(pidPath) ? "running" : "stopped";
+        daemon = existsSync18(pidPath) ? "running" : "stopped";
       } catch {
       }
       let version = "unknown";
       try {
-        const { readFileSync: readFileSync13 } = await import("fs");
-        const { createRequire: createRequire2 } = await import("module");
-        const require2 = createRequire2(import.meta.url);
+        const { readFileSync: readFileSync14 } = await import("fs");
+        const { createRequire: createRequire3 } = await import("module");
+        const require2 = createRequire3(import.meta.url);
         const pkgPath = require2.resolve("@askexenow/exe-os/package.json");
-        const pkg = JSON.parse(readFileSync13(pkgPath, "utf8"));
+        const pkg = JSON.parse(readFileSync14(pkgPath, "utf8"));
         version = pkg.version;
       } catch {
         try {
-          const { readFileSync: readFileSync13 } = await import("fs");
+          const { readFileSync: readFileSync14 } = await import("fs");
           const { join: joinPath } = await import("path");
-          const pkg = JSON.parse(readFileSync13(joinPath(process.cwd(), "package.json"), "utf8"));
+          const pkg = JSON.parse(readFileSync14(joinPath(process.cwd(), "package.json"), "utf8"));
           version = pkg.version;
         } catch {
         }